Cisco PIX Firewall
Hi, I ran into a problem a couple of days ago here at work. The thing is that I am configuring a couple of firewalls: one is active, because it has the old working configuration. The other one is only connected to the network, out of any failover config and passing no traffic.
I configured the non-active firewall and set it up with the running config of the active firewall. The problem is that every single machine running Windows on any network does not refresh its ARP table, so, even though I set up the IP address on the interface to be the same one, the MAC address on the firewall does not match the ARP entry where the IP address line is.
So now that I know how to change the IP address, I need to find out how to change the MAC address as well. I've been researching like crazy all over Google and cisco.com, to no avail.
Does anyone have a clue?
Thanks in advance.
You need to use a high-availability mechanism. Cisco routers use HSRP. It works like this:
Physical IP address production box: 192.168.1.2
Physical IP address failover box: 192.168.1.3
Virtual IP address pointing to the production box and used as default gateway: 192.168.1.1
If the production box crashes, the default gateway stays 192.168.1.1 (no need to go manually change the IP of the failover box) and automatically points to the failover one.
I'm not 100% sure PIX supports HSRP; if you don't see this command, look for VRRP, another protocol doing the same thing.
OK, failover is already configured on one of the PIXs. The other is not; it has a single-mode running config. The problem is that I need to set the upgraded PIX back into production with the same MAC address as the one that is currently in production (this means something like entering a command to set the MAC address of the device manually), while I upgrade the other one.
I'll have a look at these options, because I do believe I saw them mentioned in the Cisco documentation.
Thanks, man. 8)
Oh, OK. I don't think manually changing MAC addresses is a "good practice", but given the nature of your problem...
How about trying this:
Set the upgraded PIX back into production with the same IP (so you're going to have the ARP cache problem on the PCs) and then ping from the PIX to the broadcast address (make sure the PIX won't block the ping). This way all the PCs on this subnetwork will see your new MAC address.
Just a thought; I am not sure that they will clear their ARP cache, but it's a simple test you can quickly try.
If this works, you wouldn't have to tweak your MAC address.
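A check a practitioner would want after a swap like the one discussed above, as an added example that is not from the thread: parse the `arp -a` output collected from hosts and report which of them still map the gateway IP to a MAC other than the new PIX's. The gateway IP, the MACs and the captured ARP output are constructed for the example.

```python
import re

# Assumed values for the scenario in the thread (constructed, not from the posts):
GATEWAY_IP = "192.168.1.1"
NEW_FIREWALL_MAC = "00:aa:bb:cc:dd:ee"  # MAC of the PIX that now holds the IP

# Constructed 'arp -a' captures from two hosts after the swap: pc1 (Windows)
# still caches the old firewall's MAC, host2 (Linux) has already refreshed.
ARP_CAPTURES = {
    "pc1": (
        "Interface: 192.168.1.50 --- 0xb\n"
        "  Internet Address      Physical Address      Type\n"
        "  192.168.1.1           00-11-22-33-44-55     dynamic\n"
        "  192.168.1.3           00-11-22-33-44-57     dynamic\n"
    ),
    "host2": "? (192.168.1.1) at 00:AA:BB:CC:DD:EE [ether] on eth0\n",
}

# One pattern covers both layouts: an IPv4 address, non-digit filler
# (spaces on Windows, ") at " on Linux), then a MAC with '-' or ':' separators.
ENTRY_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\D+?"
    r"(?P<mac>(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def normalize_mac(mac):
    """Lower-case, colon-separated form so both OS styles compare equal."""
    return mac.lower().replace("-", ":")

def parse_arp_table(text):
    """Map IP -> normalized MAC from Windows or Linux 'arp -a' output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table

def gateway_status(text, gateway_ip=GATEWAY_IP, expected_mac=NEW_FIREWALL_MAC):
    """'current': cached MAC is the new firewall's; 'stale': host still sends
    gateway traffic to another MAC; 'missing': no entry, next ARP will learn it."""
    cached = parse_arp_table(text).get(gateway_ip)
    if cached is None:
        return "missing"
    return "current" if cached == normalize_mac(expected_mac) else "stale"

def audit(captures, gateway_ip=GATEWAY_IP, expected_mac=NEW_FIREWALL_MAC):
    # Per-host verdict; hosts reported 'stale' need their cache refreshed.
    return {h: gateway_status(t, gateway_ip, expected_mac) for h, t in captures.items()}
```

Hosts that come back 'stale' after the broadcast ping are the ones still sending gateway traffic to the old MAC.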