IPS design

Unanswered Question
Feb 10th, 2009

I have 2 units of ASA 5520 with AIP-SSM-20 for front-end and 2 units of ASA 5520 with AIP-SSM-20 for back-end. I also have 2 units of Catalyst 6509. How should my design look?

rhermes Tue, 02/10/2009 - 08:46

You need to provide much more detail on the goals your design is trying to achieve.

Are the ASA pairs for redundancy?

What do you mean front-end and back-end, to what?

What networks feed into and out of this hardware?

chiangfong Tue, 02/10/2009 - 17:35

Yes. The pairs of ASAs are for redundancy. Front end means the Internet edge. Back end means the internal network.

rhermes Wed, 02/11/2009 - 11:27

ASA pairs for redundancy make sense, but I do not understand why you are using two sets of firewalls. What is between these two ASA pairs?

chiangfong Wed, 02/11/2009 - 17:43

Between these two ASA pairs is a pair of Catalyst 6509s. The internal network is a purely flat network. Do I need two pairs of ASAs?


rhermes Thu, 02/12/2009 - 09:18

It all depends on what you are trying to accomplish and what features you are using in each ASA. The outside ASA, as a firewall, can host several inside networks (limited by the number of interfaces in the ASA), and each network can have a different firewall policy assigned. If that meets your firewall needs, then you might not require a second set of ASAs.

You have not provided enough network requirements detail to even make a guess of what you need.

