IPS design

Feb 10th, 2009

I have 2 ASA 5520 units with AIP-SSM-20 for the front end and 2 ASA 5520 units with AIP-SSM-20 for the back end. I also have 2 Catalyst 6509 units. What should my design look like?

rhermes Tue, 02/10/2009 - 08:46

You need to provide much more detail on the goals your design is trying to achieve.

Are the ASA pairs for redundancy?

What do you mean by front-end and back-end? To what?

What networks feed into and out of this hardware?

chiangfong Tue, 02/10/2009 - 17:35

Yes. The ASA pairs are for redundancy. Front end means the Internet edge. Back end means the internal network.

rhermes Wed, 02/11/2009 - 11:27

ASA pairs for redundancy make sense, but I do not understand why you are using two sets of firewalls. What is between these two ASA pairs?

chiangfong Wed, 02/11/2009 - 17:43

Between these two ASA pairs is a pair of Catalyst 6509s. The internal network is a purely flat network. Do I need two pairs of ASAs?


rhermes Thu, 02/12/2009 - 09:18

It all depends on what you are trying to accomplish and what features you are using in each ASA. The outside ASA, as a firewall, can host several inside networks (limited by the number of interfaces in the ASA), and each network can have a different firewall policy assigned. If that meets your firewall needs, then you might not require a second set of ASAs.

You have not provided enough network requirements detail to even make a guess of what you need.

