site-to-site resilience link

Unanswered Question
Apr 7th, 2009

Dear Sir,

As shown in the diagram, we are extending network setments from one site to another site. 3DES is needed for WAN links, which are used to backup each other. Do I need to configure the pair of ASA to A/S mode to achieve this?

One of the site allow rack mount equipment only. 5505 seems does not has rack mount model.

Which models of ASA should I use to meet the requirement with the least cost?

Thanks.

Attachment: 
I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
roshan.maskey Tue, 04/07/2009 - 08:54

Hi Joseph,

ASA5505 is targeted for small branches. It is not a rack mount model. But it supports stateless Active Standby Failover with purchase of Security Plus License.

ASA5510 is standard rack mount firewall. It too doesn't support Active/Active Failover, but Active/Standby failover is supported with Security Plus upgrade.

The ASA product that support 3DES/AES is marked with -K9. The product marked with -K8 only supports DES encryption.

josephschung Tue, 04/07/2009 - 22:11

In that case, should I purchase two 5505 for site with rack mount requirement. For the site need to have rack mount model, we will go for 5510.

Site 1 : 2 x ASA5505-SEC-BUN-K9

Site 2 : 2 x ASA5510-SEC-BUN-K9

Both sides of VPN will be configured in A/S and let the links backup each other.

Thanks.

josephschung Fri, 04/17/2009 - 23:40

Refering to the diagram, both links are backing up each other. I think I need the A/A feature as both links need to be activated at the same time. Thus, the only choice is 5510. Am I right?

roshan.maskey Mon, 04/20/2009 - 07:42

Hi Joseph,

Cisco ASA to support active/active mode need multiple context mode. Unfortunately multiple context mode doesn't support IPSec or SSL VPN.

Refer this link for more information about multiple context mode:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html

If your main concern is just for VPN redundancy, then ASA5505 good enough. But, at the end it is your call.

H2H

Roshan

josephschung Mon, 04/20/2009 - 07:49

Hi Roshan,

Do you mean the design CANNOT be achieved? Without A/A, how can the two links backup each other?

Thanks

roshan.maskey Mon, 04/20/2009 - 07:59

Hi,

VPN is not supported in A/A mode, so you have to run ASA in A/S mode.

You have planned to alternate Primary Link for two sites, which you have to change. Since, only one device will be active in A/S mode, primary link for both the sites should be via Primary ASA.

Q:Without A/A, how can the two links backup each other?

As long as Primary ASA or both the primay Links are active, Primary ASA will operate. If either of Link goes down, Secondary ASA becomes Active, and will process all the traffic for both sites.

H2H

Roshan

josephschung Mon, 04/20/2009 - 18:46

Can we make sure of routing on layer 3 switches to make use of both links. From the diagram, for each subnet, we need to provide 100M bandwidth. Thus, if ASA cannot achieve this. Can we configure the switches to do it?

Thanks.

Actions

This Discussion