site-to-site resilience link

josephschung (Level 1)

Dear Sir,

As shown in the diagram, we are extending network segments from one site to another. 3DES is needed for the WAN links, which back up each other. Do I need to configure the pair of ASAs in A/S mode to achieve this?

One of the sites allows rack-mount equipment only. The 5505 does not seem to have a rack-mount model.

Which models of ASA should I use to meet the requirement with the least cost?

Thanks.

8 Replies

roshan.maskey (Level 1)

Hi Joseph,

The ASA5505 is targeted at small branches. It is not a rack-mount model, but it supports stateless Active/Standby Failover with purchase of the Security Plus license.

The ASA5510 is a standard rack-mount firewall. It too doesn't support Active/Active Failover, but Active/Standby failover is supported with the Security Plus upgrade.

The ASA products that support 3DES/AES are marked with -K9. Products marked with -K8 only support DES encryption.

In that case, should I purchase two 5505s for the site with the rack-mount requirement? For the site that needs a rack-mount model, we will go for the 5510.

Site 1 : 2 x ASA5505-SEC-BUN-K9

Site 2 : 2 x ASA5510-SEC-BUN-K9

Both sides of the VPN will be configured in A/S, letting the links back up each other.

Thanks.

Hi Joseph,

You can have that, but before purchasing: the ASA5505 supports stateless failover, i.e. connections have to be re-established, whereas the ASA5510 supports stateful failover.

You can find a comparison at the link below:

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

Referring to the diagram, both links are backing up each other. I think I need the A/A feature, as both links need to be active at the same time. Thus, the only choice is the 5510. Am I right?

Hi Joseph,

For the Cisco ASA to support active/active mode, it needs multiple context mode. Unfortunately, multiple context mode doesn't support IPsec or SSL VPN.

Refer to this link for more information about multiple context mode:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html

If your main concern is just VPN redundancy, then the ASA5505 is good enough. But in the end it is your call.

H2H

Roshan

Hi Roshan,

Do you mean the design CANNOT be achieved? Without A/A, how can the two links back up each other?

Thanks

Hi,

VPN is not supported in A/A mode, so you have to run the ASAs in A/S mode.

You have planned to alternate the primary link for the two sites, which you have to change. Since only one device will be active in A/S mode, the primary link for both sites should be via the Primary ASA.

Q: Without A/A, how can the two links back up each other?

As long as the Primary ASA or both the primary links are active, the Primary ASA will operate. If either link goes down, the Secondary ASA becomes Active and will process all the traffic for both sites.

H2H

Roshan
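An ASA Active/Standby failover configuration that behaves the way the reply above describes, with the standby unit taking over when a monitored WAN-facing interface fails. This is an added illustration, not configuration posted in the thread or taken from Cisco documentation; the interface names, addresses and the failover link name FOLINK are assumptions, and it assumes both units' outside interfaces share a subnet, as Active/Standby requires.

```cisco
! Primary unit (interface names are assumed, 5510-style)
! --- data interfaces: each carries an active address and a standby address ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
! --- dedicated failover link: no nameif, used for LAN failover and state replication ---
interface Ethernet0/3
 description LAN failover and stateful failover link
!
failover
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover link FOLINK Ethernet0/3
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
!
! Explicitly monitor the WAN-facing interface so that a link failure on the
! active unit triggers failover (physical interfaces with a nameif are
! monitored by default; this makes the intent visible in the config)
monitor-interface outside
! Poll the monitored interfaces every second, declare failure after 5 seconds
failover polltime interface 1 holdtime 5
!
! Secondary unit only needs the failover link definitions; it receives the
! rest of the configuration from the primary once failover comes up:
! failover
! failover lan unit secondary
! failover lan interface FOLINK Ethernet0/3
! failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
```

On the 5505 the `failover link` line is omitted, since that platform only offers stateless failover, so existing VPN sessions re-establish after a switchover.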

Can we make use of routing on the layer 3 switches to use both links? From the diagram, for each subnet we need to provide 100M of bandwidth. Thus, if the ASA cannot achieve this, can we configure the switches to do it?

Thanks.
