04-07-2009 06:21 AM - edited 03-11-2019 08:15 AM
Dear Sir,
As shown in the diagram, we are extending network segments from one site to another site. 3DES is needed for the WAN links, which are used to back up each other. Do I need to configure the pair of ASAs in A/S mode to achieve this?
One of the sites allows rack-mount equipment only. The 5505 does not seem to have a rack-mount model.
Which models of ASA should I use to meet the requirement at the least cost?
Thanks.
04-07-2009 08:54 AM
Hi Joseph,
The ASA5505 is targeted at small branches. It is not a rack-mount model, but it supports stateless Active/Standby failover with the purchase of a Security Plus license.
The ASA5510 is a standard rack-mount firewall. It too doesn't support Active/Active failover, but Active/Standby failover is supported with the Security Plus upgrade.
ASA products that support 3DES/AES are marked with -K9. Products marked with -K8 only support DES encryption.
04-07-2009 10:11 PM
In that case, should I purchase two 5505s for the site with the rack-mount requirement? For the site that needs a rack-mount model, we will go for the 5510.
Site 1 : 2 x ASA5505-SEC-BUN-K9
Site 2 : 2 x ASA5510-SEC-BUN-K9
Both sides of the VPN will be configured in A/S, and the links will back up each other.
Thanks.
04-08-2009 12:18 AM
Hi Joseph,
You can have that, but before purchasing, note that the ASA5505 supports stateless failover, that is, the connection has to be re-established, whereas the ASA5510 supports stateful failover.
You can find a comparison at the link below:
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
04-17-2009 11:40 PM
Referring to the diagram, both links are backing up each other. I think I need the A/A feature, as both links need to be active at the same time. Thus, the only choice is the 5510. Am I right?
04-20-2009 07:42 AM
Hi Joseph,
For a Cisco ASA to support active/active mode, it needs multiple context mode. Unfortunately, multiple context mode doesn't support IPsec or SSL VPN.
Refer to this link for more information about multiple context mode:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html
If your main concern is just VPN redundancy, then the ASA5505 is good enough. But in the end it is your call.
H2H
Roshan
04-20-2009 07:49 AM
Hi Roshan,
Do you mean the design CANNOT be achieved? Without A/A, how can the two links back up each other?
Thanks
04-20-2009 07:59 AM
Hi,
VPN is not supported in A/A mode, so you have to run the ASA in A/S mode.
You have planned to alternate the primary link between the two sites, which you have to change. Since only one device will be active in A/S mode, the primary link for both sites should be via the primary ASA.
Q: Without A/A, how can the two links back up each other?
As long as the primary ASA or both the primary links are active, the primary ASA will operate. If either link goes down, the secondary ASA becomes active and will process all the traffic for both sites.
H2H
Roshan
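An Active/Standby failover configuration with WAN-interface monitoring of the kind Roshan describes, added here as an illustration that is not from this thread or from Cisco's documentation; interface names, addresses and the failover key are constructed placeholders, and the interface naming assumes an ASA5510.

```cisco
! Added example: Active/Standby failover on the primary unit of an ASA pair.
! Interface names, addresses and the key are constructed placeholders.
! The secondary unit needs the same "failover lan", "failover interface ip"
! and "failover key" lines plus "failover lan unit secondary"; the rest of
! the configuration is replicated from the primary once failover is enabled.
failover
failover lan unit primary
! Dedicated failover LAN link between the two units. On an ASA5505 this has
! to be a VLAN interface (for example Vlan3) rather than a physical port.
failover lan interface FOLINK Ethernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Shared secret so failover messages between the units are authenticated.
failover key REPLACE-WITH-SHARED-SECRET
! Stateful failover link (ASA5510 with Security Plus). Omit on the ASA5505,
! which only does stateless failover, so connections are re-established
! after a switchover.
failover link STATELINK Ethernet0/2
failover interface ip STATELINK 10.255.254.1 255.255.255.252 standby 10.255.254.2
! Monitor the WAN-facing interface: if the active unit loses it while the
! standby unit's copy of the interface is still up, the standby takes over.
monitor-interface outside
! Poll the monitored interface every 3 s; declare it failed after 15 s
! without a reply.
failover polltime interface 3 holdtime 15
!
! The outside interface carries an active and a standby address; the active
! address (the VPN peer the remote site points at) moves to whichever unit
! is currently active, so the remote site keeps a single peer address.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
```

Interface monitoring only detects loss of the ASA's own link; a WAN failure further upstream that leaves the interface up is not seen by failover and needs routing-level detection instead.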
04-20-2009 06:46 PM
Can we make use of routing on the layer 3 switches to make use of both links? From the diagram, for each subnet we need to provide 100M of bandwidth. Thus, if the ASA cannot achieve this, can we configure the switches to do it?
Thanks.