ASA IDS Bundle clustering

Answered Question

Hello,


I have been tasked with implementing a security system for my company based on a firewall + IDS/IPS.


In order to limit the number of devices while at the same time providing firewall system redundancy, I am considering acquiring two Cisco ASA 5540 (or 5520) IDS Bundles with AIP-SSM-20.

Considering that redundancy is required only for the firewalling services (not for the IDS service), and considering also that one AIP-SSM-20 is enough to control the traffic in my company network, my questions are:


- can I use only one AIP-SSM-20, updating it with only one Cisco Service contract for IDS, while keeping the second AIP-SSM-20 as a "cold spare"?


- can I create a cluster using one Cisco ASA5540 with AIP-SSM-20 and another Cisco ASA5540 without AIP-SSM-20? (Based on my understanding, in order to form a cluster Cisco ASAs have to be equipped with exactly the same module quantity and type. Am I wrong?)


Your help is much appreciated.

Thanks

Luca

Correct Answer by praprama (Cisco Employee), Thu, 09/16/2010 - 07:42

Hey,


> can I use only one AIP-SSM-20 updating it with only one Cisco Service contract for IDS while keeping the second AIP-SSM-20 as a "cold spare"?


I am not sure I quite get you here. Well, if you are using the 2 ASAs in failover, then we will need to have the same module in both ASAs, and in this case only one ASA/IPS combo will be active at any point in time. When we fail over from one ASA to the other, the other ASA/IPS combination will automatically become active. So, at any point in time only one IPS is going to be active.


> can I create a cluster using one Cisco ASA5540 with AIP-SSM-20 and another Cisco ASA5540 without AIP-SSM-20? (Based on my understanding, in order to form a cluster Cisco ASAs have to be equipped with exactly the same module quantity and type. Am I wrong?)


Yes, your understanding is correct. We need to have the same hardware on both ASAs. The config on the IPS does not really have to be the same; that is, the failover does not take into consideration the config of the IPS modules, nor does it sync config from one IPS module to the other. All this will have to be done manually.


Hope I have answered your queries. Let me know if there is something ambiguous or unanswered.


Regards,

Prapanch
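As an added illustration of the failover behaviour described in the answer above (this is example configuration written for this page, not the poster's or Cisco's own config): a minimal active/standby pair in which the same AIP-SSM-20 sits in slot 1 of both units, the ASA hands traffic to the module through a service policy that failover does replicate, and the sensor's own configuration has to be repeated on each module by hand. Hostnames, interface names and addresses are assumed values.

```cisco
! --- Primary ASA 5540 (assumed hostname asa-primary) ---
! Active/standby failover. The secondary unit needs the same model,
! the same interfaces and the same module in slot 1 (AIP-SSM-20);
! a unit without the module cannot pair with one that has it.
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2

! Traffic redirection to the IPS module. This lives in the ASA running
! config, so failover replicates it to the standby unit automatically.
! "fail-open" keeps traffic flowing uninspected while the module is
! down or reloading; choose "fail-close" for segments where passing
! uninspected traffic is not acceptable.
class-map ips-traffic
 match any
policy-map global_policy
 class ips-traffic
  ips inline fail-open
service-policy global_policy global

! --- Secondary ASA 5540 (assumed hostname asa-secondary) ---
! Only the failover bootstrap differs; the rest is synced from the
! active unit once the pair forms.
failover
failover lan unit secondary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2

! --- What failover does NOT carry: the sensor's own configuration ---
! Signature tuning, event action rules, virtual sensors and the module's
! management address are stored on each AIP-SSM-20 and must be applied
! to both modules separately, e.g. via a console session to the module
! on each unit (slot 1 below) or with IDM/IME/CSM.
! Verification from each ASA:
!   show failover            ! one unit "Active", the other "Standby Ready"
!   show module 1 details    ! module status should be "Up" on both units
!   session 1                ! opens the sensor CLI on this unit's module
```

The practical consequence of the answer's last point is that signature updates and policy changes made on the active unit's module do not reach the standby unit's module; if the sensors drift apart, a failover event silently changes what is being detected, so both modules should be updated together and their versions compared after each change.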
