
ASA 5525-X IPS Management IP addresses in HA mode

I am going to install ASA 5525-X firewalls in HA mode, and both have software IPS modules. I was wondering how the management IP address will be configured in HA mode.

Will both IPS modules have the same management IP address?

I am looking for a sample config for IPS management IP address configuration in HA mode.

 

Thanks,

1 ACCEPTED SOLUTION


If you haven't seen it already, please review the ASA IPS Module Quick Start Guide.

The management of software IPS modules uses the physical management interface of the 5525-X with an IP address that is specified in the setup of the IPS module. This is distinct from any management address you may have set up in the base ASA.

Each IPS will have its own unique IP address.

The IPS modules themselves are not HA-aware and are essentially managed as two independent units. This improves if you move to the NGFW IPS and manage the unit via PRSM on an external server. In that scenario, the HA pair of IPSs is managed as a collective entity.

The base ASAs of course share the service policy used to redirect traffic for IPS inspection and (when the service policy calls for IPS module inspection) also verify the operational state of the IPS modules as one of the checks done to validate failover status.
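A sample configuration for the layout described in the answer above, added here as an example and not part of the original post: the ASA portion is shared by the failover pair, while each IPS module gets its own management address in its own setup. All addresses (192.0.2.0/24), hostnames and the class-map name are constructed placeholders.

```text
! Constructed values: 192.0.2.0/24 and all names are placeholders, not from the thread.
!
! --- ASA (entered on the active unit; replicated to the standby by failover) ---
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
! Shared service policy that redirects traffic to the local IPS module
class-map ips-class
 match any
policy-map global_policy
 class ips-class
  ips inline fail-open
service-policy global_policy global
!
! --- IPS module on the primary ASA (not replicated; configure on this unit) ---
! asa-primary# session ips
configure terminal
 service host
  network-settings
   host-ip 192.0.2.11/24,192.0.2.254
   host-name ips-primary
   exit
  exit
! answer "yes" at the Apply Changes prompt
!
! --- IPS module on the secondary ASA: same steps, different address ---
! asa-secondary# session ips
configure terminal
 service host
  network-settings
   host-ip 192.0.2.12/24,192.0.2.254
   host-name ips-secondary
   exit
  exit
! answer "yes" at the Apply Changes prompt
!
! --- Check from each ASA ---
! show module ips details    (module status and its management address)
! show failover              (includes the IPS module state of both units)
```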

2 REPLIES


There should not be any big difference in configuration for management. Even in a normal scenario, we can have management access through both the active and standby IP addresses to the respective devices. It all happens with the MAC address that is used when it is configured in failover mode.

 

Hope this helps

Regards

Karthik
 
