I wanted to implement a cluster of 4 ASA 5585-X between DCs. Before the firewall I would like to use the IPS module.
My three questions are:
- Can I use the IPS software appliance if the firewalls are clustered and avoid the IPS hardware module?
- In case I have to use the IPS hardware, how will the IPS in slot 1 communicate with the slot 0 ASA Firewall? Will I need to make a hardware connection between them, like with different VDCs on N7k?
- Will I have to put physical links from our core switch to the IPS, and then the traffic will go to the firewall and go back to the switch, or will I only put physical connections on the slot 0 ASA Firewall?
The IPS module in an ASA 5585 would need to be in each of the units if you want to use a service-policy redirection to the IPS module. That applies whether you are using the "old school" IPS on an SSP or the NGFW (CX) IPS type.
The communication between a given firewall and its IPS module is via the backplane and is completely internal to the ASA - so no external physical connection is required.
The IPS in clustering scenario is mentioned only briefly in the configuration guide here.
I'm not sure if I follow your question about external and internal subnets. We would normally (almost always) see these on different sets of physical interfaces.
For example, have a look at the Cisco Live presentation on ASA clustering - BRKSEC-3032 from Milan. In the presentation, slides 21 and 23 illustrate the two modes (spanned Etherchannel and individual interface). In both examples, the inside and outside use distinct physical interfaces.