Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
427
Views
5
Helpful
3
Replies

ASA Cluster and use IPS

Jordi Benet
Level 1
Level 1

‎03-21-2014 04:01 AM - edited ‎03-11-2019 08:58 PM

Hi,

I wanted to implent a cluster of 4 ASA 5585-X between DCs. Before the firewall I would like to use the  IPS module.

 

My three quesitons are:

- Can I use the IPS software appliance if the firewalls are clustered and avoid the IPS hardware module?

- In case I have to use the IPS hardware, how the IPS in slot 1 will communicate to the slot 0 ASA Firewall? I will need to do a hardware connection between them like with different VDCs on N7k?

- I will have to put physical links from our core switch to the IPS and then the traffic will go to the firewall and go back to the switch, or I will only put physical connections on the slot 0 ASA Firewall?

 

There is any documentation for this?

 

Thanks a lot.


Regards,

 

J

Labels:
0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-21-2014 08:09 AM

The IPS module in an ASA 5585 would needs to be in each of the units if you want to use a service-policy redirection to the IPS module. That applies whether you are using the "old school" IPS on an SSP or the NGFW (CX) IPS type.

The communications between a given firewall and its IPS module is via the backplane and is completely internal to the ASA - so no external physical connection is required.

The IPS in clustering scenario is mentioned only briefly in the configuration guide here.

Jordi Benet
Level 1
Level 1
In response to Marvin Rhoads

‎03-21-2014 08:22 AM

Hi Marvin,

thanks a lot for the reply.

So if the communication is via the backplane I get extra ports.

My question is, there is any document explaining the FW cluster implementation with the External subnets and the internal subnets going through a different physical link?

All the diagrams they use the same physical interface for the external traffic and internal traffic. It is because it is not possible to have different physical links for the cluster?

Thank you very much.

Regards,

J

 

 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Jordi Benet

‎03-21-2014 10:34 AM

You're welcome Jordi.

I'm not sure if I follow your question about external and internal subnets. We would normally (almost always) see these on different sets of physical interfaces.

For example, have a look at the Cisco Live presentation on ASA clustering - BRKSEC-3032 from Milan. In the presentation, slides 21 and 23 illustrate the two modes (spanned Etherchannel and individual interface). In both examples, the inside and outside use distinct physical interfaces.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card