Cisco Support Community

New Member

ASA/IPS in failover

We are doing a test on implementing ASA 5520 with IPS module and having a failover solution. Need to clarify a few things.

1) As I understand, ASA by default comes with 2 virtual licenses. We would like to use the 2 contexts in routed mode.

Can I have the outside interface being shared and have a different IP address?

2) While referring to the docs on the Cisco site, ASA with IPS module in failover will only fail over the firewall and not the IPS. We have to manually fail over the IPS. How to do that when, say, the active firewall with the IPS module in it fails?

Does that mean while implementing a failover solution with ASA/IPS we can have the IPS module in one unit and not the other? Because if we have to manually fail over the IPS, then it's better not to have the IPS module on the failover unit and only connect when required, because ASA can be configured to pass the traffic if the IPS module fails.

Thanks

  • Firewalling
2 REPLIES
New Member

Re: ASA/IPS in failover

1) As I understand, ASA by default comes with 2 virtual licenses. We would like to use the 2 contexts in routed mode.

Can I have the outside interface being shared and have a different IP address?

Yes, you could have a shared interface on the outside.

See the following example for FWSM and follow the path for configuration on ASA:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080602ff7.html#wp1032182

2) While referring to the docs on the Cisco site, ASA with IPS module in failover will only fail over the firewall and not the IPS. We have to manually fail over the IPS. How to do that when, say, the active firewall with the IPS module in it fails? Does that mean while implementing a failover solution with ASA/IPS we can have the IPS module in one unit and not the other? Because if we have to manually fail over the IPS, then it's better not to have the IPS module on the failover unit and only connect when required, because ASA can be configured to pass the traffic if the IPS module fails.

Yes, you could have the ASA module in a failover pair and it should automatically fail over, except for the following 2 caveats:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml#fail
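
An added example, not part of the original posts or the linked Cisco documents: an ASA service-policy sketch showing the setting the question refers to, where traffic keeps passing if the IPS module is unavailable. The names IPS_TRAFFIC and IPS_CLASS are hypothetical, and matching all IP traffic is an assumption made for illustration.

```cisco
! Added illustration; IPS_TRAFFIC and IPS_CLASS are hypothetical names.
! In multiple context mode, this policy is entered inside each context.
!
! Select the traffic to hand to the IPS module (assumed here: all IP traffic).
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
policy-map global_policy
 class IPS_CLASS
  ! inline: the module sits in the forwarding path and can drop packets.
  ! fail-open: if the module is unavailable, matched traffic is
  ! forwarded without inspection.
  ips inline fail-open
  ! Alternative: "ips inline fail-close" drops matched traffic while
  ! the module is unavailable.
!
service-policy global_policy global
```

With fail-open, a module outage means matched traffic passes uninspected until the module recovers, so module status is worth monitoring (`show module` on the ASA).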

New Member

Re: ASA/IPS in failover

Hi,

Thanks for the reply, but some part of the question is not clear. In failover ASA, can I have only one IPS module? What I need to know is whether I can run ASA in failover with 2 ASAs and only one IPS module in the active firewall.
