
New Member

site-to-site resilience link

Dear Sir,

As shown in the diagram, we are extending network segments from one site to another site. 3DES is needed for the WAN links, which are used to back up each other. Do I need to configure the pair of ASAs in A/S mode to achieve this?

One of the sites allows rack mount equipment only. The 5505 does not seem to have a rack mount model.

Which models of ASA should I use to meet the requirement with the least cost?

Thanks.

8 REPLIES
New Member

Re: site-to-site resilience link

Hi Joseph,

The ASA5505 is targeted at small branches. It is not a rack mount model, but it supports stateless Active/Standby failover with purchase of the Security Plus license.

The ASA5510 is a standard rack mount firewall. It too doesn't support Active/Active failover, but Active/Standby failover is supported with the Security Plus upgrade.

The ASA products that support 3DES/AES are marked with -K9. Products marked with -K8 only support DES encryption.

New Member

Re: site-to-site resilience link

In that case, should I purchase two 5505s for the site with the rack mount requirement? For the site that needs a rack mount model, we will go for the 5510.

Site 1 : 2 x ASA5505-SEC-BUN-K9

Site 2 : 2 x ASA5510-SEC-BUN-K9

Both sides of the VPN will be configured in A/S and the links will back up each other.

Thanks.

New Member

Re: site-to-site resilience link

Hi Joseph,

You can have that, but before purchasing: the ASA5505 supports stateless failover, that is, the connection has to be re-established, whereas the ASA5510 supports stateful failover.

You can find a comparison at the link below:

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

New Member

Re: site-to-site resilience link

Referring to the diagram, both links are backing up each other. I think I need the A/A feature, as both links need to be active at the same time. Thus, the only choice is the 5510. Am I right?

New Member

Re: site-to-site resilience link

Hi Joseph,

Cisco ASA needs multiple context mode to support active/active mode. Unfortunately, multiple context mode doesn't support IPsec or SSL VPN.

Refer to this link for more information about multiple context mode:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html

If your main concern is just VPN redundancy, then the ASA5505 is good enough. But, at the end, it is your call.

H2H

Roshan

New Member

Re: site-to-site resilience link

Hi Roshan,

Do you mean the design CANNOT be achieved? Without A/A, how can the two links back up each other?

Thanks

New Member

Re: site-to-site resilience link

Hi,

VPN is not supported in A/A mode, so you have to run ASA in A/S mode.

You have planned to alternate the primary link between the two sites, which you have to change. Since only one device will be active in A/S mode, the primary link for both sites should be via the Primary ASA.

Q: Without A/A, how can the two links back up each other?

As long as the Primary ASA and both primary links are up, the Primary ASA will operate. If either link goes down, the Secondary ASA becomes Active and will process all the traffic for both sites.

H2H

Roshan
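A configuration sketch of the arrangement Roshan describes, as an added example that is not part of this thread and not Cisco's own documentation: one unit of the Site 2 pair in ASA 8.0-style Active/Standby failover, with the outside interface monitored so that a failed primary link moves the active role to the other chassis, and a 3DES/SHA site-to-site tunnel to the Site 1 pair. Interface names, the failover link, all addresses (RFC 5737 documentation ranges), the peer address and the key placeholders are assumptions, not values from the thread.

```cisco
! Added example (not from this thread): ASA 8.0-style Active/Standby failover
! with a 3DES site-to-site tunnel, written for a 5510-class unit at Site 2.
! Interface names, addresses and the peer are assumptions.
hostname site2-asa
! esp-3des below requires a -K9 (3DES/AES) licensed unit, as noted earlier in the thread.
!
! The active unit always owns the primary address; the standby unit holds the
! "standby" address. The remote peer therefore only ever talks to 203.0.113.2,
! whichever chassis is currently active.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.2.0.1 255.255.255.0 standby 10.2.0.2
!
! Dedicated failover link carrying hellos and (on the 5510) state replication.
failover
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover link FOLINK Ethernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key FAILOVER-KEY-PLACEHOLDER
!
! Interface health monitoring: if the active unit's outside link fails the
! standby unit takes over, which is the "link backup" behaviour described above.
monitor-interface outside
monitor-interface inside
failover polltime interface 5 holdtime 25
!
! Site-to-site IPsec, 3DES/SHA as required in the original question.
! 198.51.100.2 is the assumed active (primary) address of the Site 1 pair.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec transform-set SITE1-3DES esp-3des esp-sha-hmac
!
access-list SITE1-VPN extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
!
crypto map OUTSIDE-MAP 10 match address SITE1-VPN
crypto map OUTSIDE-MAP 10 set peer 198.51.100.2
crypto map OUTSIDE-MAP 10 set transform-set SITE1-3DES
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key PRE-SHARED-KEY-PLACEHOLDER
```

The secondary chassis only needs the failover link commands and `failover lan unit secondary`; the rest of the configuration replicates from the primary once the pair forms. `show failover` shows which unit is active and the monitored interface state, and `show crypto isakmp sa` confirms the tunnel is up after a switchover. Because both sites reach the same active address, the Site 1 pair's crypto map and tunnel-group point at 203.0.113.2 and need no change when the standby unit takes over.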

New Member

Re: site-to-site resilience link

Can we make use of routing on the layer 3 switches to use both links? From the diagram, for each subnet we need to provide 100M bandwidth. Thus, if the ASA cannot achieve this, can we configure the switches to do it?

Thanks.
