We plan to implement two ASA 5510s as an active/passive failover pair with AIP-SSM IPS. Is it possible to configure the two AIP-SSMs for failover as well? How can I implement two AIP-SSMs in two ASAs with failover capability? If it's not possible, what's the best approach to have IPS in the case that the primary ASA fails? There is no budget to purchase an IPS 44xx appliance though.
You can deploy an AIP-SSM within each of the 2 ASAs.
The AIP-SSMs do support running inside ASAs configured for failover, but the AIP-SSMs do not support any failover communication between the 2 AIP-SSMs.
The 2 AIP-SSMs will be unaware that another AIP-SSM exists.
The AIP-SSM just monitors whatever its parent ASA sends to it.
So the SSM in the active ASA will be monitoring because that ASA is seeing the traffic and sending it to its SSM.
The SSM in the standby ASA will just be waiting for traffic without doing any monitoring because the ASA is in standby mode.
If there is a failover event between the ASAs, then the standby ASA will start seeing the traffic and send it to its own SSM. The standby SSM will have just been waiting for traffic so it will immediately begin monitoring as soon as its ASA starts sending traffic to it.
So there is no special configuration within the AIP-SSM configuration.
So the AIP-SSMs are fully supported for placing them inside ASAs configured for failover. But all of the failover is configured and managed by the ASAs themselves.
The 2 SSMs are configured and treated as if they were just any 2 sensors. If you want them to have the same configuration then you will need to configure them the same. They will not communicate with each other, and will not automatically share configuration.
I echo this. One thought to keep in mind is your ASA failover setup, which will dictate the above settings. Meaning, if you set up the ASAs in a pure failover/standby configuration, then what marcabal has said is 100% accurate. If you set up your ASAs in Active/Active mode, then both IPS modules will receive traffic based on your network topology. You also will have to consider whether you will be running your firewalls in context mode as well, as that will determine if both modules will receive traffic.
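An added example, not from either poster, showing where the pieces described above live on an active/standby pair: failover and the diversion of traffic to the module are ASA-side configuration that replicates to the standby, while nothing here touches the sensor itself. Hostnames, interface assignments, addresses, the slot number and the failover key are assumptions for illustration.

```cisco
! Hypothetical ASA 5510 active/standby pair (assumed names/addresses).
! Everything below is entered on the primary; the secondary only needs
! its own "failover lan unit secondary" plus the failover link lines,
! and then receives the rest through configuration replication.
hostname asa-primary
interface GigabitEthernet0/3
 description dedicated LAN + stateful failover link
 no shutdown
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Encrypt failover/state traffic between the units (placeholder key).
failover key <REPLACE-WITH-SHARED-KEY>
! Standby addresses let the surviving unit assume the active IPs.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
! Divert traffic to the AIP-SSM in slot 1. Because this policy is part of
! the ASA configuration it is replicated, so after a switchover the
! standby's module is fed the same way without any SSM-side change.
! fail-open keeps forwarding if the module is down; fail-close drops
! instead. Pick this deliberately: fail-open trades inspection for uptime.
class-map IPS-TRAFFIC
 match any
policy-map global_policy
 class IPS-TRAFFIC
  ips inline fail-open
service-policy global_policy global
! Sensor-side settings (signatures, event action rules, virtual sensor)
! are NOT replicated. Apply them on each module separately, e.g. via
!   session 1
! from the primary ASA and then again from the secondary.
! Checks after deployment:
!   show failover         -> primary Active, secondary Standby Ready
!   show module 1 details -> module status Up on both units
```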