Cisco Support Community

New Member

ASA IDS Bundle clustering

Hello,

I have been tasked to implement for my company a security system based on firewall+IDS/IPS.

In order to limit the number of devices providing at the same time firewall system redundancy, I am considering acquiring two Cisco ASA 5540 (or 5520) IDS Bundles with AIP-SSM-20.

Considering that redundancy is required only for the Firewalling services (not for the IDS service), and considering also that one AIP-SSM-20 is enough to control the traffic in my company network, my questions are:

- can I use only one AIP-SSM-20 updating it with only one Cisco Service contract for IDS while keeping the second AIP-SSM-20 as a "cold spare"?

- can I create a cluster using one Cisco ASA5540 with AIP-SSM-20 and another Cisco ASA5540 without AIP-SSM-20? (Based on my understanding, in order to form a cluster Cisco ASAs have to be equipped with exactly the same modules quantity and type. Am I wrong?)

Your help is much appreciated

Thanks

Luca


Accepted Solutions
Cisco Employee

Re: ASA IDS Bundle clustering

Hey,

> can I use only one AIP-SSM-20 updating it with only one Cisco Service contract for IDS while keeping the second AIP-SSM-20 as a "cold spare"

I am not sure I quite get you over here. Well, if you are using the 2 ASAs in failover, then we will need to have the same module in both the ASAs, and in this case only one ASA/IPS combo will be active at any point of time. When we fail over from one ASA to the other, automatically the other ASA/IPS combination will become active. So, at any point of time only one IPS is going to be active.

> can I create a cluster using one Cisco ASA5540 with AIP-SSM-20 and another Cisco ASA5540 without AIP-SSM-20? (Basing on my understanding, in order to form a cluster Cisco ASAs have to be equipped with exactly the same modules quantity and type. Am I wrong?)

Yes, your understanding is correct. We need to have the same hardware on both the ASAs. The config on the IPS does not really have to be the same; that is, the failover does not take into consideration the config of the IPS modules, nor does it sync config from one IPS module to the other. All this will have to be done manually.

Hope I have answered your queries. Let me know if there is something ambiguous or unanswered.

Regards,

Prapanch
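
A parity check for the two points in the answer above (both units need the same hardware, and failover does not sync the IPS module configuration), as an added example that is not part of the original thread. The inventory and configuration text formats are constructed and simplified, not real device output or Cisco IPS syntax, and the set of per-unit lines ignored in the comparison is an assumption.

```python
import difflib
import re

# Constructed inventory text: one "slot model" pair per line (simplified format).
PRIMARY_INV = "0 ASA5540\n1 AIP-SSM-20\n"
SECONDARY_INV = "0 ASA5540\n"          # the "no module in the second unit" case

# Constructed IPS configuration exports (illustrative lines, not real IPS syntax).
PRIMARY_IPS = """\
hostname ips-primary
mgmt-address 192.0.2.10
signature 2004 enabled
signature 3030 action deny-packet
"""
SECONDARY_IPS = """\
hostname ips-secondary
mgmt-address 192.0.2.11
signature 2004 enabled
signature 3030 action alert
"""

# Assumption: these lines legitimately differ between the two modules.
PER_UNIT = re.compile(r"^(hostname|mgmt-address)\b")


def module_inventory(text):
    """Map slot number -> module model from 'slot model' lines."""
    rows = (ln.split(None, 1) for ln in text.splitlines() if ln.strip())
    return {int(slot): model.strip() for slot, model in rows}


def hardware_mismatches(primary, secondary):
    """Return (slot, primary_model, secondary_model) for each slot that differs."""
    a, b = module_inventory(primary), module_inventory(secondary)
    slots = sorted(a.keys() | b.keys())
    return [(s, a.get(s), b.get(s)) for s in slots if a.get(s) != b.get(s)]


def ips_config_drift(cfg_a, cfg_b):
    """Return '-'/'+' lines where the two configs differ, ignoring per-unit lines."""
    def keep(cfg):
        lines = (ln.strip() for ln in cfg.splitlines())
        return [ln for ln in lines if ln and not PER_UNIT.match(ln)]
    diff = list(difflib.unified_diff(keep(cfg_a), keep(cfg_b), lineterm="", n=0))
    return [ln for ln in diff[2:] if ln.startswith(("+", "-"))]  # skip file headers


if __name__ == "__main__":
    print(hardware_mismatches(PRIMARY_INV, SECONDARY_INV))
    print(ips_config_drift(PRIMARY_IPS, SECONDARY_IPS))
```

Because the modules are configured manually, any drift reported here means the inspection policy would change when the units fail over.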

2 REPLIES
New Member

Re: ASA IDS Bundle clustering

Prapanch thank you very much for the clarification.

Regards

Luca
