ASA IDS Bundle clustering

luca.caponi
Level 1

Hello,

I have been tasked to implement for my company a security system based on firewall+IDS/IPS.

In order to limit the number of devices providing at the same time firewall system redundancy, I am considering to acquire two Cisco ASA 5540 (or 5520) IDS Bundle with AIP-SSM-20.

Considering that redundancy is required only for the firewalling services (not for the IDS service), and considering also that one AIP-SSM-20 is enough to control the traffic in my company network, my questions are:

- can I use only one AIP-SSM-20 updating it with only one Cisco Service contract for IDS while keeping the second AIP-SSM-20 as a "cold spare"?

- can I create a cluster using one Cisco ASA5540 with AIP-SSM-20 and another Cisco ASA5540 without AIP-SSM-20? (Based on my understanding, in order to form a cluster Cisco ASAs have to be equipped with exactly the same module quantity and type. Am I wrong?)

Your help is much appreciated

Thanks

Luca

Accepted Solution

praprama
Cisco Employee

Hey,

> can I use only one AIP-SSM-20 updating it with only one Cisco Service contract for IDS while keeping the second AIP-SSM-20 as a "cold spare"

I am not sure I quite get you over here. Well, if you are using the 2 ASAs in failover, then we will need to have the same module in both the ASAs, and in this case only one ASA/IPS combo will be active at any point of time. When we fail over from one ASA to the other, the other ASA/IPS combination will automatically become active. So, at any point of time only one IPS is going to be active.

> can I create a cluster using one Cisco ASA5540 with AIP-SSM-20 and another Cisco ASA5540 without AIP-SSM-20? (Based on my understanding, in order to form a cluster Cisco ASAs have to be equipped with exactly the same module quantity and type. Am I wrong?)

Yes, your understanding is correct. We need to have the same hardware on both the ASAs. The config on the IPS does not really have to be the same; that is, the failover does not take into consideration the config of the IPS modules, nor does it sync config from one IPS module to the other. All this will have to be done manually.

Hope I have answered your queries. Let me know if there is something ambiguous or unanswered.

Regards,

Prapanch

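The setup the answer describes, as an added configuration example (it is not from the original thread and not Cisco's own sample config): two ASA 5540s in active/standby failover, each carrying an AIP-SSM-20 in slot 1, with the Modular Policy Framework entry that hands traffic to the module. Hostnames, interface assignments, addresses and the class-map name are assumptions chosen for illustration.

```cisco
! Added example, not from the original post. Interface names, addresses
! and the class-map name are assumed.
!
! --- Primary ASA 5540 ---
hostname asa-primary
!
! Physical interface used as the failover/state link must be up.
interface GigabitEthernet0/3
 no shutdown
!
! Failover bootstrap. The ASA running config (including the policy-map
! below) is replicated to the standby over this link; the sensor's own
! configuration on the AIP-SSM is NOT replicated and must be applied to
! each module separately.
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover
!
! Data interfaces carry a standby address so the peer can take them over.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
 no shutdown
!
! Redirect all traffic to the AIP-SSM in inline mode. fail-open keeps
! traffic flowing if the module is down or not yet up; use fail-close if
! dropping traffic is preferable to bypassing inspection.
class-map IPS-ALL
 match any
!
policy-map global_policy
 class IPS-ALL
  ips inline fail-open
!
service-policy global_policy global
!
! --- Secondary ASA 5540 ---
! Only the failover bootstrap is entered here; the rest of the running
! config arrives by config sync once the units pair up. The AIP-SSM in
! this chassis still needs its own sensor configuration.
hostname asa-secondary
interface GigabitEthernet0/3
 no shutdown
failover lan unit secondary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover
```

After both units pair up, `show failover` on either ASA lists the module in slot 1 for this host and the other host, which is the quick way to confirm the two chassis really carry the same hardware; the sensor configuration and signature updates on each AIP-SSM-20 are then managed on the module itself, once per module, exactly as the answer states.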

2 Replies


Prapanch, thank you very much for the clarification.

Regards

Luca
