09-16-2010 05:44 AM - edited 03-10-2019 05:07 AM
Hello,
I have been tasked to implement for my company a security system based on firewall+IDS/IPS.
In order to limit the number of devices providing at the same time firewall system redundancy, I am considering to acquire two Cisco ASA 5540 (or 5520) IDS Bundle with AIP-SSM-20.
Considering that redundancy is required only for the Firewalling services (not for the IDS service), and considering also that one AIP-SSM-20 is enough to control the traffic in my company network, my questions are:
- can I use only one AIP-SSM-20 updating it with only one Cisco Service contract for IDS while keeping the second AIP-SSM-20 as a "cold spare"?
- can I create a cluster using one Cisco ASA5540 with AIP-SSM-20 and another Cisco ASA5540 without AIP-SSM-20? (Based on my understanding, in order to form a cluster Cisco ASAs have to be equipped with exactly the same module quantity and type. Am I wrong?)
Your help is much appreciated
Thanks
Luca
09-16-2010 07:42 AM
Hey,
> can I use only one AIP-SSM-20 updating it with only one Cisco Service contract for IDS while keeping the second AIP-SSM-20 as a "cold spare"
I am not sure I quite get you over here. Well, if you are using the 2 ASAs in failover, then we will need to have the same module in both the ASAs, and in this case only one ASA/IPS combo will be active at any point of time. When we fail over from one ASA to the other, automatically the other ASA/IPS combination will become active. So, at any point of time only one IPS is going to be active.
> can I create a cluster using one Cisco ASA5540 with AIP-SSM-20 and another Cisco ASA5540 without AIP-SSM-20? (Basing on my understanding, in order to form a cluster Cisco ASAs have to be equipped with exactly the same modules quantity and type. Am I wrong?)
Yes, your understanding is correct. We need to have the same hardware on both the ASAs. The config on the IPS does not really have to be the same, that is, the failover does not take into consideration the config of the IPS modules, neither does it sync config from one IPS module to the other. All this will have to be done manually.
Hope I have answered your queries. Let me know if there is something ambiguous or unanswered.
Regards,
Prapanch
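Since the answer above notes that ASA failover neither checks nor synchronizes the configuration of the two AIP-SSM modules, the practical risk is silent drift: the standby module ends up with different signature or event-action settings than the active one, and the difference only shows up after a failover. The script below is an added example (not from the original thread, and not a Cisco tool) that compares two exported module configurations and reports the drift. The configuration format it parses ("service <name>" section headers followed by indented "key value" lines) and the two sample exports are constructed for illustration and are not real IPS CLI output.

```python
"""Report configuration drift between two IPS module exports.

Added example. The config format and both sample exports below are
constructed for illustration; they are not real Cisco AIP-SSM output.
"""
from typing import Dict, List, Tuple

# Constructed sample export from the module in the primary ASA.
PRIMARY_CFG = """\
service host
  host-name sensor-a
  time-zone UTC
service signature-definition sig0
  sig 2000 enabled true
  sig 2004 enabled true
  sig 3030 action deny-packet
service event-action-rules rules0
  overrides deny-attacker-inline enabled true
"""

# Constructed sample export from the module in the secondary ASA.
SECONDARY_CFG = """\
service host
  host-name sensor-b
  time-zone UTC
service signature-definition sig0
  sig 2000 enabled true
  sig 2004 enabled false
service event-action-rules rules0
  overrides deny-attacker-inline enabled true
  overrides reset-tcp enabled true
"""

# Settings that are legitimately different per unit and must not be
# reported as drift (hypothetical list; extend as needed).
PER_UNIT_KEYS = {("service host", "host-name")}

Key = Tuple[str, str]


def parse_config(text: str) -> Dict[Key, str]:
    """Flatten an export into {(section, key): value}.

    A non-indented line starts a new section; an indented line is a
    setting whose last token is the value and whose preceding tokens
    form the key.
    """
    settings: Dict[Key, str] = {}
    section = ""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            section = raw.strip()
            continue
        parts = raw.split()
        key, value = " ".join(parts[:-1]), parts[-1]
        settings[(section, key)] = value
    return settings


def find_drift(primary: str, secondary: str) -> Dict[str, List]:
    """Classify every setting as missing on one side or differing in value."""
    a, b = parse_config(primary), parse_config(secondary)
    drift: Dict[str, List] = {"only_primary": [], "only_secondary": [], "differs": []}
    for key in sorted(set(a) | set(b)):
        if key in PER_UNIT_KEYS:
            continue
        if key not in b:
            drift["only_primary"].append(key)
        elif key not in a:
            drift["only_secondary"].append(key)
        elif a[key] != b[key]:
            drift["differs"].append((key, a[key], b[key]))
    return drift


def has_drift(primary: str, secondary: str) -> bool:
    """True when any non-per-unit setting differs between the two exports."""
    return any(find_drift(primary, secondary).values())


if __name__ == "__main__":
    for kind, entries in find_drift(PRIMARY_CFG, SECONDARY_CFG).items():
        for entry in entries:
            print(f"{kind}: {entry}")
```

Run it after every manual change to either module (or from a scheduled job against fresh exports); a non-empty report means the standby unit would not enforce the same policy after a failover.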
09-16-2010 07:46 AM
Prapanch thank you very much for the clarification.
Regards
Luca