New Member

Do I require the VPN bundle?

Hi,

We are planning to buy 4 5585-X SSP 40. We would like to cluster them between 2 Data Centers.


We would like to have:

- ASA as Firewall

- add IPS module on the 5585-X SSP 40 empty slot

- Use the ASA to bring site-to-site IPSEC VPNs for our partners

- 20 Multiple Context Security Firewall

- ASA Cluster license


1- For the IPsec VPNs, do we require the VPN bundle, or is it included in the Firewall bundle?


2- Also, we would like to know if these licenses will be enough:

- ASA5500-SC-20= --> For the 20 Multiple Context

- L-ASA5585-CL-S40= --> Cluster license

- Do I need a license for the site-to-site VPNs, or do I need the VPN bundle?

- Do I need any other license?


Thanks a lot.


Regards,


J


Hall of Fame Super Silver

You should work with a partner who can advise you on the details of such a significant purchase but I'll briefly cover your questions:

1. No. IPsec site-site VPN does not require the VPN bundle. The VPN bundle adds AnyConnect Premium licenses, which are used for advanced remote access VPN functionality, not site-site VPN. The latter is included with the base 5585-X (and all bundles).

2. That suffices for a clustered multi-context setup.

NOTE - The IPS is not a good match with clustering as IPS functionality is not a distributed (cluster-ready) feature. That is, IPS will always and only run on the cluster master, not on any cluster member ASA. You would be better off with an external IPS such as a Cisco SourceFire appliance. If you still decide to use IPS, your service contract associated with the order should include the IPS subscription support.

New Member

Hi Marvin,

thanks a lot for the reply, much appreciated.

I thought the IPS module and Firewall module on the 5585-X SSP 40 would be independent.

I was thinking to put the IPS module first and the ASA cluster after it. So traffic from north to south will hit the IPS module first and then the ASA cluster FW, and for south-to-north traffic the ASA cluster will make sure that traffic reaches the proper firewall (to accomplish stateful behavior), and then I am sure it will hit the correct IPS.

Can I accomplish this setup, or will the IPS hardware module only be activated on the cluster master, even if I have an IPS hardware module on each 5585-X SSP 40?


Thank you very much for the help.


Regards,


J


Hall of Fame Super Silver (Accepted Solution)

You're welcome. Thanks for the rating.

The Configuration Guide section on clustering explains it thus:

"IPS module—There is no configuration sync or state sharing between IPS modules. Some IPS signatures require IPS to keep the state across multiple connections. For example, the port scanning signature is used when the IPS module detects that someone is opening many connections to one server but with different ports. In clustering, those connections will be balanced between multiple ASA devices, each of which has its own IPS module. Because these IPS modules do not share state information, the cluster may not be able to detect port scanning as a result."

So, yes, you can use the IPS module in each member, but the effectiveness will be reduced a good bit. Given the additional cost you will pay for those, plus the fact that Cisco traditional IPS may well migrate to the superior SourceFire technology over the coming year or two (speculation on my part), I would not think that would be a good strategic move.

New Member

Hi Marvin,

thanks a lot for the reply.

I totally agree with your thinking, but we will stay with the Cisco IPS module as we will get additional 10Gbps ports that we need and also our security support team is very Cisco based.

I agree with you that a good strategic move will be to go with SourceFire, but we will stay with Cisco IPS module.

Thanks for the help provided as it has been very useful to understand the role of the IPS in the ASA cluster environment.

Regards,

J

Hall of Fame Super Silver

You're welcome - thanks for the rating.

If you wait a while, you may see the SourceFire name be replaced with Cisco as the product lines blend together. :) (But then again they still keep the old IronPort name around.)

Seriously, Cisco has announced intention to integrate the SourceFire IDS technology into the CX module. But, like the IDS running on SSP, IDS on CX is also not (currently) a distributed function.

New Member

Hi,

From the previous scenario, I would like to use 16 IPsec site-to-site tunnels. I wanted to create a partner VRF with all the site-to-site tunnels going through it and terminating at the ASA in one context firewall.

After reading about the multiple-context firewall features, it says that a maximum of 5 IPsec tunnels will be available in one context firewall and a total of 10 IPsec tunnels for the entire firewall when using multiple context firewalls.

This means that the only solution to implement 16 IPsec site-to-site tunnels on the ASA is disabling the multiple-context feature, or is there another way, using multiple contexts, to get 16 IPsec tunnels on the ASA?


Thanks a lot.


Regards,


J

Hall of Fame Super Silver

I've not seen that VPN limitation - it does vary according to the platform but for the 5585 you were discussing, the limitation is 10,000 (Reference). 

You allocate the allowed number of VPNs via setting a "limit-resource" (by number or percentage) in a class which is created in the system context and there assigned to the various user context(s). (Reference)
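To make the allocation described above concrete, here is an added example of the configuration involved; it is not part of the original thread and is not the poster's or Marvin's configuration. The class name `partner-vpn`, the context name `partner`, the interface numbering, the config-url, the subnets and the peer address 203.0.113.10 (a documentation-range placeholder) are assumptions for illustration. The resource names `vpn other` (guaranteed site-to-site sessions) and `vpn burst other` (sessions drawn from the shared burst pool) are the ASA's own names for these limits. The class is created in the system execution space and bound to the context with `member`; the tunnels themselves are then built inside the partner context with one `tunnel-group` per peer, and the class limit of 16 leaves room for all 16 partner tunnels in that single context.

```cisco
! ===== System execution space =====
! Resource class: guarantee 16 site-to-site sessions to the member context,
! allow up to 4 more from the shared burst pool, and cap its connections.
class partner-vpn
  limit-resource vpn other 16
  limit-resource vpn burst other 4
  limit-resource conns 10%

! The partner context: allocate its interfaces, store its config, bind the class.
context partner
  description Partner site-to-site VPN context (assumed name)
  allocate-interface TenGigabitEthernet0/8.100
  allocate-interface TenGigabitEthernet0/8.200
  config-url disk0:/partner.cfg
  member partner-vpn

! Verification from the system space (run as exec commands, not config):
!   show resource allocation
!   show resource usage context partner resource vpn other

! ===== Inside the partner context (changeto context partner) =====
interface TenGigabitEthernet0/8.100
  nameif outside
  security-level 0
  ip address 198.51.100.2 255.255.255.0
interface TenGigabitEthernet0/8.200
  nameif inside
  security-level 100
  ip address 10.10.1.1 255.255.255.0

! IKEv2 policy and IPsec proposal shared by all partner tunnels
crypto ikev2 policy 10
  encryption aes-256
  integrity sha256
  group 14
  prf sha256
  lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
  protocol esp encryption aes-256
  protocol esp integrity sha-256

! One crypto map entry and one tunnel-group per partner peer (first of 16 shown)
access-list PARTNER1-VPN extended permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0
crypto map PARTNER-MAP 10 match address PARTNER1-VPN
crypto map PARTNER-MAP 10 set peer 203.0.113.10
crypto map PARTNER-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map PARTNER-MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
```

Two checks worth doing after applying this: `show resource allocation` in the system space should list 16 guaranteed `vpn other` sessions against the partner context, and the sum of all contexts' `vpn other` limits must stay within the platform maximum, since that resource cannot be oversubscribed (only the burst pool can). One caveat for the clustered design discussed in this thread: in ASA 9.x clustering, site-to-site VPN is a centralized feature, so all 16 tunnels terminate on the cluster master rather than being spread across members.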
