03-21-2014 04:01 AM - edited 03-11-2019 08:58 PM
Hi,
I wanted to implement a cluster of 4 ASA 5585-X between DCs. Before the firewall I would like to use the IPS module.
My three questions are:
- Can I use the IPS software appliance if the firewalls are clustered and avoid the IPS hardware module?
- In case I have to use the IPS hardware, how will the IPS in slot 1 communicate with the ASA firewall in slot 0? Will I need a hardware connection between them, like with different VDCs on an N7k?
- Will I have to put physical links from our core switch to the IPS, with the traffic then going to the firewall and back to the switch, or will I only put physical connections on the slot 0 ASA firewall?
Is there any documentation for this?
Thanks a lot.
Regards,
J
03-21-2014 08:09 AM
The IPS module in an ASA 5585 would need to be in each of the units if you want to use a service-policy redirection to the IPS module. That applies whether you are using the "old school" IPS on an SSP or the NGFW (CX) IPS type.
The communication between a given firewall and its IPS module is via the backplane and is completely internal to the ASA - so no external physical connection is required.
The IPS in a clustering scenario is mentioned only briefly in the configuration guide here.
03-21-2014 08:22 AM
Hi Marvin,
thanks a lot for the reply.
So if the communication is via the backplane, I get extra ports.
My question is, is there any document explaining the FW cluster implementation with the external subnets and the internal subnets going through different physical links?
All the diagrams use the same physical interface for the external traffic and the internal traffic. Is it because it is not possible to have different physical links in the cluster?
Thank you very much.
Regards,
J
03-21-2014 10:34 AM
You're welcome, Jordi.
I'm not sure if I follow your question about external and internal subnets. We would normally (almost always) see these on different sets of physical interfaces.
For example, have a look at the Cisco Live presentation on ASA clustering - BRKSEC-3032 from Milan. In the presentation, slides 21 and 23 illustrate the two modes (spanned Etherchannel and individual interface). In both examples, the inside and outside use distinct physical interfaces.
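As an added illustration of the two points made in this thread (service-policy redirection to the IPS SSP over the backplane, and inside/outside on distinct physical links in spanned EtherChannel mode), here is a constructed ASA configuration fragment for one cluster unit. It is not from the thread or from Cisco; the interface numbers, names and addresses are placeholders, and the cluster-wide parts (including the IPS policy) replicate to the other units once they join.

```text
! Constructed example; interface numbers, names and addresses are placeholders.
! --- Clustering in spanned EtherChannel mode, one unit shown. The cluster
! --- config (including the IPS service policy below) replicates to all units.
cluster interface-mode spanned force
!
! Cluster control link (CCL): unit-to-unit traffic only, no data interfaces
interface TenGigabitEthernet0/6
 channel-group 1 mode on
 no shutdown
interface Port-channel1
 description CCL
!
cluster group DC-CLUSTER
 local-unit UNIT-A
 cluster-interface port-channel1 ip 192.168.255.1 255.255.255.0
 priority 1
 enable
!
! Outside and inside on DISTINCT spanned EtherChannels, as in BRKSEC-3032
interface TenGigabitEthernet0/8
 channel-group 10 mode active
 no shutdown
interface Port-channel10
 port-channel span-cluster
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface TenGigabitEthernet0/9
 channel-group 20 mode active
 no shutdown
interface Port-channel20
 port-channel span-cluster
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Redirect traffic to the IPS SSP in slot 1 over the backplane; no cabling.
! inline = the IPS can drop packets; fail-open = pass traffic if the module
! is down (use fail-close if blocking on module failure is preferred).
access-list IPS_TRAFFIC extended permit ip any any
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
service-policy global_policy global
```

The IPS SSP itself still needs its own software and signature configuration on each unit; the service policy only decides which ASA traffic is sent to it.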