ASA clustering 5585-S20

Hello Team,

I want to know what things to keep in mind during the design phase of ASA clustering. Here are the requirements and some confusions I have:

1) We can't use the IPS module 10G ports for CCL?

2) Can we mix modes? For example, I want to have multi-context mode where one context is in routed mode and one context is in transparent mode.

3) Which things should we keep in mind for transparent and routed mode in a multi-context environment during initialization? I can't find much documentation from Cisco regarding this.

4) If we are in multi-context mode and the cluster is up and running, can we introduce a new context (routed or transparent) without any problem in the running cluster? (I guess not, but I want to hear some expert advice on this.)

Cisco Employee

Hello Nishad-

A couple of questions for you:

1. What IPS blade are you planning on using? FirePOWER, legacy IPS, CX?

2. Have you purchased those 5585-X devices? If not, I would highly recommend against it as those devices are pretty expensive and they will never run the FTD (FirePOWER Threat Defense) code. 

To answer your questions:

1. Yes, you can use ports from both the ASA and the IPS blade. However, keep in mind that if you want to use the 10Gb ports you will need the security plus license.

2. All of the cluster members must be in the same security context.

3. Please elaborate more on what your question is here.

4. Please check the link below:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/ha-cluster.html#ID-2170-0000038b

I hope this helps!

Thank you for rating helpful posts!

Thanks for your quick response.

Yes, we already got the device. As you mentioned, we have the required licenses, and we are going to use Sourcefire as the IPS solution.

Coming back to my question no. 2:

What we would like to set up is multi-context mode. For example, we have the default admin context and created 2 additional contexts, A and B respectively. Now I would like to have context A in routed mode and context B in transparent mode. As per the Cisco guides I can see it's possible, but I wasn't able to find many references on it. What things should we keep in mind?

Cisco Employee

I have personally not done such a configuration/deployment, but according to the documentation from the link I provided above it is an acceptable configuration. There is one caveat that is listed in the document:

In multiple context mode, you must choose one interface type for all contexts. For example, if you have a mix of transparent and routed mode contexts, you must use Spanned EtherChannel mode for all contexts because that is the only interface type allowed for transparent mode.

With that said, keep in mind all three technologies that you are trying to deploy (Clustering, Multi-context, and transparent Firewall) come with their own sets of caveats and limitations. Thus, make sure you go through all of those as well :)

I hope this helps!

Thank you for rating helpful posts!
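
The layout discussed in this thread, sketched as an added ASA configuration fragment (not posted by any participant and not taken from the Cisco guide): one Spanned EtherChannel shared by a routed context A and a transparent context B. Interface names, VLAN IDs, file names and addresses are assumptions, and the admin context and cluster bootstrap (CCL, cluster group) are omitted.

```text
! Constructed example: interface names, VLANs, file names and addresses are assumptions.
! --- System execution space ---
! Set before enabling clustering; one interface type applies to every context.
cluster interface-mode spanned
interface TenGigabitEthernet0/8
 channel-group 1 mode active
interface TenGigabitEthernet0/9
 channel-group 1 mode active
interface Port-channel1
 port-channel span-cluster
interface Port-channel1.10
 vlan 10
interface Port-channel1.20
 vlan 20
interface Port-channel1.30
 vlan 30
interface Port-channel1.40
 vlan 40
context A
 allocate-interface Port-channel1.10
 allocate-interface Port-channel1.20
 config-url disk0:/ctx-a.cfg
context B
 allocate-interface Port-channel1.30
 allocate-interface Port-channel1.40
 config-url disk0:/ctx-b.cfg
! --- Context A (routed, the default firewall mode) ---
interface Port-channel1.10
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
interface Port-channel1.20
 nameif inside
 security-level 100
 ip address 198.51.100.1 255.255.255.0
! --- Context B (transparent) ---
! Enter this first in the context: changing the firewall mode clears its configuration.
firewall transparent
interface BVI1
 ip address 203.0.113.10 255.255.255.0
interface Port-channel1.30
 nameif outside
 bridge-group 1
 security-level 0
interface Port-channel1.40
 nameif inside
 bridge-group 1
 security-level 100
```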
