Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3963
Views
0
Helpful
3
Replies

ASA5585 best practices out of band management

Go to solution
rogelioalvez
Level 1
Level 1

‎07-28-2012 04:42 PM - edited ‎03-11-2019 04:35 PM

Hello team.

I was requested to configure OOB network management to a cluster of fully populated 5585´s (SSP20 on slot0, IPS SSP20 on slot1). So I have a few questions for which I would appreciate advice:

   

     1. Since each slot has two management ports (Mgmt0/0 and Mgmt0/1, Mgmt1/0 and Mgmt1/1)... ¿does it make sense to use both UTP ports on each slot? ¿ Would it be enough if I just connect Mgmt0/0 for FW management and Mgmt1/0 for IPS management?

     2. ¿Can I assign Mgmt0/0 (FW) and Mgmt1/0 (IPS) to a common IP subnet? ¿is it adviced to have them on different subnets?

     3. Assuming a clustered solution: ¿do these Mgmt interfaces follow the same concepts of the other data interfaces? For example: ¿Must/should I connect Mgmt0/0 of both firewalls in a common VLAN/subnet and assign primary/standby IPs in this subnet? ¿The same concept for the IPS Mgmt interfaces?

Your hints will be greatly appreciated.

Best regards

Rogelio Alvez

Argentina

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ramraj Sivagnanam Sivajanam
Level 4
Level 4

‎07-28-2012 08:13 PM

Yes, it's alrite to connect the Management 0/0 (SSP in slot 0) for FW management and Management 1/0 (IPS SSP in slot 1) for IPS management. I know you’re worried about redundancy, but this is fine really. However, if you’d like, you could combined both the Management 0/0 and Management 0/1 to be one single interface. You could configure Cisco ASA REDUNDANT interface.

Yes, you can assign an IP Address to Management 0/0 interface (FW) and Management 1/0 interface (IPS) in a common subnet/VLAN. You can then describe this VLAN, as the Management VLAN. Even If you were to opt for the Cisco ASA REDUNDANT interface method, the concept remains the same.

Yes, you'll need to assign ACTIVE/STANDBY IP Addresses for the FW Mgmt0/0, just like how you're doing it for the other data interfaces e.g. "ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2". However, for the IPS Module, you'll just need to assign a single IP Address.

P/S: if you think this comment is helpful, please do rate it nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Ramraj Sivagnanam Sivajanam
Level 4
Level 4

‎07-28-2012 08:13 PM

Yes, it's alrite to connect the Management 0/0 (SSP in slot 0) for FW management and Management 1/0 (IPS SSP in slot 1) for IPS management. I know you’re worried about redundancy, but this is fine really. However, if you’d like, you could combined both the Management 0/0 and Management 0/1 to be one single interface. You could configure Cisco ASA REDUNDANT interface.

Yes, you can assign an IP Address to Management 0/0 interface (FW) and Management 1/0 interface (IPS) in a common subnet/VLAN. You can then describe this VLAN, as the Management VLAN. Even If you were to opt for the Cisco ASA REDUNDANT interface method, the concept remains the same.

Yes, you'll need to assign ACTIVE/STANDBY IP Addresses for the FW Mgmt0/0, just like how you're doing it for the other data interfaces e.g. "ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2". However, for the IPS Module, you'll just need to assign a single IP Address.

P/S: if you think this comment is helpful, please do rate it nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam
0 Helpful

Go to solution
rogelioalvez
Level 1
Level 1
In response to Ramraj Sivagnanam Sivajanam

‎07-29-2012 06:15 AM

Hello Ramraj.

Thank you very much for your kind answer...

I just have one more doubt in this matter: ¿Is it also possible to make the Mgmt1/0 pair (IPS ports on both firewalls) work with the active/standby logic? I would like to make this cluster look the same for all the interfaces, including the management ones.

Thanks in advance again, Rogelio

0 Helpful

Go to solution
Ramraj Sivagnanam Sivajanam
Level 4
Level 4
In response to rogelioalvez

‎07-29-2012 07:47 PM

Hi Bro

Cisco IPS modules or Cisco IDSM modules cannot work in a ACTIVE/STANDBY mode, assuming you've 2 units, one on each Cisco ASA FW. Yes, the Cisco ASA FW can run in either ACTIVE/STANDBY or ACTIVE/ACTIVE but the IPS always works alone :-)

Both these IPS modules work separately. This means if you were to change a settings in one of the IPS module, you'll need to do the same for the other unit. It doesn't replicate.

Alternatively, you might wanna look into Cisco IME (Freeware). This tool comes with GUI to help you configure, tune, and manage Cisco IPS sensors, Cisco Advanced Inspection and Prevention Security Services Modules, Cisco Catalyst 6500 Series Intrusion Detection System Modules, Cisco IDS Network Modules, and Cisco IOS IPS modules (up to 10 devices only).

Warm regards,
Ramraj Sivagnanam Sivajanam
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card