cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8869
Views
10
Helpful
10
Replies

Can I make an ASA 5525-x cluster

Hello,

I have to make a decision which forms ASA I will choose.

I want to make a Cluster with two ASA 5525-X Firewall in transparent mode

Not an active/standby or active active.

Is this possible with a 5525-x or should I opt for the ASA 5545-X?

Do I need a special license for clustering?

Best regards,

Richard

10 Replies 10

First you have to define which clustering you are talking about as there are different functions that are all commonly named "clusters".

If you are tlaking about the new function where you combine up to eight firewalls to increase the throughput, then only 5580 and 5585-X are supported. How much throughput do you need? If it is below what a single 5585-X can deliver, then go for traditional failover. It's much easier to administer and more flexible. Cluster-Mode also needs a Cluster License.

Here is more info on ASA-Clusters:

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/ha_cluster.html

If you are talking about a VPN-Loadbalancing to increase the amount of remote users, then you can use any of the ASAs begining with the 5510 SecPlus and combine them until you have the needed amoount of VPN-users.

More on VPN-Loadbalancing:

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_params.html#wp1079186

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karsten.Iwen,

Thanks for you're reply, the throughput from a 5525-x is enough for me.

For now my configuration would look like this:

Two ISR 4451-x both are active with BGP on the outside WAN (both will be 500 Mb, same IP-VPN cloud from my ISP) and VRRP on the inside on difference VLANs.

Behind the ISR's I will connect the both ASA 5525-x with an EtherChannel for redandancy/Failover.

I have already a stacked switch C3750-x and both will be connected too the ASAs also with an EtherChannel.

Then I have two ports left at my ASAs for the FailOver link between both ASAs.

If i'm right, but i'm not sure.

Can I make both Active/Active and separate my VLANs/traffic so half goes thru ASA 1 and the second half goes thru ASA 2?

Best Regards,

Richard

You could achieve that with two 5525-X active/active, but with 1Gig on the outside you don't have any performance left if one ASA fails (the 5525-X is 1 Gig/s multiprotocol; I'm always a little bit more conservative with these numbers, so I never calculate with maximum throughput). If that is ok, or your 2*500MBit WAN is not that much utilized, then the 5525-X is a good choice. If you plan to upgrade your WAN in the mid-term, I would go directly for the 5545-X.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

My WAN is not that much utilized,  I'm upgrading my both 100MBit WAN's in a few months too 500 MBit.

Both are active but will also be backup of eachother when one WAN connections fails.

Then you should be really fine with the 5525-X. But still I would recommend to go for A/S as the routing is much easier to handle in a scenario like this. Remember that complexity is one of the enemie of security.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks... I keep that in mind

subriyer
Cisco Employee
Cisco Employee

Richard, would you be interested in deploying the newly introduced ASA clustering functionality that was released in 9.0 release?

Hi Subriyer,

Yes, i'm interested in the new released 9.0 and the option for ASA Clustering.

But I think that it's not possible with an 5525-x, am i right?

Richard,

5525-x does support ASA clustering from 9.1.4 and higher.

http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp736630

ASA 5500-X support for clustering

The ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X now  support 2-unit clusters. Clustering for 2 units is enabled by default in  the base license; for the ASA 5512-X, you need the Security Plus  license.

We did not modify any commands.

Thanks

Iyer

Thnxs!!

Review Cisco Networking for a $25 gift card