Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8868
Views
10
Helpful
10
Replies

Can I make an ASA 5525-x cluster

Richard Stuivenberg
Level 1
Level 1

‎11-24-2013 02:11 AM - edited ‎03-11-2019 08:08 PM

Hello,

I have to make a decision which forms ASA I will choose.

I want to make a Cluster with two ASA 5525-X Firewall in transparent mode

Not an active/standby or active active.

Is this possible with a 5525-x or should I opt for the ASA 5545-X?

Do I need a special license for clustering?

Best regards,

Richard

Labels:
0 Helpful
10 Replies 10

Karsten Iwen
VIP
VIP

‎11-24-2013 03:47 AM

First you have to define which clustering you are talking about as there are different functions that are all commonly named "clusters".

If you are tlaking about the new function where you combine up to eight firewalls to increase the throughput, then only 5580 and 5585-X are supported. How much throughput do you need? If it is below what a single 5585-X can deliver, then go for traditional failover. It's much easier to administer and more flexible. Cluster-Mode also needs a Cluster License.

Here is more info on ASA-Clusters:

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/ha_cluster.html

If you are talking about a VPN-Loadbalancing to increase the amount of remote users, then you can use any of the ASAs begining with the 5510 SecPlus and combine them until you have the needed amoount of VPN-users.

More on VPN-Loadbalancing:

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_params.html#wp1079186

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Richard Stuivenberg
Level 1
Level 1
In response to Karsten Iwen

‎11-24-2013 07:08 AM

Hi Karsten.Iwen,

Thanks for you're reply, the throughput from a 5525-x is enough for me.

For now my configuration would look like this:

Two ISR 4451-x both are active with BGP on the outside WAN (both will be 500 Mb, same IP-VPN cloud from my ISP) and VRRP on the inside on difference VLANs.

Behind the ISR's I will connect the both ASA 5525-x with an EtherChannel for redandancy/Failover.

I have already a stacked switch C3750-x and both will be connected too the ASAs also with an EtherChannel.

Then I have two ports left at my ASAs for the FailOver link between both ASAs.

If i'm right, but i'm not sure.

Can I make both Active/Active and separate my VLANs/traffic so half goes thru ASA 1 and the second half goes thru ASA 2?

Best Regards,

Richard

0 Helpful

Karsten Iwen
VIP
VIP
In response to Richard Stuivenberg

‎11-24-2013 07:23 AM

You could achieve that with two 5525-X active/active, but with 1Gig on the outside you don't have any performance left if one ASA fails (the 5525-X is 1 Gig/s multiprotocol; I'm always a little bit more conservative with these numbers, so I never calculate with maximum throughput). If that is ok, or your 2*500MBit WAN is not that much utilized, then the 5525-X is a good choice. If you plan to upgrade your WAN in the mid-term, I would go directly for the 5545-X.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Richard Stuivenberg
Level 1
Level 1
In response to Karsten Iwen

‎11-24-2013 07:38 AM

My WAN is not that much utilized,  I'm upgrading my both 100MBit WAN's in a few months too 500 MBit.

Both are active but will also be backup of eachother when one WAN connections fails.

0 Helpful

Karsten Iwen
VIP
VIP
In response to Richard Stuivenberg

‎11-24-2013 07:46 AM

Then you should be really fine with the 5525-X. But still I would recommend to go for A/S as the routing is much easier to handle in a scenario like this. Remember that complexity is one of the enemie of security.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Richard Stuivenberg
Level 1
Level 1
In response to Karsten Iwen

‎11-24-2013 09:29 AM

Thanks... I keep that in mind

0 Helpful

subriyer
Cisco Employee
Cisco Employee

‎12-06-2013 08:57 AM

Richard, would you be interested in deploying the newly introduced ASA clustering functionality that was released in 9.0 release?

0 Helpful

Richard Stuivenberg
Level 1
Level 1
In response to subriyer

‎12-10-2013 10:54 PM

Hi Subriyer,

Yes, i'm interested in the new released 9.0 and the option for ASA Clustering.

But I think that it's not possible with an 5525-x, am i right?

0 Helpful

subriyer
Cisco Employee
Cisco Employee
In response to Richard Stuivenberg

‎12-10-2013 11:01 PM

Richard,

5525-x does support ASA clustering from 9.1.4 and higher.

http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp736630

ASA 5500-X support for clustering

The ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X now  support 2-unit clusters. Clustering for 2 units is enabled by default in  the base license; for the ASA 5512-X, you need the Security Plus  license.

We did not modify any commands.

Thanks

Iyer

Richard Stuivenberg
Level 1
Level 1
In response to subriyer

‎01-05-2014 10:35 AM

Thnxs!!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card