Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1220
Views
0
Helpful
1
Replies

Cisco ASA-5585x [SSP 40 vs. IPS SSP 40]

Sohrab Kasraeian Fard
Level 1
Level 1

‎12-20-2015 11:42 PM - edited ‎03-12-2019 12:03 AM

Dear All,

We've bought "ASA5585-S40-K9" and "ASA-SSP-40-K8=" which we end up with one ASA 5585-X chassis and with two SSP-40 card installed in both slots and now customer security team request has been changed and they are asking for IPS functionality on at least one of cards installed in the chassis (based on what I find out so far only top slot can do the IPS work).

I've search multiple times and find some information like this (3rd question).

Now my questions are:

  • Is it possible to purchase a license or do something and change "SSP 40" in top slot into "IPS SSP 40" or the hardware should be change for that functionality?
  • Is it possible to have both K8 and K9 cards on the same chassis? from performance, redundancy and functionality perspective.

Thanks in advance for your kind help and support

Labels:
0 Helpful
1 Reply 1

Marvin Rhoads
Hall of Fame
Hall of Fame

‎12-21-2015 06:21 AM

It seems your product was mis-ordered for what you want. When you buy the ASA-SSP-40-K8 for the top slot, it is like a completely separate ASA that shares a chassis with the pre-installed bottom slot ASA. They use common space and power in the chassis but otherwise have no data plane connectivity between them.

IPS functionality in a 5585-X is provided by a FirePOWER module in the top slot - part number like  "ASA-SSP-SFR40-K9=".(The old IPS modules are end of sales since earlier this year.)

You would also need a FireSIGHT / FirePOWER Management Center running externally (VM or appliance) to configure and monitor the FirePOWER module. (You can technically do it with ASDM using ASA 9.5(1) and FirePOWER 6.0 but that would not generally be recommended for a 5585-X.)

The K8 and K9 designation only indicates whether the product was shipped with basic encryption (DES) or stronger encryption (3DES-AES) license preinstalled. As long as you are not subject to strong encryption export restrictions from the USA (i.e. North Korea, Sudan, Cuba etc.) you can just add the free 3DES-AES license to any units ordered with K8.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card