Solved: Cisco ASA

Docklands · ‎02-28-2017

We need an active/stanby firewall configuration for very low data throughput - 100Mb.

Which of the low data throughput ASA's are capable of operating in a active/standby cluster?

Thanks

Julio E. Moisa · ‎02-28-2017

Hi

The 5506x can be mounted on a rack but an additional accessory is required:

http://www.cisco.com/c/en/us/td/docs/security/asa/hw/maintenance/5506xguide/b_Install_Guide_5506/b_Install_Guide_5506_chapter_011.html

Yes, 5508 can be configured as a cluster, It also allows active/active, it cannot be done on Cisco 5506X, it allows active/standby only.

https://apps.cisco.com/ccw/cpc/guest/content/ucsProductDetails/prod_ASA5508-K9

Hope it is useful

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

View solution in original post

Julio E. Moisa · ‎04-07-2017

Hi

Apologies, the HP switches will be configured with VRRP, you should connect one uplink from the primary switch to primary firewall and from secondary switch to the secondary firewall, create the VRRP and the virtual IP, so the firewall will be configured with 1(2 if you desire) ip address, in active standby this ip will be mirrored into the standby firewall so from the switches the next hop will be the same and from the firewall the next hop will be the virtual IP address.

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

View solution in original post

Julio E. Moisa · ‎02-28-2017

Hi

I think you could use Cisco ASA 5506X with security plus license.

https://apps.cisco.com/ccw/cpc/guest/content/ucsProductDetails/prod_ASA5506-K9

http://www.cisco.com/c/en/us/products/security/asa-firepower-services/index.html

Hope it is useful

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Docklands · ‎02-28-2017

Hi Julio

Thank you for your reply.

The device would need to be rack mounted so the 5508 would be prefereable. Is the 5508 also capable of providing a cluster?

Thanks

Mike

Julio E. Moisa · ‎02-28-2017

Hi

The 5506x can be mounted on a rack but an additional accessory is required:

http://www.cisco.com/c/en/us/td/docs/security/asa/hw/maintenance/5506xguide/b_Install_Guide_5506/b_Install_Guide_5506_chapter_011.html

Yes, 5508 can be configured as a cluster, It also allows active/active, it cannot be done on Cisco 5506X, it allows active/standby only.

https://apps.cisco.com/ccw/cpc/guest/content/ucsProductDetails/prod_ASA5508-K9

Hope it is useful

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Docklands · ‎02-28-2017

Thank you Julio,

Mike

Julio E. Moisa · ‎02-28-2017

It was a pleasure, thank you and have a great day!

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Docklands · ‎04-06-2017

Hi Julio,

We have nearly decided to buy the 5508 but wanted to check how to connect the inside interfaces.

As you can see from the diagram I've attached, we are using two HP layer 3 switches at the distribution layer to provide VRRP to the access layer switches.

So our question is, how to connect the HP switches to the 5508 active/standby devices. The ADSM guide shows two switches being used but connect using ISL, which is a Cisco protocol.

Any thoughts on how?

thanks

Mike

Docklands · ‎04-07-2017

its ok we have found a solution

Julio E. Moisa · ‎04-07-2017

Hi

Apologies, the HP switches will be configured with VRRP, you should connect one uplink from the primary switch to primary firewall and from secondary switch to the secondary firewall, create the VRRP and the virtual IP, so the firewall will be configured with 1(2 if you desire) ip address, in active standby this ip will be mirrored into the standby firewall so from the switches the next hop will be the same and from the firewall the next hop will be the virtual IP address.

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Karsten Iwen · ‎02-28-2017

There is another reason to go for the 5508-X instead of the 5506-X. The 5506-X only does stateless failover which means that all connections are dropped when there is a failover event. The 5508-X (and higher models) support statefull failover.

Docklands · ‎02-28-2017

Ah, that might be worth considering. Do you also know if the 5508-X has switchports? I understand the 5506-X has layer 3 ports

Karsten Iwen · ‎02-28-2017

Switchports were introduces in the newest release 9.7(1). For me, that's to "fresh" for production ... ;-)

Julio E. Moisa · ‎02-28-2017

Hi

This link can be a complement:

http://www.cisco.com/c/en/us/td/docs/security/asa/hw/maintenance/5508xguide/b_install_guide_5508/b_install_guide_5508_chapter_0100.html#concept_399FDE39941148C2B4B6515DC819F9B3

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<