Do I require the VPN bundle?

Jordi Benet
Level 1

Hi,

We are planning to buy 4 × 5585-X SSP 40 and would like to cluster them between 2 data centers.
We would like to have:

- ASA as Firewall

- add IPS module on the 5585-X SSP 40 empty slot

- Use the ASA to bring site-to-site IPSEC VPNs for our partners

- 20 Multiple Context Security Firewall

- ASA Cluster license

1. For the IPsec VPNs, do we require the VPN bundle, or is it included in the Firewall bundle?

2. Also, we would like to know if these licenses will be enough:

- ASA5500-SC-20= --> For the 20 Multiple Context

- L-ASA5585-CL-S40= --> Cluster license

- Do I need a license for the site-to-site VPNs, or do I need the VPN Bundle?

- Do I need any other license?
Thanks a lot.

Regards,

J
7 Replies

Marvin Rhoads
Hall of Fame

You should work with a partner who can advise you on the details of such a significant purchase but I'll briefly cover your questions:

1. No. IPsec site-site VPN does not require the VPN bundle. The VPN bundle adds AnyConnect Premium licenses, which are used for advanced remote access VPN functionality, not site-site VPN. The latter is included with the base 5585-X (and all bundles).

2. That suffices for a clustered multi-context setup.

NOTE - The IPS is not a good match with clustering as IPS functionality is not a distributed (cluster-ready) feature. That is, IPS will always and only run on the cluster master, not on any cluster member ASA. You would be better off with an external IPS such as a Cisco SourceFire appliance. If you still decide to use IPS, your service contract associated with the order should include the IPS subscription support.

Hi Marvin,

thanks a lot for the reply, much appreciated.

I thought the IPS module and Firewall module on the 5585-X SSP 40 would be independent.

I was thinking of putting the IPS module first and the ASA cluster after it. So traffic from north to south will hit the IPS module first and then the ASA cluster FW, and for south-to-north traffic the ASA cluster will make sure that traffic reaches the proper firewall (to accomplish stateful behavior), and then I am sure it will hit the correct IPS.

Can I accomplish this setup, or will the IPS hardware module only be activated on the cluster master, even if I have an IPS hardware module on each 5585-X SSP 40?

Thank you very much for the help.

Regards,

J
You're welcome. Thanks for the rating.

The Configuration Guide section on clustering explains it thus:

"IPS module—There is no configuration sync or state sharing between IPS modules. Some IPS signatures require IPS to keep the state across multiple connections. For example, the port scanning signature is used when the IPS module detects that someone is opening many connections to one server but with different ports. In clustering, those connections will be balanced between multiple ASA devices, each of which has its own IPS module. Because these IPS modules do not share state information, the cluster may not be able to detect port scanning as a result."

So, yes, you can use the IPS module in each member, but the effectiveness will be reduced a good bit. Given the additional cost you will pay for those, plus the fact that Cisco traditional IPS may well migrate to the superior SourceFire technology over the coming year or two (speculation on my part), I would not think that would be a good strategic move.

Hi Marvin,

thanks a lot for the reply.

I totally agree with your thinking, but we will stay with the Cisco IPS module as we will get additional 10 Gbps ports that we need, and also our security support team is very Cisco based.

I agree with you that a good strategic move will be to go with SourceFire, but we will stay with Cisco IPS module.

Thanks for the help provided as it has been very useful to understand the role of the IPS in the ASA cluster environment.

Regards,

J

You're welcome - thanks for the rating.

If you wait a while, you may see the SourceFire name be replaced with Cisco as the product lines blend together. :) (But then again they still keep the old IronPort name around.)

Seriously, Cisco has announced intention to integrate the SourceFire IDS technology into the CX module. But, like the IDS running on SSP, IDS on CX is also not (currently) a distributed function.

Jordi Benet
Level 1

Hi,

from the previous scenario, I would like to use 16 IPsec site-to-site tunnels. I wanted to create a Partner VRF with all the site-to-site tunnels going through and terminating at the ASA in one context firewall.

After reading the multiple-context firewall features, it says that a maximum of 5 IPsec tunnels will be available in one context firewall and a total of 10 IPsec tunnels for the entire firewall using multiple context firewalls.

This means that the only solution to implement 16 IPsec site-to-site tunnels on the ASA is disabling the multiple-context feature, or is there another way using multiple context to get 16 IPsec tunnels on the ASA?

Thanks a lot.

Regards,

J

I've not seen that VPN limitation - it does vary according to the platform, but for the 5585 you were discussing, the limitation is 10,000 (Reference).

You allocate the allowed number of VPNs by setting a "limit-resource" (by number or percentage) in a class which is created in the system context and then assigned to the various user context(s). (Reference)
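As an added illustration of the allocation described in the reply above (this is not configuration from the thread or from Cisco's documentation), the system-context commands might look like this; the class name, context name, interface and config-url are assumed, and the resource keywords vpn other / vpn burst other should be checked against the limit-resource documentation for the ASA version actually running:

```text
! System context (assumed names throughout): define a resource class that
! carves out site-to-site VPN sessions for the context that terminates partner tunnels.
class partner-vpn
  ! 'vpn other' = site-to-site sessions (assumed keyword); 16 tunnels plus headroom
  limit-resource vpn other 20
  ! allow a burst above the guaranteed count when the platform has free sessions
  limit-resource vpn burst other 4
  ! keep this context to a share of other resources, using the percentage form
  limit-resource conns 10%
!
! Contexts that do not terminate VPNs can stay in the default class.
context Partner
  ! bind the Partner context to the class above
  member partner-vpn
  allocate-interface TenGigabitEthernet0/6 partner-outside
  config-url disk0:/Partner.cfg
!
! Verify what each context was actually granted:
! show resource allocation
! show resource usage context Partner
```

The two show commands at the end are the check to run after the change: allocation shows the limits per class, and usage shows whether the Partner context is approaching its site-to-site session count.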
