Cisco ASA 5550 1

[mamir01]

Hi Members,

I have a few questions which I would like some advice if possible. I've heard good things about this forum so I'm hoping I'll get all the information I need from here.

Here goes:

We're about to deploy an IPSec solution with RSA SecurID using two Cisco ASA 5550 deployed in different locations acting as an Active /Passive firewalls.

question:

1) Can I have VPN clustering enabled even if the two firewalls are in different locations

2) Would Active/Passive work with VPN clustering or are these two different aspects

3) What is the best way forward to provide resilience to the firewall and the VPN IPSec user

I appreciate all the help I can get. Many thanks.

Regards,

Amir

 

[stubnski]

1. How far apart(distance) are the two ASA's?
Here is a forum answer from Cisco on distance for Active/passive failovers

2. In an Active/Passive setup only one asa is active at any one time so no VPN clustering. If the asa's are setup for Stateful failover then your users most likely will not notice if the active asa failed and the tunnel was switched to the "Passive now Active" asa

3. I've only worked in an Active/Passive setup and do upgrades to software at least once a year(depending on security notices from Cisco) without any user complaints when I failover the asa's.


Here is a quick tutorial about VPN clustering from Cisco's site.


I hope this helps.


Stubnski

 

[mamir01]

Thanks for your reply.

The ASA's will be in different physical locations so it will be setup as LAN based failover.

Now you say that VPN clustering is not possible on active/passive and I know this is also not possible on active/active failover, so if each firewall is at a different location how can a cluster be formed? Cheers

Regards,

Amir