Network Security Firewalls

RE: Cisco PIX vs Cisco ASA

Subject: RE: Cisco PIX vs Cisco ASA
Date: Tue, 11 Oct 2005 22:15:02 -0700
Yes, I have the SSM-10 module installed and configured on both units running
in inline mode.  You can run it both ways – promiscuous or inline.  I have
the configuration set to “fail open” when the IPS unit has a problem, etc.
However, when I applied a patch that required the IPS unit to reboot, the
‘primary’ unit in the active/standby setup initiated the failover, which I
thought was not supposed to occur.  Interesting that it did and I am
awaiting news from Cisco TAC on that feature… ;)

 

Also regarding the VPN configuration.  With the Cisco VPN 3000 series
systems, when you have configured remote user authentication using say NT
domain authentication you have a button to test a username and password pair
to verify your configuration.  On the surface and via the GUI on ASDM you
are not offered this capability.  However, I asked TAC and they said that
you can test it using the following command:

 

"test aaa-server authentication <server group name> username <username>
password <password>".

 

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/tz.htm#wp1228209

 

Richard

 

 

   _____  

From: Jonathan Gauntt [mailto:jon0966@yahoo.com] 
Sent: Tuesday, October 11, 2005 1:55 PM
To: 'Infoget'
Subject: RE: Cisco PIX vs Cisco ASA

 

Wow – I would miss PPTP – thanks.  Are you using the inline IPS?

 

 

Jonathan

 

   _____  

From: Infoget [mailto:infoget@cnrconsulting.bz] 
Sent: Tuesday, October 11, 2005 3:22 PM
To: 'Jonathan Gauntt'
Subject: RE: Cisco PIX vs Cisco ASA

 

Hello Jonathan,

 

I just installed two ASA5510’s for a client in active/standby failover mode.
They are using the IPS/FW and VPN services.  What specifically do you wish
to know regarding them?

 

Initial thoughts – 

 

1.)     Set-up is fairly easy.  The new ASDM is good and offers a better
look and feel than PDM.

2.)     Failover setup is different than the PIX 6.3 and slightly different
than PIX 7.0 even though the docs say they are the same – however it works
well when configured correctly.

3.)     Runs the same code as PIX with 7.0 which enhances the packet
inspection and QoS capabilities.

4.)     VPN concentrator is easy to set up.  They have a wizard that will
step you through simple configurations.  However, it only supports IPSec
VPNs, whereas the 3030 will support PPTP and L2TP. If you require this then
you will not want to switch.  

5.)     They state that they will join an existing VPN device cluster but
I would not trust that – however, I have not yet verified this ability.

 

Let me know if you have further questions.

 

Richard

 

   _____  

From: Jonathan Gauntt [mailto:jon0966@yahoo.com] 
Sent: Friday, October 07, 2005 11:58 AM
To: firewalls@securityfocus.com
Subject: Cisco PIX vs Cisco ASA

 

Hi,

 

I have four Cisco PIX 525’s at our office.  Multiple DS3’s run to our first
PIX 525 with another in standby and a similar configuration for the other
pair of PIX 525’s.

 

I also have a pair of VPN3030 concentrators that handle our LAN to LAN
connections and inbound VPN connectivity.

 

I am considering replacing our PIX / VPN pairs with four Cisco ASA 5540’s or
leaving our VPN 3030’s and purchasing four PIX 535’s.

 

Does anyone have any real world experience with the ASA line and what are
your thoughts on them?

 

Thanks,

 

 

Jonathan

 

 


--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.11.14/129 - Release Date: 10/11/2005


