I have tried to find information on this but seem to have hit a wall - we have two Cisco 5500 ASA's in transparent mode running as a Active/Passive failover pair. We want to install two McAfee Intrushield IPS devices in front of the two firwalls (i.e. between the router adn the ASA). Our only concern is how the we can monitor the link between the router and the IPS to failover the firewalls in case this link should fail. Because the firewalls are running in transparent mode we are unable to use routing protocols to monitor the link.
Can the Intrushield shutdown the internal port if the external port goes down? This would allow us to monitor the internal link and fail over if it went down.
Thanks for the help.
Its a while since I have used ASAs in transparent mode so not sure if there will be any nuances or gotchas with this setup. However, saying that, if you have two ASAs for HA, do you also have 2 routers? If so, are they running HSRP/VRRP/GLBP? If the setup is something like the below:
switch ----- ASA1 ------ NSP1 -------- Router1
switch ----- ASA2 ------ NSP2 -------- Router2
and the link between NSP1 and router 1 goes down (using HSRP as example), Router 2 will no longer get hello messages from Router 1 and will assume the active state. The switching will take care of the rest, and traffic will start to flow through ASA2.
1) Could you provide further information as to how you have the active/standby configuration of the ASA devices setup (I thought that in transparent mode they were essentially active active and traffic could flow through both, but as said, its been a while!)
2) Could you confirm further details about the surrounding environment (such as any specific high level STP, HSRP etc details)