5515x inline IPS questions...

I'm attempting to configure an IPS for the first time and have a few questions... I went through Cisco's quick start guide and it appears that the ASA management and IPS management can have separate IPs on the same management interface, is that correct?
I already have an ASA in use on my network and just want to add the 5512x IPS behind my ASA firewall to check for intrusion attempts. Could someone give advice on the best way of implementing this? I do not have a separate management network so I'm not sure if I should be using the management port at all. For the IPS to act as inline, would I configure 2 interfaces on the ASA, 1 going to my firewall ASA and the other interface going to my internal network? I only want the IPS device to act as an IPS, I don't need the firewall capabilities.
Thanks for any advice!

Just to bring a different design into the game: can't you replace your actual ASA with the new one that has IPS enabled? That will give you a much simpler design.
If you really want to separate the two functions then the IPS-ASA doesn't need a dedicated management interface. Just connect it to your internal network with an IP config that matches that network.
The inline config is as you wrote: one interface to the ASA, one interface to the internal network. As you only want IPS on the new device and no firewalling, you could also configure state bypass on the ASA that does IPS.
Sent from Cisco Technical Support iPad App

Similar Messages

  • Diverting traffic to IDSM for inline IPS mode

    I have a Catalyst 6500 switch containing FWSM and IDSM-2 module. Vlan 1000 is the outside interface for the FWSM to which all business servers are mapped (vlan 900, inside interface of FWSM).
    I want to inline IPS all the traffic going to these business servers.
    I have no issue with IPS configuration.
    Could you please guide me with a configuration for 6500 switch for diverting this traffic.
    I can provide 6500 configs if required.
    An example would be appreciated.

    I'm not sure if this is relevant to your situation, but here is how I have a gateway 6K switch set up with an external 4255 IPS device. You should be able to substitute the IDSM-2 though.
    Internet -> port 1/2 Vlan 5 -> port 3/1 Vlan 5 -> 4255 vlan pair to -> port 3/2 Vlan 2 -> MSFC Route Module -> rest of vlans internal...
    What I am doing in bringing my uplink in on a physical port that is in Vlan 5. I put one side of my IPS sensor into Vlan 5. These two ports are the only ports in Vlan 5. The IPS sensor port is vlan paired through the sensor to a port in Vlan 2. From this point, my MSFC route module has virtual interfaces for Vlan 2 and all of the rest of my internal Vlans. There is no route entry for Vlan 5, it is a pure switching vlan.
    What I like about this setup is that the IPS is transparent. If I have a problem with my IPS device or if I am doing an image upgrade, I can move the vlan for port 1/2 into Vlan 2 and logically bypass the IPS device...taking it out of inline without having to change anything else in the switch config and only having to wait for the spanning tree to converge.
    For the IDSM2, since the ports are trunk ports, you'd want to set the native vlan to the target vlan of each port and set the allowed vlans to just the target vlan of each port (ports 7 & 8).
    Hope this is useful,
    Scott

  • When inline IPS's are powercycled...

    using the CLI (or gui) reset command, will network traffic continue to pass through if the IPS is configured for inline mode?
    I know i could find out in a matter of minutes, but i'd rather not mess with our live network ;)

    The HW ByPass Switches generally have both Electronic and Mechanical mechanisms for controlling the ByPass functionality.
    The Electronic Mechanisms are what the HW ByPass Switch will use while it is receiving power. It will electronically be monitoring the link between itself and the 2 sensor ports (the 2 sensor ports being used for inline monitoring).
    If the link goes down, then the HW ByPass Switch can electronically detect the link down, and will ByPass the sensor.
    If, however, the HW ByPass Switch itself loses power, then this is when the Mechanical mechanism kicks in.
    On power loss the HW ByPass Switch will immediately lose any link to the sensor (ByPassing the sensor regardless of whether or not the sensor is up).
    And mechanically the other 2 interfaces of the HW ByPass Switch (the 2 connected to the other devices, aka the switches and/or routers and/or firewalls) will connect to each other and act like a simple wire. The HW ByPass Switch turns into just an expensive wire when it loses power.
    So the HW ByPass Switch is capable of passing traffic when it loses power. It will not send traffic to the sensor when it has lost power, but will allow the other 2 devices to send traffic to each other (hence the ByPass).
    Now I see there has been confusion between a Tap and a HW ByPass Switch.
    These are 2 separate pieces of hardware.
    A TAP is used only for promiscuous monitoring. It only copies packets to the sensor, and cannot be used with an InLine sensor for InLine monitoring.
    A HW ByPass Switch is only used for InLine monitoring. It sends the real packet through the sensor, and so cannot be used with a promiscuous sensor because all packets would go to the sensor and never come back to the HW ByPass Switch.
    Some of the confusion is that some vendors like NetOptics produce both Taps and HW ByPass Switches. So when you go to make your purchase you will need to be very clear on whether you want a Tap for promiscuous monitoring or a HW ByPass Switch for InLine monitoring.
    What you will also find out is that the technology for Taps and for HW ByPass Switches is complementary. And it would not surprise me that in a year or 2 you would start seeing hybrid boxes that can be configured to work as a Tap OR a HW ByPass Switch (similar to how Cisco IPS Sensors can be configured for promiscuous IDS or inline IPS).

  • Inline IPS between core switch & FWSM

    Hi Guys,
    I want to connect the IPS appliance inline between the outside interface VLAN (which is located on the switch) and the inside interface VLAN, which is located on the firewall module. How can I do that? Any solution for that?
    Regards,
    Rami

    If I understand your question correctly, you have an IPS appliance, like a 4200 series appliance that you want to connect to your 6500/7600 switch. This is pretty easy: Create an interface on your switch in each of the two VLANs, cable these to your IPS sensor, configure your sensor for these two as "interface pairs" and you should be good to go.
    If you want some traffic reliability on top of this, add two additional interfaces, one in each VLAN, cable them together, make sure Spanning Tree Protocol is running on these VLANs and make the STP metric of this interface higher than the default interface of the IPS connection. This will provide a "fail-open" path for your traffic when the sensor dies, reloads or stops passing layer 2 traffic.
    - Bob

  • Upload through inline IPS increases inspection load

    The IPS-4240-K9 [IPS Version 7.0(4) E4] is deployed in inline mode before the ASA and perimeter router. The design is LAN->IPS->ASA->Internet Router. The problem is that when I am uploading to the internet the IPS inspection load increases to 100% and the devices beyond the IPS become non-responsive (ping drops from ASA and router). Surprisingly the ping response on the IPS does not break; when I put the IPS in never-inspect mode (bypass on) the problem does not happen. Hence it's confirmed that the issue is with the IPS and its inspection load due to upload.
    Please guide on how to resolve it. Thanks

    Hi Sawan,
    No, there is no particular signature firing a lot.. normal signatures which do fire in normal operation..
    By traffic load you mean the size of file being uploaded; even if we upload a file between 20-40 MB the ping drops on the devices beyond the IPS start and continue until the file is uploaded.. once the file is uploaded completely, which in the case of 20-40 MB is within seconds, the situation returns to normal...
    We will upgrade soon ...but is there any bug in this release related to this problem ??
    Thanks for the reply ..
    Rgds
    Unus

  • AIP-SSM inline mode Question

    Dear all
    I have an ASA 5520 with an IPS module. I installed it 3 weeks ago. The IPS module is installed in inline mode.
    Till now I did not see any events appear on the sensor. I configured it to scan http traffic from any source to the inside LAN subnet (10.1.0.0/16).
    Can I know whether the sensor is working properly or not?? And how???
    The following is the configuration on the ASA:
    access-list outside_mpc extended permit tcp any 10.1.0.0 255.255.0.0 eq www
    class-map outside-class
    match access-list outside_mpc
    policy-map outside-policy1
    class outside-class
    ips inline fail-open sensor vs0
    service-policy outside-policy1 interface outside
    Please find the attached file for the IPS config.
    Thanks

    Your config looks very similar to my working ASA configs. The only exception is your virtual sensor entries in the ASA and the IPS. If you don't need them they can be left out.
    Assuming your config is correct, you can try opening up your access list to more traffic and see if you get events. You can turn on signature 2004 for ICMP echo replies if you want to stimulate some events for yourself.

  • Configure newly deployed inline IPS to alert only

    All,
    I'm hoping some of you experts can assist me with this request. I recently started a new job and they put the IPS into prod (we are running the software-based module on our ASA) and it started blocking more than they had intended. They configured the ASA to not send any traffic to it, to stop the outage.
    So now we have an IPS half-way set up and I need to finish the job. I'm new to Cisco IPS, but what I really want to know is: is there a way I can deploy this sensor so that it is still inline but it will not block anything? This way I can baseline the environment and see what type of alerts are firing.
    Any help on the best way to set this up / deploy tips would be appreciated!

    If you don't want the IPS to block anything while sitting inline but only throw alerts, from the event actions opt for "produce alert":
    Produce Alert
    Writes the event to the Event Store as an alert.
    Note The Produce Alert action is not automatic when you enable alerts for a signature. To have an alert created in the Event Store, you must select Produce Alert. If you add a second action, you must include Produce Alert if you want an alert sent to the Event Store. Also, every time you configure the event actions, a new list is created and it replaces the old list. Make sure you include all the event actions you need for each signature.

  • Inline Validation Question

    I was wondering if it is possible to have two separate messages thrown in a validation. One that would show in the Notification area, and one that would show inline with the item.
    The reason why I ask is that currently I have everything on a page very delicately lined up. When an error message fires, it pushes everything to the right, which messes up the alignment. Plus if multiple items on the same line throw errors, it no longer fits on the page like the users want.
    I'd like to have the actual error message display at the top of the screen (notification area) and just the red X that Apex puts next to items that fail validation appear next to the item.
    Thanks in advance.
    Josh

    Josh,
    One way you could do this would be to set the validation to display both inline and in the notification area. Then edit (or create a copy and edit) the label template. There is a section of the template "Error Display". You could just remove the substitution #ERROR_MESSAGE# and the break tag. This way you are just left with the CSS class.
    You could also add the error message as a title attribute to the div and the user would then get a tooltip.
    e.g. <div class="t20InlineError" title="#ERROR_MESSAGE#">
    Greg
    Edited by: Greg Jarmiolowski on Aug 24, 2009 1:26 PM

  • TCP flow get slower with IPS 4255 5.1(3) in inline mode

    I have an IPS 4255 with 5.1(3).
    The logical setup is the following:
    Internet
    |
    ServerA --- IPS --- PIX --- IPS --- ServerB
    The physical setup is the following:
    ServerA --- SwitchA --- IPS --- SwitchB --- PIX --- Internet
    ServerB ---/
    (ServerA and ServerB are in different DMZs -> in different VLANs)
    My goal is to protect many segments by one inline IPS, therefore the connection
    between SwitchA and SwitchB is an ethernet trunk (for performance reasons this is
    an etherchannel trunk (load sharing is src-dst-ip)).
    The problem is that ServerA and ServerB have to communicate, and this is done via the PIX.
    The communication is very slow and there are many fired TCP Drop and TCP normalization related
    signatures. When the IPS is in bypass-on mode or one of the server segments is not watched by the
    IPS the communication speed is ok. I think the speed degradation is because every packet between ServerA and
    ServerB travels through the IPS twice. It seems to me that although they are in separate VLANs the IPS cannot handle
    them.
    Has someone an idea how to solve this issue?

    Hello,
    The traffic is about 1-2 megabit/sec through the IPS, so this does not count.
    I tried to use norandomseq but it does not help. (Is it ok that norandomseq does not appear in the configuration? I used it in this form: nat (APPL) 0 access-list ACL_NONAT_APPL norandomseq).
    I switched off all of the signatures except the normalizers. I switched them to just produce alert and verbose alert, not to drop or modify packets.
    The two relevant servers are Takson (172.31.5.1) and Keve (172.31.6.1).
    The alarms are attached. I see that there is alarm between them :TCP session tracking stopped due to timeout
    It seems to me very strange.
    Akos

  • Cisco 4240 IPS Inline and CDP neighbor

    Has anyone seen IPS device block CDP or prevent CDP?
    I was told that the Inline IPS device is preventing the use of CDP.

    Found that the CDP issue is a reported bug.
    CSCsg45642 Bug Details
    Symptom:
    CDP traffic is not passed from one interface to the other in an inline pair.
    Conditions:
    Sensor running 5.1.1 or later configured in inline mode. Bypass mode enabled or disabled.
    Workaround:
    None at this time.
    Further Problem Description:
    http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsg45642

  • IDSM-2 IPS (5.x) / Cat IOS questions

    Is my understanding correct that a Catalyst 6500 running Cat IOS supports only Promiscuous mode and that Cat IOS does not support IDSM-2 (5.x) Inline mode?
    Are there any plans to incorporate Inline Mode (5.x) under Cat IOS in the future, or am I missing something here?

    An upcoming version of CatIOS code will definitely support inline mode.
    The IPS 5.0 code, as you're aware, was the first version of IDS code to support inline mode. With the standalone sensors, running it inline requires a physical cabling change. With the IDSM-2 in particular though, you need to be able to configure the Cat-IOS code to push traffic through the device in inline mode.
    Unfortunately getting new versions of CatIOS code out the door is not that easy, since there are about 10,000 other features (not just IPS) in the code that are also wanting to be updated, plus other new features, plus all the testing and re-testing that needs to go on before a release. Supporting inline IPS is just one of many major features scheduled for the switch software.
    The Release Notes for IPS 5.0 code do say the following:
    IDSM-2 only supports inline mode for Catalyst Software 8.4.4(1) with Supervisor Engine 1a, Supervisor Engine 2, Supervisor Engine 32, and Supervisor Engine 720. Inline support for Cisco IOS will be added at a later date.

  • IDSM-2 and inline mode

    Hello
    I have a question about IDSM-2 (in a Catalyst 6500) with IPS 6.0.3 and inline mode. I wanted to create VLAN groups, so I could have inline IPS with many virtual sensors for subinterfaces (VLAN ranges).
    I tried to:
    set trunk 5/7 1-4095 (on switch)
    set trunk 5/8 1-4095 (on switch)
    and in the IDSM-2 CLI:
    I created an inline interface (using ports 5/7 and 5/8), but after that I could not create VLAN groups on the physical interface. Why?
    How can I make my IDSM-2 card work inline with many virtual sensors (policies) for different VLANs?

    I found my answer in the IDSM-2 document: "You can mix sensing modes on IDSM-2. For example, you can configure one data port for promiscuous mode and the other data port for inline VLAN pair mode. But because IDSM-2 only has two data ports and inline mode requires the use of both data ports as a pair, you cannot mix inline mode with either of the other two modes." But something else: suppose that I have sig 2004 configured for inline traffic to deny the attacker inline; then this action doesn't make any sense for some data in passive mode, and suppose that for that kind of traffic, where the IDSM-2 is operating in passive mode, I want to just send an alert. So can I use different VSs for doing this? Thanks.

  • Solution on IPS Placement

    Dear Pros,
    Project explanation:
    A pair of PIX firewalls configured as failover. The outside of the PIX pair is connected to the internet gateway router 3825. The inside of the PIX pair is connected to the core switch ports configured with the VLAN. The configuration is as below:
    Outside : 192.168.102.0
    Active pix out: 192.168.102.2
    Sec.Pix out : 192.168.102.3
    3825 Gieth : 192.168.102.1
    Inside PIX : 192.168.101.0
    Active pix in : 192.168.101.2
    Sec.PIX IN : 192.168.101.3
    Core SVI in : 192.168.101.1 (Gway for the vlan)
    Now I decided to connect the IPS 4240 in inline IPS mode by connecting the IPS's outside to the PIX inside segment and the IPS
    inside to the core switch 4510R VLAN interface that had previously been connected to the PIX inside segment.
    I have 5 VLANs inside the core 4510R created with 172.16.16.0/24, 172.16.17.0/24, 172.16.18.0/24....
    I already configured the IPS 4240 with 2 interface pairs and assigned them to the sensing engines. I need to know
    the other steps to configure to allow the traffic inline through the IPS. Also I want to know the blocking concept and here,
    do we need to configure the blocking for the 5 inside networks?
    Please give me the solution details.
    Thanks
    swamy

    Based on your scenario, please have a look at the logical and physical connectivity of your devices.
    This is due to the device limitations, especially the switch, where you only have 1 x Cat4510R available. Therefore, you need to host all connections on this switch to cater for IPS - Firewall connectivity.
    This design is to allow you to filter traffic from the Internet coming into your internal network and vice versa.
    Basically, you need to have 2 x Layer 2 VLANs on your Cat4510R switch, for example:
    - Vlan 102 - hosts router interface, IPS and PIX Outside interfaces
    - Vlan 11 - hosts PIX inside interfaces and IPS
    Maintain the existing VLAN with interface IP of 192.168.102.1, which was shared with the PIX Inside interface IPs as well.
    I have implemented a similar setup, and it works fine.
    As for your blocking concept, you need to use ACLs to permit/deny who/ports, and apply them to the relevant VLAN interfaces.
    Hope this works. Please rate all useful post(s).
    AK

  • Negating deny-attacker inline best practice

    We have recently deployed an inline IPS solution using 5.1(7) E1 software. We would like to deny-attacker-victim-pair-inline for some signatures from one particular subnet on the network but negate the rest.
    In order to correctly implement this, I think that we need to use SigEvent Action Filters on the sensor and use the commands <<actions-to-remove/deny-attacker-victim-pair-inline>> for all subnets except the one that we wish to allow deny actions for.
    I have seen that in the configuration on the sensor you can implement under the section <<service network-access>> a <<never-block-networks>> statement. My understanding is that this is used more for shunning rather than deny-inline solutions.
    Am I correct about this?
    Please could someone on the list validate that this is the best practice solution for negating deny-attackers inline.

    Create 2 event action filters.
    The first event action filter will match the signatures and subnets you want to deny on and doesn't subtract any actions. Make sure you set it to "stop on match".
    The next one will match the same signatures but the 0.0.0.0-255.255.255.255 address. Remove the appropriate actions.
    The net result is that the first event action filter will apply when it matches and the second when it doesn't.
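    The two-filter ordering described in this answer, modelled in Python as an added illustration (this is not sensor code or Cisco's filter implementation; the subnet, signature ids and event values are constructed samples, and each filter is simplified to one attacker network). It shows why "stop on match" on the first filter is what keeps the deny action for the allowed subnet, and what happens if the filters are ordered the other way round:

```python
"""Model of ordered Cisco IPS event action filters (added illustration, not sensor code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

DENY = "deny-attacker-victim-pair-inline"
ALERT = "produce-alert"
DEFAULT_ACTIONS = {ALERT, DENY}                 # constructed: actions the signatures carry

# Constructed sample values: the one subnet where denies should stay, and the
# signature ids the question is about.
ALLOWED_SUBNET = IPv4Network("10.10.20.0/24")
WATCHED_SIGS = {2004, 3030}


@dataclass
class EventActionFilter:
    """Hypothetical simplification: one attacker network and one signature set per filter."""
    name: str
    signature_ids: set
    attacker_range: IPv4Network
    actions_to_remove: set
    stop_on_match: bool = False

    def matches(self, sig_id: int, attacker: IPv4Address) -> bool:
        return sig_id in self.signature_ids and attacker in self.attacker_range


def apply_filters(filters, sig_id: int, attacker: IPv4Address, actions) -> set:
    """Walk the ordered filter list; a matching filter subtracts its actions and,
    if stop-on-match is set, ends processing so later filters never see the event."""
    remaining = set(actions)
    for f in filters:
        if not f.matches(sig_id, attacker):
            continue
        remaining -= f.actions_to_remove
        if f.stop_on_match:
            break
    return remaining


# Filter 1: allowed subnet, subtracts nothing, stops processing.
# Filter 2: everyone (0.0.0.0/0), strips the inline deny.
FILTERS = [
    EventActionFilter("keep-deny-allowed-subnet", WATCHED_SIGS, ALLOWED_SUBNET, set(), True),
    EventActionFilter("strip-deny-everyone-else", WATCHED_SIGS, IPv4Network("0.0.0.0/0"), {DENY}),
]


def resulting_actions(sig_id: int, attacker_ip: str, filters=FILTERS) -> list:
    """Sorted surviving actions for one constructed event."""
    return sorted(apply_filters(filters, sig_id, IPv4Address(attacker_ip), DEFAULT_ACTIONS))


def resulting_actions_reversed_order(sig_id: int, attacker_ip: str) -> list:
    """Same event with the filters in the wrong order: the catch-all strips the deny
    before the subnet-specific filter gets a chance to stop processing."""
    return resulting_actions(sig_id, attacker_ip, list(reversed(FILTERS)))


if __name__ == "__main__":
    print(resulting_actions(2004, "10.10.20.5"))               # deny kept for allowed subnet
    print(resulting_actions(2004, "192.0.2.7"))                # deny stripped elsewhere
    print(resulting_actions(1000, "192.0.2.7"))                # unwatched signature untouched
    print(resulting_actions_reversed_order(2004, "10.10.20.5"))  # wrong order loses the deny
```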

  • IDSM2 on 6500-IOS inline mode support?

    Hi,
    I have an IDSM-2 running IPS5.1(1d) software (recently upgraded from 4.x) that is sitting on a 6500 IOS.
    The IPS device manager shows gi0/7 and gi0/8 as both in Promiscuous mode. There is no option to change the mode to inline and pair them.
    Is it so that IDSM-2 currently supports only Promiscuous mode?
    If so, then this module is still acting as an IDS despite running IPS5.1. Isn't it? What is the advantage that I get after upgrading it from 4.x to 5.1?
    -- Vasanth

    There are 2 pieces to the puzzle.
    There is the IDSM-2 version and what it supports, but also the Cat 6K Native IOS version and what it supports.
    IDSM-2 v5.1(1d) supports
    a) Promiscuous mode,
    b) InLine Interface Pair mode (2 interfaces are paired for inline monitoring), and also
    c) InLine Vlan Pair mode (2 vlans on a single interface are paired for inline monitoring, you will also see it called inline-on-a-stick)
    But for these features to be used, the switch code must also support configuring the switch side of the IDSM-2 for each of these 3 features.
    Native IOS Versions prior to 12.2(18)SXE will support only Promiscuous mode on the IDSM-2.
    12.2(18)SXE and later versions will support InLine Interface Pair mode on the IDSM-2.
    No Native IOS versions currently support InLine Vlan Pair mode on the IDSM-2 (a new Native IOS version with this support is currently in development).
    So to get Inline (IPS) functionality you need to be running a Native IOS version 12.2(18)SXE or later, and on the IDSM-2 run IPS versions 5.1 (or even the older 5.0).
    (NOTE: Cat OS 8.5(1) does support all 3 modes of the IDSM-2. So if you are using Cat OS instead of Native IOS, then run version 8.5(1) to have access to all of the features of IPS 5.1(1) on the IDSM-2)
    If you are running a Native IOS version prior to 12.2(18)SXE then the IDSM-2 can only be operated in Promiscuous mode even if 5.1(1) is loaded on the IDSM-2.
    However, even in promiscuous mode the IPS 5.1(1) software does have a few advantages.
    There are several engines, and engine parameters that are only supported in the 5.1 version and not the 4.0 version. So there are several signatures that are either a) not even created for 4.x sensors, or b) the 4.x signature is not as precise as the 5.x signature in the new engines.
    (These new engines have proved invaluable in writing signatures to detect some of the new attacks that have come out over the past year.)
    There are of course other advantages as well:
    For example:
    1) Risk Rating to better aid in prioritization of alerts.
    2) More flexible filtering mechanism for alerts that allows for filtering individual actions
    The 2 features above are just 2 of the new features that have been added in 5.0 and 5.1 that apply to both promiscuous and inline modes.
