Firewall Transparent Mode with IPS

Dear All,
I have the network setup shown below:
Router --- Firewall Transparent Mode --- Cisco layer 3 switch
I am planning to implement IPS. Which is the right place to put the IPS?
The IPS is separate hardware. Let me know in which mode the IPS has to be enabled.
Rgds - pramod

Hello,
If you have separate IPS hardware, then place the IPS between the router and the firewall.
You can use the IPS in inline or promiscuous mode.
In inline mode all traffic will pass through the IPS first and, after inspection, will move on to the firewall.
If you are using the IPS in promiscuous mode, a copy of the traffic is sent to the IPS and the inspection is done on that copy.
Thanks.

Similar Messages

  • Transparent mode with AIP-SSM-20

    I currently have an ASA5510 in routed mode with an AIP-SSM-20.
    There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE.  This part should present no issue.
    However, this will remove the IPS device, and I still want to use IPS.
    So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN.  The transparent ASA would be functioning strictly as an IPS appliance.
    Setup would look something like this:
    Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
    Can the AIP-SSM still perform IPS with the ASA in transparent mode?
    Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
    I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
    Regards.

    AFAIR, there is no problem setting up the AIP in a transparent firewall.
    "An ASA in transparent mode can run an AIP.  In the event the AIP fails,
    the IPS will fail-open and the ASA will continue to pass traffic.
    However, if an interface or cable fails, then traffic will stop.  You
    would need a failover pair to account for this failure event, which
    means another ASA and matching AIP."
    And no, there is no problem excluding certain hosts/ports/subnets from inspection by the IPS via MPF.
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
    What I would however consider is whether the ASA 5510s as second-tier firewalls for the 5520s will be enough.
    http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
    HTH,
    Marcin

  • ASDM in Firewall Transparent mode

    Greetings,
    I would like to configure an ASA5512-X in firewall transparent mode, but I am having trouble getting ASDM to launch when I do.
    I have created a BVI interface with an IP address, and I have enabled the management interface, but ASDM does not launch when I enter the IP address of the BVI I created.
    Apparently you need to use the bridge-group command to assign an interface to a bridge group. When I enter this command at the (config-if) prompt for Management 0/0, this command is not recognized.
    What are the general steps for configuring the management interface to be able to launch ASDM in transparent mode?
    Thanks,
    -Ross Merrifield

    Hello Ross,
    The management interface itself is only used for management purposes (it has its own IP address), so configure it differently from any other interface: assign an IP to the management interface as you would with a regular ASA interface (not in bridged mode).
    Regards,

  • ASA transparent mode with secondary IP on the router

    Hi
    I have
    Router --- ASA (Transparent)----Switch
    and I just wonder if it is possible to configure a secondary IP on the router interface which is connected to the ASA,
    so there is plenty of room in terms of LAN IP range.
    Or, to implement this, do I have to change the ASA to context mode and modify the configuration on the ASA?
    I hope I do not have to change anything on the ASA.
    Thanks

    The ASA in transparent mode works as an L2 device,
    so whatever IPs you use doesn't matter.
    You don't need to change anything in the ASA while it is in transparent mode,
    but be careful about what is allowed to pass through the firewall;
    you can control it by ACLs.
    The router and the switch you have will operate at L3 as if they were connected directly, with nothing between them from a routing and layer-three perspective,
    so they should be in the same subnet, VLAN and so on.
    Good luck.
    Please rate if helpful.

  • Failure when FWSM in transparent mode with multiple contexts

    hi experts,
    We have two FWSMs working in active/standby state, configured with multiple contexts in transparent mode, and the "outside" and "inside" interfaces for each context are in the same subnet.
    Now we have one FWSM broken and the RMA part can't arrive in a short time, so we have the risk that the second FWSM could fail as well. In the worst case, if the two were broken or powered off simultaneously, I wonder whether the communications between the multiple contexts could still be OK?
    Thanks in advance.

    The software requirements for Cisco Secure ACS are dependent on the type of Extensible Authentication Protocol (EAP) desired. For full support of all the EAP types including EAP-Flexible Authentication via Secure Tunneling (FAST), use release 3.2.3 or higher.
    http://www.cisco.com/en/US/netsol/ns340/ns394/ns431/ns434/networking_solutions_implementation_guide09186a008038906c.html

  • Transparent mode with WCCP v2

    Hi all.
    I configured my Content Engine 7305 with these configurations:
    CE(config)# wccp version 2
    CE(config)# wccp router-list 1 10.10.10.1
    CE(config)# wccp web-cache router-list-num 1
    And with router:
    Router(config)# ip wccp web-cache
    Router(config)# interface Serial0
    Router(config-if)# ip wccp web-cache redirect out
    Address Router: 10.10.10.1/24
    Address CE: 10.10.10.2 /24
    Client1 connect internet with url: http://www.vnexpress.net
    Client2 connect the same URL many times.
    But when I use: sho statistic http saving
    The hits are few (1 hit).
    The misses are a lot (49 misses).
    So I don't understand whether the Content Engine works perfectly or not.
    Help me, please.
    Thanks

    You should check to see if your CE and router see each other.
    CE "show wccp routers" - you should see the ID of your router you have configured.
    Router "show ip wccp web-cache view"
    If that doesn't work you can turn on debug
    "debug ip wccp packets" and see the request/response sequence
    .Jun 16 17:46:26: WCCP-PKT:S00: Received valid Here_I_Am packet from 10.1.1.1 w/rcv_id 00000844
    .Jun 16 17:46:26: WCCP-PKT:S00: Sending I_See_You packet to 10.1.1.1 w/ rcv_id 00000845

  • CISCO ASA5510 Firewall transparent mode

    Hi,
    I have an ASA5510 in the office that already has 3 contexts configured, namely admin, user and server.
    In the server context, the last running config was not saved, and there was a power trip last Friday night. One of the sub-interfaces was affected, and I need to recreate that interface.
    How do I do it?
    I am getting the error below; it only allows me to make changes to those pre-defined interfaces.
    kul-fw-03/admin(config)# interface ethernet 0/2.111
                                                  ^
    ERROR: % Invalid input detected at '^' marker.
    How do I create an extra sub-interface?
    PS: the current config was done by the network guy who left the company last month. :(
    Please help.

    You would need to configure it from the System context, not the Admin context.
    If you are trying to add the sub-interfaces for the server context, then go to the System context:
    config t
    interface ethernet 0/2.111
    exit
    context server
      allocate-interface ethernet0/2.111
    here is a sample configuration for your reference:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml
    Hope that helps.

  • Cisco 2960S Configured in Transparent mode

    I have a Cisco 2960S gig switch configured in transparent mode with multiple vlans configured. I have printers that I can ping, the ports shows up but on the printer it says offline. Any idea what could be causing this?

    If your printer and your PCs are all in the same subnet and only the printer is not working then VTP mode Transparent has nothing to do with your issue. 
    I'd be keen to know if you have a firewall blocking anything from the IP address of the printer?  Maybe the IP subnet mask or default gateway of the printer is not working?  
    What do you get when you do a "sh mac-address interface <PRINTER port>"?

  • FWSM in Transparent mode help

    Hi all,
    I am actually designing a new solution based on a 6509 switch with an FWSM module; here is what I have:
    The FWSM will be used in transparent mode with two bridge groups, 1 and 2, as shown on the image. I wonder if this is a correct design or not; will this work with no problem with these two trunk links?
    I've seen in the guidelines at this URL:
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/fwmode.html#wp1184961
    "The transparent FWSM uses an inside interface and an outside interface only. "
    Is it applicable in my case?
    Any other information will be welcome.
    Thanks for your help.

    Hi, this is a sample configuration.
    6509A:
    vlan 256
    name FWoutside
    int vlan 256
    ip addr 98.1.1.252 255.255.255.0
    6509B:
    vlan 255
    name FWinside
    int vlan 255
    ip addr 98.1.1.251 255.255.255.0
    firewall module 3 vlan-group 16,32
    firewall vlan-group 16 255
    firewall vlan-group 32 256
    FW:
    firewall transparent
    nameif vlan256 outside security0
    nameif vlan255 inside security100
    access-list ACL_IN extended permit ip any any
    access-group ACL_IN in interface outside
    access-group ACL_IN in interface inside
    6509B:
    6509B#ping 98.1.1.252
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 98.1.1.252, timeout is 2 seconds:
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
    6509B#

  • ASA5510 - LACP in Transparent Mode

    Hello all,
    I understand that in transparent mode an ASA5510 would only be able to have two interfaces, inside and outside.
    My question is could one of those logical interfaces be an LACP'd interface, made up of two physical interfaces. Topology below.
    I understand that the router and ASA5510 are SPOF here, so it is a bit of a moot point, but we're connecting already existing infrastructures together!
    |-----------|      |---------|
    | Switch 1  |------|         |
    |-----------|      | ASA5510 |         |----------|
         | |           | (transp |---------|  Router  |
    |-----------|      |  mode)  |         |----------|
    | Switch 2  |------|         |
    |-----------|      |---------|

    Configuring Cisco ASA Service Appliance in Transparent Mode with vPC: Since Release 8.4, the Cisco ASA 5500 Series Adaptive Security Appliance solution supports Link Aggregation Control Protocol (LACP). An ASA port-channel contains up to eight active member ports. Supported LACP modes are: ACTIVE, PASSIVE, and ON (ON means manual port bundling, i.e. not using the dynamic port-channeling control protocol). The ASA can be configured in transparent or routed mode. Both modes are supported when integrating the ASA with Cisco Nexus 7000 Series vPC.
    http://www.cisco.com/en/US/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf
    Page 87-88

  • Config transparent Proxy with LDAP authen with L4 switch?

    How do I configure policy-based routing on an L4 switch if the WSA runs in transparent mode with LDAP authentication?
    Async OS: 5.1.0-420
    Thank you,
    Thanapol

    Ezekiel,
    I wanted to add some clarification to your comments:
    1) Network TAP connected to T1/T2.
    This will work well. You will need to tap one direction of traffic to the T1 port and the other direction into the T2 interface.
    2) L4 switch connected to P1.
    This will NOT work. Further explanation below. What you can do is use a switch that supports port spanning / port mirroring. You'll need to send a COPY of all traffic going to the gateway to the T1 interface.
    The L4TM will need to be in 'duplex' mode - configurable in the GUI.
    3) WCCP v2 connected to P1.
    WCCP cannot be used at all with the L4TM, because WCCP doesn't 'copy' the traffic, it redirects it.
    L4TM information
    The L4TM can be thought of as a completely separate appliance that operates primarily via the T1 / T2 interfaces.
    The L4TM is a sniffer application, meaning that you cannot redirect traffic to it (such as L4 switching PBR or WCCP), but you can send a copy of traffic to it (port mirroring or physical tap).
    If you are blocking with the L4TM, the WSA will use M1/P1 to send the TCP RST packets. This is the ONLY use for the M1/P1 interfaces that the L4TM will make.
    The P1 interface is intended to be used for Web proxy traffic, and the L4TM does not listen on this interface.

  • ASA Transparent Mode Deployment Issue

    Could you please be more specific as to what does not work.  How are you testing, from which IP to which IP is not working? Are you able to ping the switch from the ASA Firewall (not the transparent firewall)?
    Please remember to rate and select a correct answer

    Ok after a little research I think I have found a solution for you ( I am leaving out the policy map configs):
    firewall transparent
    hostname ASA-IPS
    interface GigabitEthernet0/0.20
    vlan 20
    nameif Outside2
    bridge-group 2
    security-level 0
    interface GigabitEthernet0/0.10
    vlan 10
    nameif Outside1
    bridge-group 1
    security-level 0
    interface GigabitEthernet0/1.22
    vlan 22
    nameif Inside2
    bridge-group 2
    security-level 100
    interface GigabitEthernet0/1.11
    vlan 11
    nameif Inside1
    bridge-group 1
    security-level 100
    interface BVI1
    ip address 10.10.10.10 255.255.255.0
    interface BVI2
    ip address 10.10.20.10 255.255.255.0
    access-list inside_acl extended permit ip any any
    access-list outside_acl extended permit ip any any
    access-group outside_acl in interface Outside1
    access-group inside_acl in interface Inside1
    access-group outside_acl in interface Outside2
    access-group inside_acl in interface Inside2
    Also make sure that you amend the VLANs on the switch to correspond to the VLANs on the Transparent ASA.
    Please remember to rate and select a correct answer
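The bridge-group configuration above is easy to get subtly wrong (an interface left out of its bridge group, a nameif with no access-group, a BVI without an address). As an added example that is not from the thread or from Cisco, the following Python parses a flat ASA 8.4-style transparent-mode fragment and reports such gaps. The ASA_CONFIG text is the poster's configuration; BROKEN_CONFIG is a constructed variant with two of those mistakes. The parser assumes the bridge-group / BVI syntax used in the post, not the older FWSM `nameif vlanN` form.

```python
"""Sanity checks for an ASA 8.4+ transparent-mode configuration fragment."""
import re
from collections import defaultdict

# Configuration as posted in the thread above (policy maps omitted by the poster).
ASA_CONFIG = """\
firewall transparent
hostname ASA-IPS
interface GigabitEthernet0/0.20
vlan 20
nameif Outside2
bridge-group 2
security-level 0
interface GigabitEthernet0/0.10
vlan 10
nameif Outside1
bridge-group 1
security-level 0
interface GigabitEthernet0/1.22
vlan 22
nameif Inside2
bridge-group 2
security-level 100
interface GigabitEthernet0/1.11
vlan 11
nameif Inside1
bridge-group 1
security-level 100
interface BVI1
ip address 10.10.10.10 255.255.255.0
interface BVI2
ip address 10.10.20.10 255.255.255.0
access-list inside_acl extended permit ip any any
access-list outside_acl extended permit ip any any
access-group outside_acl in interface Outside1
access-group inside_acl in interface Inside1
access-group outside_acl in interface Outside2
access-group inside_acl in interface Inside2
"""

# Constructed variant with two common mistakes: Inside1 never joins bridge
# group 1 and has no access-group bound, so bridge group 1 has a single member.
BROKEN_CONFIG = """\
firewall transparent
interface GigabitEthernet0/0.10
vlan 10
nameif Outside1
bridge-group 1
security-level 0
interface GigabitEthernet0/1.11
vlan 11
nameif Inside1
security-level 100
interface BVI1
ip address 10.10.10.10 255.255.255.0
access-list outside_acl extended permit ip any any
access-group outside_acl in interface Outside1
"""

def parse_asa_config(text):
    """Return (mode, interfaces, bvis, access_groups) from a flat config.

    interfaces: interface name -> {"vlan", "nameif", "bridge-group", "security-level"}
    bvis:       bridge group number -> management IP address (or None)
    access_groups: nameif -> ACL name bound inbound on it
    """
    mode, interfaces, bvis, access_groups, current = None, {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "firewall transparent":
            mode = "transparent"
        elif m := re.match(r"interface BVI(\d+)$", line):
            current = ("bvi", int(m.group(1)))
            bvis.setdefault(current[1], None)
        elif m := re.match(r"interface (\S+)$", line):
            current = ("if", m.group(1))
            interfaces[current[1]] = {}
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            access_groups[m.group(2)] = m.group(1)
        elif line.split()[0] in ("hostname", "access-list"):
            current = None  # a global command ends the current interface block
        elif current and current[0] == "bvi":
            if m := re.match(r"ip address (\S+) \S+$", line):
                bvis[current[1]] = m.group(1)
        elif current and current[0] == "if":
            key, _, value = line.partition(" ")
            interfaces[current[1]][key] = value
    return mode, interfaces, bvis, access_groups

def check_transparent_config(text):
    """Return a list of human-readable findings; an empty list means no gaps found."""
    mode, interfaces, bvis, access_groups = parse_asa_config(text)
    findings = []
    if mode != "transparent":
        findings.append("'firewall transparent' is not set")
    members = defaultdict(list)
    for name, attrs in interfaces.items():
        for required in ("vlan", "nameif", "bridge-group", "security-level"):
            if required not in attrs:
                findings.append(f"{name}: missing '{required}'")
        if "bridge-group" in attrs:
            members[int(attrs["bridge-group"])].append(name)
        nameif = attrs.get("nameif")
        if nameif and nameif not in access_groups:
            findings.append(f"{nameif}: no access-group bound, only the default security-level policy applies")
    for group, names in sorted(members.items()):
        if len(names) < 2:
            findings.append(f"bridge-group {group}: only {len(names)} member interface(s)")
        if bvis.get(group) is None:
            findings.append(f"bridge-group {group}: BVI{group} has no IP address")
    return findings

if __name__ == "__main__":
    for label, cfg in (("posted config", ASA_CONFIG), ("broken config", BROKEN_CONFIG)):
        print(label, check_transparent_config(cfg) or ["OK"])
```

The posted configuration produces no findings; the constructed one reports the missing `bridge-group` on GigabitEthernet0/1.11, the unbound Inside1 and the single-member bridge group 1. Run it against a `show running-config` excerpt before cutting over the switch VLANs, since a VLAN/bridge-group mismatch is exactly the kind of error the reply above warns about.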

  • ASA 8.4 transparent mode active/active questions

    Hi, currently I'm trying to create a network design which uses two 5585-Xs in transparent mode with active/active load balancing (with states), but I have some questions:
    1. Do I need to configure asr-groups in transparent mode? What will happen if my packet (or now, more accurately, frame) returns to the standby context of one device, while the initial packet passed through the active context on the other device (contexts are in the same group but on different physical devices)?
    2. In 8.4 we received a new feature called BVI interfaces. How does this feature integrate with failover functionality? Can we now use multiple BVI bridge groups for multiple VLANs (instead of bridging a single pair of VLANs in a single context)?
    3. When implementing active/active load balancing with BVIs, do we still need to use multiple context mode?
    Thanks for your replies

    Hello,
    1. Do I need to configure asr-groups in transparent mode? What will happen if my packet (or now, more accurately, frame) returns to the standby context of one device, while the initial packet passed through the active context on the other device (contexts are in the same group but on different physical devices)?
    You only need to configure ASR groups if your routing environment would match the scenario you outlined (a return packet arrives at the unit running the Standby context).
    2. In 8.4 we received a new feature called BVI interfaces. How does this feature integrate with failover functionality? Can we now use multiple BVI bridge groups for multiple VLANs (instead of bridging a single pair of VLANs in a single context)?
    You can configure up to 8 bridge groups per context to achieve this.
    3. When implementing active/active load balancing with BVIs do we still need to use multiple context mode?
    Active/Active failover is only possible in multiple context mode.
    Hope that helps.
    -Mike

  • VRF issue with Firewall in transparent Mode.

    Hi Guys,
    I have a 7609 router and a 6513 L3 switch connected through an ASA 5545.
    I am running multiple VRFs between the router and the switch, with BGP as the routing protocol. When they are connected directly to each other everything is normal; however, when I connect them via the ASA 5545, everything fails. I am using the ASA in transparent mode.
    My question is: does the ASA require different settings in the case of VRF? If yes, then please give me a sample config.

    I have taken the following output from the firewall; will this be of any help?
    sh interface ouTSIDE
    Interface GigabitEthernet0/1 "OUTSIDE", is up, line protocol is up
      Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
            Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
            Input flow control is unsupported, output flow control is off
            MAC address 7c69.f68f.df78, MTU 1500
            IP address 175.4.8.35, subnet mask 255.255.255.248
            8435 packets input, 680680 bytes, 0 no buffer
            Received 8135 broadcasts, 0 runts, 0 giants
            0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
            0 pause input, 0 resume input
            8138 L2 decode drops
            0 packets output, 0 bytes, 0 underruns
            0 pause output, 0 resume output
            0 output errors, 0 collisions, 1 interface resets
            0 late collisions, 0 deferred
            0 input reset drops, 0 output reset drops
            input queue (blocks free curr/low): hardware (476/461)
            output queue (blocks free curr/low): hardware (511/511)
      Traffic Statistics for "OUTSIDE":
            297 packets input, 118503 bytes
            0 packets output, 0 bytes
            297 packets dropped
          1 minute input rate 0 pkts/sec,  13 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  6 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    ciscoasa# show asp drop
    Frame drop:
      FP L2 rule drop (l2_acl)                                                   297
    ASA Version 9.0(1)
    firewall transparent
    ciscoasa# show module all
    Mod Card Type                                    Model              Serial No.
      0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt     ASA5545           
    ips ASA 5545-X IPS Security Services Processor   ASA5545-IPS       
    Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
      0 7c69.f68f.df77 to 7c69.f68f.df80  1.0          2.1(9)8      9.0(1)
    ips 7c69.f68f.df75 to 7c69.f68f.df75  N/A          N/A          7.1(4)E4
    Mod SSM Application Name           Status           SSM Application Version
    ips IPS                            Up               7.1(4)E4
    Mod Status             Data Plane Status     Compatibility
      0 Up Sys             Not Applicable
    ips Up                 Up
    Mod License Name   License Status  Time Remaining
    ips IPS Module     Enabled         perpetual
    ciscoasa#
    I have created an EtherType ACL and permitted any traffic.
    CDP traffic has passed through, but I am still not able to ping :(
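The two outputs above already contain the key correlation: the OUTSIDE interface counts 297 packets in and 297 dropped, and `show asp drop` attributes exactly 297 frames to the `l2_acl` reason. As an added example (not from the thread or from Cisco), this Python pulls those counters out of the two command outputs and flags any interface whose drops account for all of its ingress traffic and line up with a single ASP drop reason, which is the first thing to check before suspecting VRF or BGP. The embedded outputs are trimmed copies of the poster's, constructed here for the example.

```python
"""Correlate ASA 'show interface' traffic statistics with 'show asp drop'."""
import re

# Trimmed copies of the two outputs posted above (constructed from the post).
SHOW_INTERFACE = """\
Interface GigabitEthernet0/1 "OUTSIDE", is up, line protocol is up
  Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
        8435 packets input, 680680 bytes, 0 no buffer
        8138 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
  Traffic Statistics for "OUTSIDE":
        297 packets input, 118503 bytes
        0 packets output, 0 bytes
        297 packets dropped
      1 minute input rate 0 pkts/sec,  13 bytes/sec
"""

SHOW_ASP_DROP = """\
Frame drop:
  FP L2 rule drop (l2_acl)                                                   297
"""

def parse_interface_stats(text):
    """Return {nameif: {"input": n, "output": n, "dropped": n}} taken from the
    'Traffic Statistics' section of each interface (the per-interface counters,
    not the hardware counters printed above them)."""
    stats, current = {}, None
    for line in text.splitlines():
        if line.startswith("Interface "):
            current = None  # hardware counters of the next interface follow: skip them
            continue
        m = re.match(r'\s*Traffic Statistics for "([^"]+)":', line)
        if m:
            current = m.group(1)
            stats[current] = {"input": 0, "output": 0, "dropped": 0}
            continue
        m = re.match(r"\s*(\d+) packets (input|output|dropped)", line)
        if m and current:
            stats[current][m.group(2)] = int(m.group(1))
    return stats

def parse_asp_drop(text):
    """Return {drop_reason_tag: count}, e.g. {"l2_acl": 297}."""
    drops = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s+\((\S+)\)\s+(\d+)\s*$", line)
        if m:
            drops[m.group(2)] = int(m.group(3))
    return drops

def diagnose(stats, drops):
    """For every interface whose dropped count equals its input count, return
    (nameif, reason_tag_or_None, count), where reason_tag is the single ASP
    drop reason whose counter matches that count exactly."""
    findings = []
    for nameif, s in stats.items():
        if s["input"] and s["dropped"] == s["input"]:
            match = [tag for tag, n in drops.items() if n == s["dropped"]]
            findings.append((nameif, match[0] if len(match) == 1 else None, s["dropped"]))
    return findings

if __name__ == "__main__":
    for nameif, reason, count in diagnose(parse_interface_stats(SHOW_INTERFACE),
                                          parse_asp_drop(SHOW_ASP_DROP)):
        print(f"{nameif}: all {count} ingress frames dropped; ASP reason {reason!r} "
              "has the same count, so review the L2/EtherType rules on that interface first")
```

On the posted output this yields `("OUTSIDE", "l2_acl", 297)`: every frame that entered OUTSIDE was discarded by an L2 rule, so the EtherType ACL and its `access-group` binding on that interface are the place to look before anything at layer 3. On a live box, `clear asp drop` and `clear interface` before reproducing the failure keep the counters comparable.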

  • Transparent mode/firewall mode in a multiple context asa5520

    Hello,
    Is it possible to have transparent mode on CONTEXT_A and firewall/routed mode on CONTEXT_B in a single ASA 5520?
    thanks.

    Is there any document to support this? I would be getting my hands on a ASA pretty soon hope to test this feature out.
    -Hoogen
