IOS IDS vs. ASA Module vs. ISR module vs. Blade vs. Appliance

Hello!
Does anyone have any matrix or reference comparing performance, but also features and functionality, for really the entire IPS solution set from Cisco?

IOS (software-based) IDS is not an option at all, as far as performance/functionality is concerned. Performance ratings are provided on cisco.com: http://www.cisco.com/go/ips for both blades and appliances. And they all have almost (99%) identical features, because they use the same software. The difference, however, is how they capture traffic from the network.

Similar Messages

  • Difference in ASA module, ASA 5510

    Folks,
    I am trying to get some good comparison data on the Cisco ASA module (5585 probably) and the Cisco 5510 physical device.
    We are looking to create contexts and most of these contexts are dynamic in nature.
    What could be the advantages and disadvantages of using one or the other?
    I know the ASA 5510 supports virtual contexts but I am not sure how many are supported by the base license and how many could be added.
    Further, the communication between the switch and the ASA module goes via the backplane, and in the case of the physical device it will go over the LAN cable (mostly 1 Gig). Will this be slower?
    Regards,
    Nikhil.

    Hi,
    Check if the below datasheet helps..
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html
    hth
    MS

  • Cisco 6500 ASA Module

    Greetings,
    I have a 6509-E switch with a Cisco ASA module. I have two network segments: 1. 10.60.5.0/24 and 2. 10.60.6.0/24. The ASA module is the gateway for my two subnets, the routing protocol is Cisco EIGRP, and everything looks normal, but when I try to copy files from one computer which has the IP 10.60.6.21 to another computer which has the IP 10.60.5.100 in the other subnet, the latency goes high and copying is very slow.
    Please help me.

    Hi,
    I think the easiest test would be to check for any inspections for the traffic that you are using for the test on the ASA device.
    Also, you can try this:
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111986-asa-tcp-bypass-00.html
    Thanks and Regards,
    Vibhor Amrodia

  • 6500 with ASA module

    Hello guys,
    I'm designing a small-medium branch office (from 100 users, scalable up to 500).
    My idea was to build this around a pair of 6506-E switches (as collapsed core, utilizing VSS), then at each floor (1 floor = 100 users) have a stack of 3750 switches.
    Now, to my question: I want a pair of security appliances, one per breakout. I was looking at the possibility of putting an ASA module into each 6500.
    Is it possible to use the 10G X2 modules, which are built into the 6500's SUP, as WAN interfaces and direct everything they receive on those ports directly into the ASA? (I want all traffic which comes to the 6500 via the SUP's X2 modules to pass through the ASA before any further action is taken.)
    As far as I know, in order to use VSS together with ASA modules in active/active mode (I will load balance through uplinks on both 6500s) I need to use the SUP 720-10G, am I right?
    Thanks in advance for your insights.
    Michal

    Thanks guys. Appreciate your feedback!
    I will most likely go for the option "Existing ASA 5540 with IPS module". I hope the IPS module does not limit any bandwidth capability or cause a processing issue on the ASA. My current throughput is 250 Mbps bidirectional.
    After looking at the IPS option I am slightly confused about which one I need. The Cisco website says:
    "...adding the broad range of intrusion prevention and advanced antiworm services delivered by the IPS modules via the AIP SSM and AIP SSC, or the comprehensive malware protection and content security services enabled by the CSC SSM."
    Do I need the SSM only, or both SSM and SSC, or the CSC SSM? How many modules can be installed on a 5540?
    Fawad

  • C65K ASA module - syn cookie & ASAx clustering (9.x)

    Hi,
    A couple of questions:
    I want to move SYN cookie protection from ACE modules to ASA modules in a data center setup. And I want to set a max embryonic conns per server/IP behind the firewall, e.g. 512/server.
    According to the ASA configuration guide 8.5 you can make and apply a service-policy, e.g. to the outside interface, with the following variables (among others):
    - conn-max (0-2000000). I suppose this is an overall 'conns through the box' value?
    - embryonic-conn-max n. Is n the overall embryonic 'conns through the box' value?
    - per-client-embryonic-max. If clients are outside hosts accessing an inside server, it will not mitigate DDoS SYN attacks very well, will it?
    Apparently none of the above settings limit embryonic conns per inside server?
    On the other hand the configuration guide says:
    "When you use TCP SYN cookie protection to protect servers from SYN attacks, you must set the embryonic connection limit lower than the TCP SYN backlog queue on the server that you want to protect. Otherwise, valid clients can no longer access the server during a SYN attack."
    And to something completely different:
    In ASA software 9, clustering of the 5585-X is an option. Does it apply to the ASA modules as well (which are based on the 5585-X)?
    Thanks
    Regards Jesper Joensen

    Iyer
    Agree, but you still have a problem with heavy DDoS attacks with thousands of spoofed IPs.
    I ended up with this config (going into production very soon); the embryonic-conn-max 512 is intended to trigger SYN cookies during SYN attacks:
    class-map EMBRYONIC-CONNS
    match any
    policy-map EMBRYONIC-CONNS
    class EMBRYONIC-CONNS
      set connection embryonic-conn-max 512 per-client-embryonic-max 5
    service-policy EMBRYONIC-CONNS interface msfc
    Thanks
    Jesper
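To make the thread's point concrete (a per-client limit does nothing against thousands of spoofed sources that send one SYN each, while the overall embryonic limit is what engages SYN cookies), here is an added Python model of the posted policy-map values; it is not code from the thread or from Cisco, and its counters are a simplified assumption of ASA behaviour rather than the real implementation.

```python
"""Simplified model of the ASA embryonic-connection limits discussed above
(set connection embryonic-conn-max / per-client-embryonic-max) under a SYN
flood.  Added illustration, not code from the post or from Cisco.  Assumed
behaviour: once the overall embryonic limit is reached the ASA answers further
SYNs with SYN cookies (keeping no state); a client already holding
per-client-embryonic-max half-open connections has further SYNs refused."""
from collections import Counter

EMBRYONIC_CONN_MAX = 512       # value in the posted policy-map
PER_CLIENT_EMBRYONIC_MAX = 5   # value in the posted policy-map


def apply_policy(syns, embryonic_max=EMBRYONIC_CONN_MAX,
                 per_client_max=PER_CLIENT_EMBRYONIC_MAX):
    """Process (client_ip, completes_handshake) SYN events in order and return
    counters: accepted, embryonic_held, syn_cookie, per_client_refused."""
    half_open = Counter()          # half-open connections per client
    total_half_open = 0
    stats = Counter()
    for client, completes in syns:
        if half_open[client] >= per_client_max:
            stats["per_client_refused"] += 1
            continue
        if total_half_open >= embryonic_max:
            # Overall limit reached: reply with a SYN cookie and keep no state.
            # A spoofed source never completes, so it costs nothing;
            # a real client completes the handshake and is accepted as usual.
            stats["syn_cookie"] += 1
            if completes:
                stats["accepted"] += 1
            continue
        if completes:
            stats["accepted"] += 1     # handshake finished, no half-open state
        else:
            half_open[client] += 1     # never completes: occupies an embryonic slot
            total_half_open += 1
            stats["embryonic_held"] += 1
    return dict(stats)


def spoofed_flood(n):
    """Constructed input: n SYNs, each from a distinct spoofed address, none completing."""
    return [(f"10.{i >> 8}.{i & 255}.1", False) for i in range(n)]


def limit_protects_server(embryonic_max, server_backlog):
    """Configuration-guide caveat quoted in the thread: the embryonic limit must
    be lower than the server's SYN backlog, or valid clients lose access."""
    return embryonic_max < server_backlog


if __name__ == "__main__":
    # Thousands of spoofed sources, one SYN each: the per-client limit never
    # fires, the overall limit does, and a real client still gets in via cookie.
    print(apply_policy(spoofed_flood(2000) + [("192.0.2.10", True)]))
    # One aggressive source: here the per-client limit is what stops it.
    print(apply_policy([("192.0.2.77", False)] * 20))
```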

  • How do you session to the ASA module on a 6509?

    I have a new 6509 ASA Module. When I try to open a session, it fails. Here are the outputs.
     1    3  ASA Service Module                     WS-SVC-ASA-SM1     SAL1813P1P8
      2    4  WiSM 2 WLAN Service Module             WS-SVC-WISM2-K9    SAL1815QD32
      3   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6848-GE-TX     SAL1814PFAK
      4   48  CEF720 48 port 1000mb SFP              WS-X6848-SFP       SAL1815QBQT
      5    5  Supervisor Engine 2T 10GE w/ CTS (Acti VS-SUP2T-10G       SAL1815QCZE
    Mod MAC addresses                       Hw    Fw           Sw           Status
      1  4c00.826a.32b4 to 4c00.826a.32c3   2.0   12.2(50r)SYL 15.0(1)SY6   Ok
      2  30f7.0d0b.f630 to 30f7.0d0b.f63f   1.1   12.2(18r)S1  15.0(1)SY6   Ok
      3  a80c.0df1.edd0 to a80c.0df1.edff   1.0   12.2(18r)S1  15.0(1)SY6   Ok
      4  18e7.2820.4c00 to 18e7.2820.4c2f   3.0   12.2(18r)S1  15.0(1)SY6   Ok
      5  6c41.6a0c.17d2 to 6c41.6a0c.17d9   1.7   12.2(50r)SYS 15.0(1)SY6   Ok
    Mod  Sub-Module                  Model              Serial       Hw     Status
     1/0 ASA Application Processor   SVC-APP-PROC-1     SAL1808MGPL  1.0    Ok
      3  Distributed Forwarding Card WS-F6K-DFC4-A      SAL1813PD2L  2.0    Ok
      4  Distributed Forwarding Card WS-F6K-DFC4-A      SAL1815PY3J  2.0    Ok
      5  Policy Feature Card 4       VS-F6K-PFC4        SAL1814PLKQ  2.1    Ok
      5  CPU Daughterboard           VS-F6K-MSFC5       SAL1815Q2ZZ  2.1    Ok
    All modules loaded up OK.
    sess slot 1 pro 1
    The default escape character is Ctrl-^, then x.
    You can also type 'exit' at the remote prompt to end the session
    Trying 127.0.0.11 ...
    % Connection timed out; remote host not responding

    Try "service-module session slot 1". Reference.

  • IOS IDS question

    hello
    ip audit protected [ip address - ip address]
    According to CCO it defines a protected address space for IDS. This is from Cisco:
    "An attack signature detects attacks attempted into the protected network, such as denial-of-service attempts or the execution of illegal commands during an FTP session."
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfids.htm
    I tested IDS today with ICMP flooding, and I got alarms for ICMP attack SIG 2050 even without configuring this command.
    Does anybody know what exactly this command does?
    regards
    Louis

    You must be using a very old version of IOS in which the IDS feature is configured using the 'ip audit...' command. In these versions of IOS, the IDS feature has a fixed number of hardcoded signatures.
    The IOS IDS/IPS feature has evolved quite a bit. Starting with 12.3(8)T, it supports dynamic signatures and is a true inline IPS system. More recently, from 12.4(11)T, it supports the 5.x signature format, which enables IPS to support signatures with encrypted parameter values and more functions (but this is not backward compatible with previous versions).
    For more information, please check Cisco.com at http://www.cisco.com/en/US/products/ps6634/products_ios_protocol_group_home.html
    Also please check the white paper and Q&A section.
    Thanks,
    -Chris

  • Manually configuring ASA modules vs discovering them

    We're starting to deploy ASA now to replace some aging / end-of-life devices (PIX and IDS sensors). Once the network admins set up the required IDS module(s) etc. on the ASA, I can then configure each of them as reporting devices in MARS (I can also discover the individual settings on the IPS, e.g. virtual sensors). Basically it looks just like an IPS v7 box.
    Question: should I first set up the ASA itself in MARS, and then use the discover feature top-down for MARS to uncover the IPS, firewall modules etc., as opposed to configuring each module individually as a reporting device in MARS? Aside from the additional effort required, are there any distinct advantages or issues with one method vs. the other? What are the gotchas if we ignore the ASA (from the MARS perspective) and treat all modules individually, i.e. MARS would have no knowledge of the ASA itself and considers the modules to be all "stand alone" in that respect?
    Hope that makes sense.
    thanks

    Hello,
    You could use either method and both of them are absolutely fine. There are no specific gotchas if you add the modules individually, just that it is a little more work, and it is absolutely fine to have the modules configured individually on the MARS.
    Hope this clarifies!!
    Thanks,
    --Sunil

  • How to Support IDS in ASA 5505 and 5520?

    Dear All;
    We have the following HW configuration for the ASA 5505 and ASA 5520. We need to add Intrusion Detection System (IDS) functionality to both ASAs. My question is: what module(s) are required to support this function, what is the difference between IPS and IDS, and does the same module provide both functions?
    Part No              Description                                                      QTY
    ASA5505-BUN-K9       ASA 5505 Appliance with SW, 10 Users, 8 ports, 3DES/AES          1
    CON-SNT-AS5BUNK9     SMARTNET 8X5XNBD ASA5505-BUN-K9                                  1
    SF-ASA5505-8.2-K8    ASA 5505 Series Software v8.2                                    1
    CAB-AC-C5            AC Power Cord Type C5 US                                         1
    ASA5500-ENCR-K9      ASA 5500 Strong Encryption License (3DES/AES)                    1
    ASA5505-PWR-AC       ASA 5505 AC Power Supply Adapter                                 1
    ASA5505-SW-10        ASA 5505 10 User software license                                1
    SSC-BLANK            ASA 5505 SSC Blank Slot Cover                                    1
    ASA-ANYCONN-CSD-K9   ASA 5500 AnyConnect Client + Cisco Security Desktop Software     1

    Part No              Description                                                      QTY
    ASA5520-BUN-K9       ASA 5520 Appliance with SW, HA, 4GE+1FE, 3DES/AES                2
    CON-SNT-AS2BUNK9     SMARTNET 8X5XNBD ASA5520 w/300 VPN Prs 4GE+1FE 3DES/AES          2
    ASA5520-VPN-PL       ASA 5520 VPN Plus 750 IPsec User License (7.0 Only)              2
    ASA-VPN-CLNT-K9      Cisco VPN Client Software (Windows Solaris Linux Mac)            2
    SF-ASA-8.2-K8        ASA 5500 Series Software v8.2                                    2
    CAB-ACU              AC Power Cord (UK) C13 BS 1363 2.5m                              2
    ASA-180W-PWR-AC      ASA 180W AC Power Supply                                         2
    ASA5500-ENCR-K9      ASA 5500 Strong Encryption License (3DES/AES)                    2
    ASA-ANYCONN-CSD-K9   ASA 5500 AnyConnect Client + Cisco Security Desktop Software     2
    SSM-BLANK            ASA/IPS SSM Slot Cover                                           2
    Thanks in advance.
    Rashed Ward.

    OK, I was not quite correct in my first post.
    Those modules are the only modules available for the corresponding ASA models.
    They all may act as IPS (inline mode) or IDS (promiscuous mode), depending on how you configure your policies.
    When it acts as an IPS, the ASA directs all traffic through the module, so all the traffic is inspected and can be dropped inline if a signature fires.
    When it acts as an IDS, the ASA just copies traffic to the module for inspection, but the actual traffic flow is not affected by the module, as it's not inline in this case.
    Plus, those modules may run a combination of both modes, i.e. some traffic might be inspected inline, while some other (more sensitive) traffic is inspected in promiscuous mode.
    To understand this better, get familiar with this link:
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/modules_ips.html

  • Need help with LAN Architecture - ASA/IPS, and ISR placement

    Dear friends, I am new to the Cisco community, have had no previous experience with managed networks and desperately need advice on setting up a LAN for my small business. Here is what I did so far:
    The ASA with IPS is facing the internet, has a webserver connected to the DMZ and then the ISR on the inside interface. The ISR is used for running CCME/CUE VoIP and VLAN NAT. The switch is connected to the ISR with a trunk interface. I set up multiple VLANs with ACLs to separate engineering/management/sales/fileserver. Inter-VLAN routing is enabled on the switch to allow Gigabit routing from the Fileserver VLAN to the Engineering VLAN.
    I know this is probably overkill for a 4-person company, but my objective is to be ready for possible attacks from both outside and inside and to ensure business continuity and minimal service interruptions.
    My question: would it be more practical to connect the ASA directly to the switch and do VLAN NAT on the ASA instead of the router? This way if the router fails, I lose VoIP but not Internet, and if the ASA fails, I only lose Internet, while phones stay operational. This approach should also let me use the ASA IPS to monitor inter-VLAN traffic, so if one of the user PCs gets infected, hopefully the IPS will contain the damage to a single VLAN.
    What would an experienced network architect do in my case? Any suggestions?
    Please forgive me if I misunderstood something or did something silly, as this is my first network setup (not including household-grade routers).
    Thank you very much in advance!

    Thank you for your response!
    I still keep debating whether there are any advantages to using a router in between the ASA and the switch, or whether I should connect the switch directly to the ASA, so the only function of the router is to run VoIP.
    I saw multiple network diagrams which all had a border router, then the ASA, then switches. In my case the router runs VoIP and I would want it to be behind the ASA. Are there any benefits to running internet traffic through both the ASA and a router?
    For redundancy, we can't really afford a 2nd ASA at this time; for now I would want to make sure there is as little chance as possible that both phones and internet go out simultaneously.

  • Do I need IOS firewall feature set on Catalyst 6500 for FW blade?

    Hi all,
    If I install a FW blade in a Cat6500, do I need to have the IOS firewall feature set on the Cat6500 itself?
    Thanks and Regards,
    mak

    Nope.
    The FWSM uses its own OS based on PIX OS. While it uses SVIs configured in the MSFC, it otherwise runs autonomously from the Sup and MSFC, even in Native mode.
    Let me know if this helps by rating the post.
    Michael

  • Does ASA Service Module on 6509-E support Remote Access VPN ?

    I'm having a problem configuring Remote Access VPN (SSL, AnyConnect etc.) on the ASA Service Module on a 6509-E. Is this even supported, or am I wasting my time trying to make something work which will not work in the first place :) ? Site-to-Site works without any problems.
    Tech Info:
    6509-E running SUP 2T 15.1(2)SY
    ASA Module - WS-SVC-ASA-SM1 running image - asa912-smp-k8 & asdm-712
    Licenses on ASA:
    Encryption-DES - Enabled
    Encryption-3DES-AES  -Enabled
    Thanks in Advance for support.

    Are you running multiple context mode?
    If you are, remote access VPN is not supported in that case:
    "Note Multiple context mode only applies to IKEv2 and IKEv1 site to site and does not apply to AnyConnect, clientless SSL VPN, the legacy Cisco VPN client, the Apple native VPN client, the Microsoft native VPN client, or cTCP for IKEv1 IPsec."
    Reference.

  • What does the core crypto kernel module in IOS comprise off?

    What does the core crypto kernel module in IOS comprise? Basically I am trying to figure out if the new iPhones and iPads are FIPS 140-2 compliant (iPhone 5 or 6 and iPad 3rd gen and above). Apple and NIST state that the Apple IOS core crypto kernel module v4.0 is validated FIPS 140-2, BUT what we don't know is whether the core crypto kernel module covers the complete device or just some pieces and modules of the device?

    msohailc wrote:
    What does the core crypto kernel module in IOS comprise?
    Doubtful anyone here would know that, as we don't work for Apple and know nothing more than what Apple has made public in their FIPS documentation.

  • Service module upgrade

    I have a question: does someone know how to upgrade the IOS of the service module?
    With best regards

    The Release Notes of every IOS/IOS-XE release contain detailed instructions on how to upgrade the firmware.

  • Can LMS 3.2 manage cisco SM-ES3-24-P which is a switch/router module inserted into a 3945 Router?

    LMS 3.2 on Solaris 10
    LMS properly manages our 3950 routers, but we recently installed a Cisco SM-ES3-24-P (PowerPC405) processor. This is managed via its own IP address. I recently added this to our LMS system and ran an update inventory job. The job succeeded (see attachment); however, the device is still listed as Unknown. I updated all RME device packages about two weeks ago. I'm assuming there isn't a device package for this type of module yet?
    Thanks,

    Hi,
    These kinds of modules are supported in LMS 3.2 as per the link below. Check this link and look for -->
    http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/3.2/device_support/table/lms32sdt.html
    1.3.6.1.4.1.9.1.1053
    It also mentions what the minimum IOS version should be and for what functionality this module is supported in CiscoWorks.
    Thanks,
    Gaganjeet
