Transparent mode with AIP-SSM-20

I currently have an ASA5510 in routed mode with an AIP-SSM-20.
There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE.  This part should present no issue.
However, this will remove the IPS device, and I still want to use IPS.
So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN.  The transparent ASA would be functioning strictly as an IPS appliance.
Setup would look something like this:
Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
Can the AIP-SSM still perform IPS with the ASA in transparent mode?
Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
Regards.

AFAIR, there is no problem setting up the AIP in a transparent firewall.
"An ASA in transparent mode can run an AIP. In the event the AIP fails, the IPS will fail open and the ASA will continue to pass traffic. However, if an interface or cable fails, then traffic will stop. You would need a failover pair to account for this failure event, which means another ASA and matching AIP."
And no, there is no problem excluding certain hosts/ports/subnets from inspection by the IPS via MPF.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
What I would consider, however, is whether an ASA 5510 as a second-tier firewall for 5520s will be enough.
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
HTH,
Marcin
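As an added illustration (not part of Marcin's reply or of any Cisco document), here is what the transparent-mode ASA's configuration would look like with the file servers excluded from the AIP-SSM via MPF. It assumes ASA 8.2 syntax (the global "ip address" is the bridge's management address in that release; 8.4 and later use bridge groups instead), two hypothetical file servers at 10.1.1.10 and 10.1.1.11, and Ethernet0/0 and Ethernet0/1 as the outside and inside ports. The mechanism is that a "deny" entry in the ACL used by the class map means "does not match the class", so that traffic is never handed to the module, while everything matching "permit" is sent to the AIP-SSM.

```cisco
! Transparent (layer-2) firewall with one management address in the LAN subnet.
! Addresses and interface names below are assumptions for the example.
firewall transparent
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
ip address 10.1.1.2 255.255.255.0

! Traffic selection for the IPS module:
! "deny" = not matched by the class, so it bypasses the AIP-SSM entirely;
! "permit" = matched, so it is sent to the module for inspection.
access-list IPS-TRAFFIC extended deny ip host 10.1.1.10 any
access-list IPS-TRAFFIC extended deny ip any host 10.1.1.10
access-list IPS-TRAFFIC extended deny ip host 10.1.1.11 any
access-list IPS-TRAFFIC extended deny ip any host 10.1.1.11
access-list IPS-TRAFFIC extended permit ip any any

class-map IPS-CLASS
 match access-list IPS-TRAFFIC

! inline = the module sits in the forwarding path and can drop packets;
! fail-open = if the module is down, matching traffic is forwarded uninspected
! (use fail-close if a dead sensor must block traffic instead).
policy-map global_policy
 class IPS-CLASS
  ips inline fail-open
service-policy global_policy global
```

Two practitioner notes: both directions of each server's traffic have to be denied in the ACL, because a flow is classified by the first packet seen and a one-sided deny would still send the return half to the module; and "show service-policy" on the ASA shows per-class packet counters, which is the quickest way to confirm that the bypassed hosts' traffic is really not being counted against the IPS class. Fail-open only covers the module itself, as Marcin's quote says; an interface or cable failure on the transparent box still stops traffic unless it is deployed as a failover pair.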

Similar Messages

  • How to block p2p applications(Bittorent like) with AIP-SSM-10?

    Hi,
How do I block p2p applications using an AIP-SSM-10 working with an ASA5520? The AIP is in promiscuous mode.
    Thanks,
    Siva

    There are several signatures that detect p2p, for bit torrent there is 11020.0
    Yahoo triggers: 5539.0, 11200.0, 11212.0, 11217.0 & 11219.0
    etc..
    Some are disabled by default though so please ensure you enable the ones that you need.
If you want to block these then you will have to use event actions that work in a promiscuous setup, for example "request block connection" and "TCP reset". Please note that care must be taken when using these event actions.
    For more information about the event actions please refer the link below:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/idmguide/dmevtrul.htm#wp1069467

  • Failure when FWSM in transparent mode with multiple contexts

    hi experts,
We have two FWSMs working in active/standby state, configured with multiple contexts in transparent mode, and the "outside" and "inside" interfaces for each context are in the same subnet.
Now we have one FWSM broken and the RMA part can't arrive in a short time, so we have the risk that the second FWSM could fail as well. In the worst case, if the two were broken or powered off simultaneously, I wonder whether the communications between the multiple contexts would be OK?
    thanks in advance.

    The software requirements for Cisco Secure ACS are dependent on the type of Extensible Authentication Protocol (EAP) desired. For full support of all the EAP types including EAP-Flexible Authentication via Secure Tunneling (FAST), use release 3.2.3 or higher.
    http://www.cisco.com/en/US/netsol/ns340/ns394/ns431/ns434/networking_solutions_implementation_guide09186a008038906c.html

  • ASA transparent mode with secondary IP on the router

    Hi
    I have
    Router --- ASA (Transparent)----Switch
and I just wonder if it is possible to configure a secondary IP on the router interface which is connected to the ASA,
so there is plenty of room in terms of LAN IP range.
Or, to implement this, do I have to change the ASA to context mode and modify the configuration on the ASA?
I hope I do not have to change anything on the ASA.
    Thanks

An ASA in transparent mode works as an L2 device,
so whatever IPs you use doesn't matter.
You don't need to change anything on the ASA while it is in transparent mode,
but be careful of what is allowed to pass through the firewall;
you can control it with ACLs.
The router and the switch you have will operate at L3 as if they were connected directly, with nothing between them from a routing and layer-three perspective,
so they should be in the same subnet, VLAN and so on.
Good luck.
Please rate if helpful.

  • Firewall Transparent Mode with IPS

Dear All,
I have the network setup shown below:
Router --- Firewall Transparent Mode --- Cisco layer 3 switch
I am planning to implement IPS. Which is the right place to put the IPS?
The IPS is separate hardware. Let me know in which mode the IPS has to be enabled. Rgds - pramod

    Hello,
If you have separate IPS hardware, then place the IPS between the router and the firewall.
You can use the IPS in inline or promiscuous mode.
In inline mode all traffic will pass through the IPS first, and then after inspection will move on to the firewall.
If you are using the IPS in promiscuous mode, then a copy of the traffic is sent to the IPS and the inspection is done on that copy.
    Thanks.

  • Transparent mode with WCCP v2

    Hi all.
I configured my Content Engine 7305 with this configuration:
    CE(config)# wccp version 2
    CE(config)# wccp router-list 1 10.10.10.1
    CE(config)# wccp web-cache router-list-num 1
And on the router:
    Router(config)# ip wccp web-cache
    Router(config)# interface Serial0
    Router(config-if)# ip wccp web-cache redirect out
    Address Router: 10.10.10.1/24
    Address CE: 10.10.10.2 /24
Client1 connects to the internet with the URL http://www.vnexpress.net
Client2 connects to the same URL many times.
But when I use "sho statistic http saving":
The hits are few (1 hit).
The misses are a lot (49 misses).
So I don't understand whether the Content Engine works properly or not.
Help me, please.
Thanks

You should check to see if your CE and router see each other.
CE: "show wccp routers" - you should see the ID of the router you have configured.
Router: "show ip wccp web-cache view"
If that doesn't work you can turn on debug:
"debug ip wccp packets" and see the request/response sequence:
    .Jun 16 17:46:26: WCCP-PKT:S00: Received valid Here_I_Am packet from 10.1.1.1 w/rcv_id 00000844
    .Jun 16 17:46:26: WCCP-PKT:S00: Sending I_See_You packet to 10.1.1.1 w/ rcv_id 00000845

  • Using ASA5510 AIP-SSM in IDS mode

    Hi,
I have a Cisco ASA5510 with an AIP-SSM and I would like to use it as a one-armed IDS, connecting it to a SPAN port of a switch in my network,
without the traffic passing through the firewall.
I tried to configure it and connected the inside interface (fast0/1) to the SPAN port. I created the policy to permit all the traffic to the sensor, but it doesn't work: no packets are received on the sensor.
Can somebody help me?
    thanks

Unfortunately you can't use the AIP-SSM in an ASA with a spanning switch like you could with the 4200 series appliances.
The reason is that the ASA was built to be a firewall, and no matter how much of that functionality you turn off, it still needs to see TCP and UDP conversations flowing through the ASA in order to pass that traffic to the AIP-SSM sensor (I tried very hard to see if I could get around this limitation, but you can't).
The best you can hope to do is put the ASA in-line (I know this reduces reliability) and turn off as much of the firewall configuration as you can. Then you can promiscuously monitor the traffic passing through the ASA with the AIP-SSM.
    It's not ideal, but it's the cheapest IPS sensor in Cisco's line up right now.
    - Bob

  • AIP-SSM Configuration Maintenance in Active Stdby modes

So, I'm pretty new to the AIP-SSM but not to ASAs. It appears that very little of the AIP module config gets copied over to the standby AIP, nothing other than what appears in the ASA config (ACLs, etc.). So, do all the config elements particular to the module itself have to be manually reproduced on the standby module, either by hand entry or by config copies moved between the two?

    So in Active/Standby scenarios with AIP-SSM, what is the reasoning for not having a feature for automatically copying over module config changes as with the ASA config?
    If there is no good reason, is it on the AIP-SSM road map to provide this feature?
This can be a real pain in the arse for complex IPS configs. You have to do everything twice, and right away, so you won't miss anything should the ASAs flip.

  • AIP-SSM Upgrade Procedure

    Hi everybody!
    I have ASA5520 version 8.2(1) with AIP-SSM-20 module
    and I want to upgrade AIP-SSM-20 software from version 6.1(3)E3 to 7.0(2)E4
    I go to the download site and see the following list:
    Intrusion Prevention System (IPS) Recovery Software:
    IPS-K9-r-1.1-a-7.0-2-E4.pkg
            Release Date: 29/Mar/2010
            IPS Recovery Image File
    Intrusion Prevention System (IPS) Signature Updates:
    IPS-sig-S481-req-E4.pkg
            Release Date: 31/Mar/2010
            E4 Signature Update S481
    Intrusion Prevention System (IPS) System Software:
    IPS-SSM_20-K9-sys-1.1-a-7.0-2-E4.img
            Release Date: 29/Mar/2010
            IPS-SSM_20 System Image File
    Intrusion Prevention System (IPS) System Upgrades
    IPS-K9-7.0-2-E4.pkg
            Release Date: 29/Mar/2010
            IPS 7.0 Major Upgrade File (All Supported Platforms Except AIM-IPS and NME-IPS)
    IPS-engine-E4-req-7.0-2.pkg
            Release Date: 29/Mar/2010
            IPS E4 Engine Update
I am somewhat confused by the number of files and want to ask what procedure/sequence I should follow to upgrade.

    This is the file that you would like to use to upgrade it:
    Intrusion Prevention System  (IPS) System Upgrades
    IPS-K9-7.0-2-E4.pkg
    To upgrade:
    1) Upload the "IPS-K9-7.0-2-E4.pkg" file through IDM
    2) IDM --> Configuration --> Sensor Management --> Update Sensor --> choose Update is located on this client --> choose the "IPS-K9-7.0-2-E4.pkg" file --> hit the "Update Sensor" button.
    It will take a while (around 20 minutes) to upgrade the sensor, so don't panic if it doesn't come back up in "UP" status straight away.
    Hope that helps.

  • AIP-SSM configuration / blocking SMTP

    Hi all,
I need some help regarding the deployment of an IPS module on an ASA. I configured it in transparent mode, with the intention of only monitoring the traffic going through the module. However, after applying the policy and putting it in operation, it started blocking SMTP and ICMP traffic. Here follows the configuration applied to it:
    class-map outside-class
    match any
    policy-map outside-policy
    class outside-class
    ips promiscuous fail-open
    service-policy outside-policy interface outside
Is there anything else I should consider to have this module just monitor the traffic instead of denying traffic?
    Thanks in Advance

    You may need to create an access-list permitting all traffic, and then apply the access-list to both interfaces in both directions (in and out).
    This will ensure connections can go from the lower security zone to the higher as well as from the higher security zone to the lower.
    You may also need to add icmp permit lines to permit icmp traffic through each interface.

  • Remote Connectivity Issues to AIP-SSM-10

    Hi,
I have an ASA-5520 with an AIP-SSM module in it. I have done the basic "setup" on the module and assigned it an IP address. I am using IME to connect to the IPS module. The ASA-IPS is at a remote location and has a private IP address. I have a Linux server in the same subnet as the IPS IP address. I am connecting to that server remotely through SSH and doing port forwarding to connect to the IPS IP address. When I start IME and connect to the locally forwarded port it connects to my IPS module perfectly fine. Please see the attached screen capture "IME_IPS_Error-1.gif" and the column where it says "event status : connected". So far so good; now I click on the "configuration" tab and I get an error, please see "IME_IPS_Error-2.gif" for the error detail. Can anyone send me some pointers to resolve this issue?
    Thanks

I was able to resolve the issue. Earlier (when I had trouble) I was doing port forwarding as localhost:10031=>IPS:443 and IME was connecting to localhost:10031. So I was getting to the IPS/IME home page and the device status was connected, but when I clicked on the "Configuration" tab I got the error.
To resolve the issue I did the port forwarding as follows:
127.0.0.102:443=>IPS:443, and then IME was connecting to 127.0.0.102:443 and everything worked fine. It looks like earlier, when I clicked on "Configuration", it tried/redirected to connect to localhost:443 instead of localhost:10031. I have attached the network diagram and the screen captures of the resolution.

  • For how long ASA with AIP 20 keeps events?

    I have ASA5520 with AIP SSM 20 and I am using IPS Manager Express. For how long can AIP keep IPS events? How can I save events before the logs are recycled?
    Thanks in advance

    Have a look at the following post:
    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&topicID=.ee6e1fc&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dde8f9b
    Please rate helpful posts.
    Also please note that IME has its own database (on the PC where its installed).
    Regards
    Farrukh

  • What is AIP-SSM-20

I have been quoted for an ASA 5520 with AIP-SSM-20 and one with AIP-SSM-10. What is this?
    Thanks

    Andy
    This link has a chart which provides some information and some comparisons of the various models:
    http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
    Based on the description I would think that the -10 would be sufficient for your requirements.
    HTH
    Rick

  • ASA5510 - LACP in Transparent Mode

    Hello all,
    I understand that in transparent mode an ASA5510 would only be able to have two interfaces, inside and outside.
    My question is could one of those logical interfaces be an LACP'd interface, made up of two physical interfaces. Topology below.
    I understand that the router and ASA5510 are SPOF here, so it is a bit of a moot point, but we're connecting already existing infrastructures together!
    |-----------|      |---------|
    | Switch 1  |------|         |
    |-----------|      | ASA5510 |         |----------|
         | |           | (transp |---------|  Router  |
    |-----------|      |  mode)  |         |----------|
    | Switch 2  |------|         |
    |-----------|      |---------|

"Configuring Cisco ASA Service Appliance in Transparent Mode with vPC. Since Release 8.4, Cisco ASA 5500 Series Adaptive Security Appliance solution supports Link Aggregation Control Protocol (LACP). An ASA port-channel contains up to eight active member ports. Supported LACP modes are: ACTIVE, PASSIVE, and ON (ON means manual port bundling, i.e. not using the dynamic port-channeling control protocol). ASA can be configured in transparent or routed mode. Both modes are supported when integrating ASA with Cisco Nexus 7000 Series vPC."
http://www.cisco.com/en/US/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf
Pages 87-88

  • Cisco 2960S Configured in Transparent mode

I have a Cisco 2960S gig switch configured in transparent mode with multiple VLANs configured. I have printers that I can ping, and the ports show up, but the printer says it is offline. Any idea what could be causing this?

If your printer and your PCs are all in the same subnet and only the printer is not working, then VTP mode Transparent has nothing to do with your issue.
I'd be keen to know if you have a firewall blocking anything from the IP address of the printer. Maybe the IP subnet mask or default gateway of the printer is not working?
What do you get when you do a "sh mac-address interface <PRINTER port>"?
