topic ASA 9.X Routed + Transparent + Active Acitve + IPS in Network Security

ASA 9.X Routed + Transparent + Active Acitve + IPS

Dumpster Eightyeight — Tue, 12 Mar 2019 01:42:29 GMT

Hi,

We are currently looking at design models for a Multi-Tenancy solution.

The firewall layer will be 2 X ASA's running 9.X to take advantage of VPN's in multiple context mode and mixed L3 and L2 contexts.

We will be delivering services through multiple L3 contexts (between 2 and 5 L3 contexts for services) and 1 transparent context for customers infrastructure who will then have virtual firewalls for NAT's and VPN's etc withing their own environment.

I am not very experienced with IPS so my query is; if we were to get an IPS license for both ASA's how would the IPS fit in, can we use it to inspect traffic for all the L3 contexts and the transparent context?

Any advice or doc's around this would be brilliant, thanks in advance

ASA 9.X Routed + Transparent + Active Acitve + IPS

Marvin Rhoads — Mon, 13 May 2013 21:47:44 GMT

In a multi-context X series ASA you use the allocate-ips command. Reference more details here.

One shortcoming is that in an ASA HA setup the two IPSs don't know about each other so you need to synchronize their configurations either manually of via policies using something like the the free IPS Manager Express (IME) tool or, for larger setups, the licensed CSM product.

ASA 9.X Routed + Transparent + Active Acitve + IPS

Dumpster Eightyeight — Tue, 14 May 2013 14:20:18 GMT

Marvin, that's brilliant thanks for the link, I have found a lot of what I need to know like the ability to create Virtual Sensors (up to 4) and being able to assign the same Virtual Sensor to more than one context so that's great.

I have noticed in my research that the max throguhput drops significantly when using IPS - for the 5525 it goes from 1Gbps - 2 Gbps down to 600Mbps.

I don't suppose you know, if I have assigned a Virtual Sensor to a transparent context where I have multiple tenants going through it, if I have one of those customers that is going through this transparent context that opts out of requiring IPS will their traffic still go through it but through a sort of pass all traffic policy and so hitting/contributing to the max 6000Mbps throughput or will their traffic not hit the IPS at all thus opening up the max throughput back to what the ASA is capable of...

Hope this makes sense!!

ASA 9.X Routed + Transparent + Active Acitve + IPS

Marvin Rhoads — Tue, 14 May 2013 15:12:03 GMT

You're welcome. Thanks for the rating.

I think once you assign a context to the IPS module you will be effectively throttling all the traffic via that context to the IPS's limit (600 Mbps on a 5525X, shared across all the assigned contexts).

ASA 9.X Routed + Transparent + Active Acitve + IPS

Dumpster Eightyeight — Wed, 22 May 2013 12:09:53 GMT

Thanks Marvin