https://community.cisco.com/t5/network-security/verify-ips-setup/m-p/2241052#M53776 <P>I am very new to the Cisco IPS front and have setup a ASA 5510 with the SSM-10 IPS module.&nbsp; We have one interface enabled with multiple VLANs on this interface.&nbsp; I have setup the IPS, to the best of my abilities, and I believe it is correct as inline fail open in an active/standby asa setup.&nbsp; Is there any way to verify that traffic is flowing properly to this IPS module?&nbsp; Also, the reason I mentioned out setup is because this IPS version, as I understand it, will not allow for VLAN pairs, so when I set the policy to inspect all traffic, is this traffic inspected between all VLANs.&nbsp; One other mystery is that when I view my IPS interfaces (one management and one not)&nbsp; the one that is not setup as management is showing unpaired.</P><P></P><P>I know this was a lot, so let me recap:</P><P></P><P>- How do I verify my setup is functioning as inteded where all traffic between all VLANs is being inspected.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>- Why is my non-management interface showing "unpaired"</P><P>- Looking through all the Cisco documentation, I noticed mention of "contexts"; I don't see any reference to these contexts within the IDM.&nbsp; This is just for my knowledge, but maybe necessary for the setup...I just don't know.&nbsp; </P><P></P><P>Thanks!</P> Sun, 10 Mar 2019 12:57:55 GMT Heath Mote 2019-03-10T12:57:55Z https://community.cisco.com/t5/network-security/verify-ips-setup/m-p/2241052#M53776 <P>I am very new to the Cisco IPS front and have setup a ASA 5510 with the SSM-10 IPS module.&nbsp; We have one interface enabled with multiple VLANs on this interface.&nbsp; I have setup the IPS, to the best of my abilities, and I believe it is correct as inline fail open in an active/standby asa setup.&nbsp; Is there any way to verify that traffic is flowing properly to this IPS module?&nbsp; Also, the reason I mentioned out setup is because this IPS version, as I understand it, will not allow for VLAN pairs, so when I set the policy to inspect all traffic, is this traffic inspected between all VLANs.&nbsp; One other mystery is that when I view my IPS interfaces (one management and one not)&nbsp; the one that is not setup as management is showing unpaired.</P><P></P><P>I know this was a lot, so let me recap:</P><P></P><P>- How do I verify my setup is functioning as inteded where all traffic between all VLANs is being inspected.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>- Why is my non-management interface showing "unpaired"</P><P>- Looking through all the Cisco documentation, I noticed mention of "contexts"; I don't see any reference to these contexts within the IDM.&nbsp; This is just for my knowledge, but maybe necessary for the setup...I just don't know.&nbsp; </P><P></P><P>Thanks!</P> Sun, 10 Mar 2019 12:57:55 GMT https://community.cisco.com/t5/network-security/verify-ips-setup/m-p/2241052#M53776 Heath Mote 2019-03-10T12:57:55Z https://community.cisco.com/t5/network-security/verify-ips-setup/m-p/2241053#M53777 <HTML><HEAD></HEAD><BODY><P>Hello Heat Mote,</P><P></P><P>Regarding your questions:</P><P></P><P>- How do I verify my setup is functioning as inteded where all traffic between all VLANs is being inspected?</P><P></P><P>Since you are using an IPS module,&nbsp; the traffic matched by the class configued on the ASA is the one being inspected, you can set up a capture on the dataplane Interface (Interface used to send traffic from the ASA to IPS) using this command:</P><P></P><P>capture ips int asa_dataplane buffer 15000000</P><P></P><P>Verify the capture by using:</P><P></P><P>show capture ips</P><P></P><P>The output should display packets from every VLAN.</P><P></P><P>- Why is my non-management interface showing "unpaired"?</P><P></P><P><IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-indent: -28.799999237060547px; background-color: #ffffff;" width="1" /></P><P>The ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP) do not support inline VLAN pairs. </P><P>You can associate VLANs in pairs on a physical interface. This is known as inline VLAN pair mode. Packets received on one of the paired VLANs are analyzed and then forwarded to the other VLAN in the pair. Since the module only has one sensing interface, that is why it is shown as Unpaired. </P><P></P><P>The documentation is talking about "security contexts". <SPAN style="font-size: 10pt;">You can partition a single ASA into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management.</SPAN></P><P></P><P></P><P>Please rate the answer if you find it useful. </P></BODY></HTML> Fri, 17 May 2013 01:04:25 GMT https://community.cisco.com/t5/network-security/verify-ips-setup/m-p/2241053#M53777 Eddy Duran 2013-05-17T01:04:25Z