<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic ASA 5510 AIP-SSM Layer 2 Mode in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/asa-5510-aip-ssm-layer-2-mode/m-p/1856232#M55608</link>
    <description>&lt;P&gt;Yes, it's mostly possible. We run some of our ASA/AIP-SSM devices like this. The main motivation is the low cost of this bundle. You need to disable as much of the firewall functionality as possible (and some things it does you can't turn off, but they're minor).&lt;/P&gt;&lt;P&gt;If you were planning on making this an in-line sensor, there aren't too many drawbacks (additional ASA OS to babysit, upgrade, additional Ethernet interface for mgmt, etc.). But if you wanted to use this as a promiscuous mode IDS you still need to run your traffic through the box. There is no way to use the ASA with a span port or tap. As a result any outage of the ASA (reboot after you upgraded that OS) will result in a network outage. Reboot that IPS sensor, network outage (unless you remove the IPS config from the ASA first = PITA).&lt;/P&gt;&lt;P&gt;- Bob&lt;/P&gt;</description>
    <pubDate>Fri, 10 Feb 2012 22:08:36 GMT</pubDate>
    <dc:creator>rhermes</dc:creator>
    <dc:date>2012-02-10T22:08:36Z</dc:date>
    <item>
      <title>ASA 5510 AIP-SSM Layer 2 Mode</title>
      <link>https://community.cisco.com/t5/network-security/asa-5510-aip-ssm-layer-2-mode/m-p/1856231#M55607</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;It has been suggested to me that I could use the ASA5510 with an AIP-SSM module to perform full IPS functions in layer 2 only mode behind a Microsoft TMG server firewall.&lt;/P&gt;&lt;P&gt;I don't require NAT, or any other routing function, just the IPS function.&lt;/P&gt;&lt;P&gt;Has anyone used the ASA like this? Is it possible? Any suggestions?&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Kurt&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 12:36:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-5510-aip-ssm-layer-2-mode/m-p/1856231#M55607</guid>
      <dc:creator>Kurt Carlson</dc:creator>
      <dc:date>2019-03-10T12:36:49Z</dc:date>
    </item>
    <item>
      <title>ASA 5510 AIP-SSM Layer 2 Mode</title>
      <link>https://community.cisco.com/t5/network-security/asa-5510-aip-ssm-layer-2-mode/m-p/1856232#M55608</link>
      <description>&lt;P&gt;Yes, it's mostly possible. We run some of our ASA/AIP-SSM devices like this. The main motivation is the low cost of this bundle. You need to disable as much of the firewall functionality as possible (and some things it does you can't turn off, but they're minor).&lt;/P&gt;&lt;P&gt;If you were planning on making this an in-line sensor, there aren't too many drawbacks (additional ASA OS to babysit, upgrade, additional Ethernet interface for mgmt, etc.). But if you wanted to use this as a promiscuous mode IDS you still need to run your traffic through the box. There is no way to use the ASA with a span port or tap. As a result any outage of the ASA (reboot after you upgraded that OS) will result in a network outage. Reboot that IPS sensor, network outage (unless you remove the IPS config from the ASA first = PITA).&lt;/P&gt;&lt;P&gt;- Bob&lt;/P&gt;</description>
      <pubDate>Fri, 10 Feb 2012 22:08:36 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-5510-aip-ssm-layer-2-mode/m-p/1856232#M55608</guid>
      <dc:creator>rhermes</dc:creator>
      <dc:date>2012-02-10T22:08:36Z</dc:date>
    </item>
  </channel>
</rss>

