topic Re: Configure to Integrate Cisco ASA and IDSM in Network Security

Configure to Integrate Cisco ASA and IDSM

rdilliraj — Sun, 10 Mar 2019 12:09:48 GMT

Hi,

We have Cisco ASA and IDSM, need help on integrating the same; please write to me so that I will share the architecture details.

Thanks & Regards,

Raj

Re: Configure to Integrate Cisco ASA and IDSM

Nicolas Fournier — Thu, 28 Oct 2010 16:29:39 GMT

Hi Raj,

Could you be a bit more precise on what you would like to achieve?

The only advise that I would give you for now is to put the Firewall before the IPS on the path from the Internet to your Inside Network(s).

It is better that way since we won't need to use CPU intensive inspection on traffic that will be dropped anyway by the firewall afterwards.

Apart from that, there is not much more that I can say so I'll be waiting for more info on what you would like to achieve and we'll see what we could do.

Regards,

Nicolas

Re: Configure to Integrate Cisco ASA and IDSM

rdilliraj — Fri, 29 Oct 2010 08:34:51 GMT

Hi Nicolas,

Thanks for the response;

We have ASA and IDSM2 on 6500;

Below config used to route the traffic to IDSM from ASA

In ASA

access-list ips extended permit ip any any

class-map Client_BIPS
match access-list ips
policy-map Client_ipspolicy
class Client_IPS
ips promiscuous fail-open

service-policy Client_ipspolicy interface outside
service-policy Client_ipspolicy interface DMZ-1
service-policy Client_ipspolicy interface DMZ-2

In IDSM:

service event-action-rules rules0
overrides deny-packet-inline
override-item-status Disabled
risk-rating-range 0-0
exit
overrides deny-connection-inline
override-item-status Disabled
risk-rating-range 0-0
exit
general
global-overrides-status Disabled
exit

Please let me know whether this is ok.

Thanks & Regards,

Raj

Re: Configure to Integrate Cisco ASA and IDSM

Nicolas Fournier — Fri, 29 Oct 2010 09:55:52 GMT

Hi Raj,

Unfortunately, it is not.

We can't send automatically the traffic from the ASA to the IDSM.

The commands you have on your ASA would send the traffic to the IPS module (AIP-SSM) sitting inside the firewall itself if there was any.

There is no integration between the ASA and the IDSM for traffic redirection so you'll need to configure the two devices separately.

Regards,

Nicolas

Re: Configure to Integrate Cisco ASA and IDSM

rdilliraj — Fri, 29 Oct 2010 10:46:32 GMT

Please refer attached proposed architecture;

Assuming we are configuring it in promiscous mode, attached architecture is fine.

Regards,

Raj

Re: Configure to Integrate Cisco ASA and IDSM

Nicolas Fournier — Fri, 29 Oct 2010 10:58:41 GMT

Hi Raj,

If I got your diagram correctly, you would like to send all the traffic from the Outside switch to one port of the IDSM through a SPAN and all of the traffic of your DMZ interfaces through another one.

Is this correct?

If so, can you tell me why you want to inspect the traffic before it goes through the firewall? As I told you in my original reply, we usually advise to put the IPS after the firewall.

Not to mention that in your case, I guess some traffic will be inspected twice so you'll have to assign a different virtual-sensors to each IDSM internal interfaces to make sure the same instance doesn't see the traffic multiple times.

Regards,

Nicolas

Re: Configure to Integrate Cisco ASA and IDSM

rdilliraj — Fri, 29 Oct 2010 11:56:51 GMT

Yeah you are right, thanks.

Please refer attached architecture, if I have configure in inline mode will it work.

Regards,

Raj

Re: Configure to Integrate Cisco ASA and IDSM

Nicolas Fournier — Fri, 29 Oct 2010 12:47:30 GMT

Hi Raj,

You diagram is still showing SPAN sessions while if you configure your IDSM in inline mode, it will simple act as a L2 bridge between two vlans so your diagram is not relevant for an inline setup.

Regards,

Nicolas

Re: Configure to Integrate Cisco ASA and IDSM

rdilliraj — Fri, 29 Oct 2010 12:50:36 GMT

Thanks Nicolas