https://community.cisco.com/t5/network-security/transparent-mode-with-aip-ssm-20/m-p/1490285#M67225 <HTML><HEAD></HEAD><BODY><P>Thank you for the info.</P></BODY></HTML> Mon, 14 Jun 2010 18:57:41 GMT smperry 2010-06-14T18:57:41Z https://community.cisco.com/t5/network-security/transparent-mode-with-aip-ssm-20/m-p/1490283#M67223 <P>I currently have an ASA5510 in routed mode with an AIP-SSM-20.</P><P>There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE.&nbsp; This part should present no issue.</P><P></P><P>However, this will remove the IPS device, and I still want to use IPS.</P><P>So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN.&nbsp; The transparent ASA would be functioning strictly as an IPS appliance.</P><P></P><P>Setup would look something like this:</P><P></P><P>Internal LAN &lt;&gt; transparent ASA with IPS &lt;&gt; routed ASA &lt;&gt; WAN</P><P></P><P>Can the AIP-SSM still perform IPS with the ASA in transparent mode?</P><P></P><P>Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?</P><P>I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.</P><P></P><P>Regards.</P> Sun, 10 Mar 2019 12:01:38 GMT https://community.cisco.com/t5/network-security/transparent-mode-with-aip-ssm-20/m-p/1490283#M67223 smperry 2019-03-10T12:01:38Z https://community.cisco.com/t5/network-security/transparent-mode-with-aip-ssm-20/m-p/1490284#M67224 <HTML><HEAD></HEAD><BODY><P>AFAIR, There is no problem to setup AIP in a transparent firewall.</P><P></P><P>"An ASA in transparent mode can run an AIP.&nbsp; In the event the AIP fails,</P><PRE style="margin: 0em;">the IPS will fail-open and the ASA will continue to pass traffic.<BR />However, if an interface or cable fails, then traffic will stop.&nbsp; You<BR />would need a failover pair to account for this failure event, which<BR />means another ASA and matching AIP."<BR /></PRE><P></P><P>And no there is no problem to exclude certain hosts/ports/subnets from inspection by IPS via MPF.</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744">http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744</A></P><P></P><P></P><P></P><P>What I however consider however is if the ASAs 5510 as second tier firewall for 5520s will be enough.</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html">http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html</A></P><P></P><P>HTH,</P><P>Marcin</P></BODY></HTML> Sun, 13 Jun 2010 09:21:01 GMT https://community.cisco.com/t5/network-security/transparent-mode-with-aip-ssm-20/m-p/1490284#M67224 Marcin Latosiewicz 2010-06-13T09:21:01Z https://community.cisco.com/t5/network-security/transparent-mode-with-aip-ssm-20/m-p/1490285#M67225 <HTML><HEAD></HEAD><BODY><P>Thank you for the info.</P></BODY></HTML> Mon, 14 Jun 2010 18:57:41 GMT https://community.cisco.com/t5/network-security/transparent-mode-with-aip-ssm-20/m-p/1490285#M67225 smperry 2010-06-14T18:57:41Z