https://community.cisco.com/t5/network-security/ips-4200-sensors-behind-cisco-pix/m-p/712435#M88227 <HTML><HEAD></HEAD><BODY><P>Agree, it's far better option (I overlooked at the two ipsboxes).</P></BODY></HTML> Mon, 27 Nov 2006 09:40:00 GMT a.kiprawih 2006-11-27T09:40:00Z https://community.cisco.com/t5/network-security/ips-4200-sensors-behind-cisco-pix/m-p/712431#M88219 <P>Hello all,</P><P></P><P>I've two Cisco PIX firewalls configured as failover pair in active/passive fashion. I want to deploy two IPS 4235 inline mode sensors behind those firewalls.</P><P></P><P>What would be the connectivity looks like?! </P><P></P><P>I know that there is a layer 2 switch must exists to terminate all the devices legs on it. what else should be performed in addition configuring the inline pair?</P><P></P><P>Please advise.</P><P></P><P>Thx</P><P></P><P>Turbo</P><P></P> Sun, 10 Mar 2019 10:20:30 GMT https://community.cisco.com/t5/network-security/ips-4200-sensors-behind-cisco-pix/m-p/712431#M88219 turbo_engine26 2019-03-10T10:20:30Z https://community.cisco.com/t5/network-security/ips-4200-sensors-behind-cisco-pix/m-p/712432#M88221 <HTML><HEAD></HEAD><BODY><P>It depends. It will be easier if you have dedicated hub/switch to use, or a switch with enought ports to host L2 Vlans for Outside and Inside segments to be protected by IPS.</P><P></P><P>With dedicated hub/switch:</P><P></P><P>Router &lt;-&gt; IPS Pair#1 &lt;-&gt; outside:PIX (Active &amp; Standby):inside &lt;-&gt; IPS Pair#2 &lt;-&gt; internal network</P><P></P><P>IPS Pair#1: port 1 to Router, port2 to hub</P><P>IPS Pair#2: port 3 to Router, port4 to hub</P><P></P><P>For single switch to host both IPS inline pairs:</P><P><A class="jive-link-custom" href="http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems/IDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddcd38e" target="_blank">http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems/IDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddcd38e</A></P><P></P><P></P><P>However, eventhough you have redundant firewall, bear in mind that using single switch can be a single point of failure.</P><P></P><P>HTH</P><P>AK</P><P></P><P> </P><P></P></BODY></HTML> Sun, 26 Nov 2006 19:10:40 GMT https://community.cisco.com/t5/network-security/ips-4200-sensors-behind-cisco-pix/m-p/712432#M88221 a.kiprawih 2006-11-26T19:10:40Z https://community.cisco.com/t5/network-security/ips-4200-sensors-behind-cisco-pix/m-p/712433#M88223 <HTML><HEAD></HEAD><BODY><P>BTW, the 2xIPS in the diagram is only a logical separation based on inline pair for Outside and Inside firewall segments. Physically, it's still a single box.</P></BODY></HTML> Sun, 26 Nov 2006 19:13:03 GMT https://community.cisco.com/t5/network-security/ips-4200-sensors-behind-cisco-pix/m-p/712433#M88223 a.kiprawih 2006-11-26T19:13:03Z https://community.cisco.com/t5/network-security/ips-4200-sensors-behind-cisco-pix/m-p/712434#M88225 <HTML><HEAD></HEAD><BODY><P>Hi ..</P><P></P><P>would not be better to use the second IPS as redundant by connecting it between the Core and the Inside interface of the Firewalls instead of using one IPS on the outside to monitor packets which could be dropped by the ASAs anyway ..</P><P></P><P>just a thought !!!</P><P></P><P></P></BODY></HTML> Mon, 27 Nov 2006 02:24:14 GMT https://community.cisco.com/t5/network-security/ips-4200-sensors-behind-cisco-pix/m-p/712434#M88225 Fernando_Meza 2006-11-27T02:24:14Z https://community.cisco.com/t5/network-security/ips-4200-sensors-behind-cisco-pix/m-p/712435#M88227 <HTML><HEAD></HEAD><BODY><P>Agree, it's far better option (I overlooked at the two ipsboxes).</P></BODY></HTML> Mon, 27 Nov 2006 09:40:00 GMT https://community.cisco.com/t5/network-security/ips-4200-sensors-behind-cisco-pix/m-p/712435#M88227 a.kiprawih 2006-11-27T09:40:00Z