Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1009
Views
4
Helpful
6
Replies

ASA5512X and onboard IPS

Go to solution
ali-franks
Level 1
Level 1

‎03-13-2013 02:29 AM - edited ‎03-10-2019 05:55 AM

Hi All,

Been handed one I can't work out and would appreciate some some input please. I've been trawling the Cisco docs and got the the IPS 7.1 CLI guide but not the info I need, so I'm a bot snookered.

Customer has a pair of ASA5512X with the onboard IPS's, which reside on disk0:/ on both devices, which are a failover pair.

There is a management router that we use to access the ASA's and switches - below. The ASA's with the IPS are the EdgeASA1.

As you'll see, there is a Management Vlan that is connected to all devices.

We connect via VPN client to the Management router, then SSH from their to each device as required.

The starter for 10 is...

As the ASA's are a failover pair, does this also mean that the IPS's also operate as a pair, therefore operating with a shared management IP address? I tried allocating different IP addresses to each IPS and this meant that the management router had two ARP entries with the same MAC address.

Whatever the case for the first question, I suspect that the IPS tab in ASDM is only for use with IPS modules that have their own physical interface. Can anyone confirm (or otherwise) that this is the case please?


If this is the case, it would seem therefore, that the only way to manage the IPS is via CLI.

If anyone has anything, I'd greatly appreciate it.

Many Thanks

Ali

Labels:
Preview file
76 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
stojanr
Level 1
Level 1
In response to ali-franks

‎03-14-2013 03:46 AM

The IPS can be managed only through the M0/0 inteface. The URL below describes the connection options for IPS in the ASA 55xx-X family:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd5d03.shtml

View solution in original post

0 Helpful
6 Replies 6

Go to solution
paul driver
VIP
VIP

‎03-13-2013 07:09 AM

Hello,

See as you only have two ips devices, Have you thought of using Cisco ips manager express?

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5715/ps9610/data_sheet_c78-459033_ps6120_Products_Data_Sheet.html

https://supportforums.cisco.com/thread/2176686

res

Paul

Please don't forget to rate this post if it has been helpful.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Go to solution
ali-franks
Level 1
Level 1
In response to paul driver

‎03-13-2013 09:06 AM


Hi Paul,

Thanks for the reply. I might give that a go. Firstly though, I need to resolve this IP addressing issue, as I can't see the customer wanting to tweak teh config usingonly the CLI!

Thanks

Ali

0 Helpful

Go to solution
stojanr
Level 1
Level 1

‎03-13-2013 09:41 AM

Cisco IPS modules and appliances don't support HA. The IPS modules in your ASA pair are each its own device and must be managed separately. Also, they each have their own IP address.

As the modules in ASA 55xx-X aren't physical devices, they're managed through the common ASA Management0/0 interface as ASA itself:

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/modules_ips.html



Sent from Cisco Technical Support iPad App

Go to solution
ali-franks
Level 1
Level 1
In response to stojanr

‎03-14-2013 02:24 AM

Stojanr,

Thanks for that. I've seen the docs that relate to that and found that it has been set up not with M0/0 for management, but has used another interface.

Do you happen to know if the IPS management only applies to M0/0? i.e. it must be M0/0 to manage the IPS or can ANOther interface be used, as in this case? The interface in use has been issued the management-only command  but has made no difference - I've tried removing it and re-applying it too :/

Thanks

Ali

0 Helpful

Go to solution
stojanr
Level 1
Level 1
In response to ali-franks

‎03-14-2013 03:46 AM

The IPS can be managed only through the M0/0 inteface. The URL below describes the connection options for IPS in the ASA 55xx-X family:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd5d03.shtml

0 Helpful

Go to solution
ali-franks
Level 1
Level 1
In response to stojanr

‎03-14-2013 06:53 AM

Many thanks - just what I was looking for.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card