The IP address on the management interface for the sensor is 192.168.100.99. This network is isolated and is not connected to any other network, including the inside network.
You need to make sure that you can ping your DG from the IPS module. Is your IPS on the same network as your inside interface?
When setting up the sensor, it would not let me use the network that was already set up for the inside network. I had to use the management interface to gain access to the sensor, but I can't get the sensor to be on the same network as the inside.
You can go under the management interface, do "no ip address", and make sure that the DG for the IPS is your SVI IP address for that VLAN, not the IP from the management interface.

    outside (public IP)
      |
    ASA  -- management port --> IPS 192.168.100.15/24 (DG will be 192.168.100.1)
      |
    Layer 3 switch
      VLAN 10  ip 192.168.10.1/24
      VLAN 100 ip 192.168.100.1/24

From the ASA you need to add a static route pointing to the management network (even if the IPS is inside the ASA and you are going through the management interface, your ASA still needs to know how to reach it):
ASA(config)# route inside 192.168.100.0 255.255.255.0 192.168.10.1
In most cases you might not need to assign an IP address to the management interface, because you can manage it even from inside; just don't forget to add "http 192.168.10.0 255.255.255.0 inside".
Just make sure that your DG on the IPS is not the IP address of the management interface. In most cases removing the IP address from the management interface will work just fine.
TEST: log in to the IPS and ping 126.96.36.199
Hope this was helpful. Let me know if you need any assistance.
Thanks for your input with this. I have to say, this is getting ridiculous; I don't understand why the time between the IPS and ASA just won't sync. For the ASA 5512-X there is no hardware module, just software.
I couldn't add the static route, as the route to the management interface is already directly connected.
I tried to change the IPS address to an address on the inside network; it falls over and you have to fix it from the command line.
Currently the IPS and ASA clocks are about 40 seconds apart. Within the ASDM, the option to set the IPS clock is grayed out. The option to apply time to the sensor is also grayed out. Extremely frustrating.
If you view the status of the IPS sensor from the ASDM, it's using the ASA clock, not the IPS!
Why is this so difficult? I think I need to talk to Cisco directly. This just shouldn't be this hard; it's setting a clock!
Thanks again for your help.
Sorry, I don't understand. If I remove the management IP address, how do I then control the IPS sensor? It didn't seem to let me use the inside network.
Here is the trick: no IP address on the management interface, but leave the IPS IP. You will be reaching the IPS through the management port (in this case the management port will be used only for the IPS).
If you want to use an inside IP on the IPS, then you need to do "no ip address" and also "no nameif management".
If the interface is marked as management, it will allow only management traffic; if you unmark it, it will become a regular port. :)
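The pieces described in the two answers above (the isolated management VLAN with the IPS default gateway on the switch SVI, the ASA static route and http access, and the option of giving the management port back to regular traffic) assembled into one set of configs. This is an added example, not configuration posted in the thread. The addresses are the ones from the diagram (IPS 192.168.100.15/24 with DG 192.168.100.1, SVIs 192.168.10.1 and 192.168.100.1); the ASA inside address 192.168.10.2, the ASA interface names and the switch port numbers are assumptions. The sensor commands are standard Cisco IPS 7.x CLI. Note that on the ASA it is the "management-only" interface command that restricts a port to to-the-box traffic.

```cisco
! ===== Layer 3 switch (port numbers are assumed) =====
ip routing
!
interface Vlan10
 description inside
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan100
 description IPS sensor management, kept off the inside VLAN at layer 2
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description ASA GigabitEthernet0/1 (inside)
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 description ASA Management0/0 (physical port used by the IPS software module)
 switchport mode access
 switchport access vlan 100
!
! Default route toward the ASA inside address (assumed 192.168.10.2)
ip route 0.0.0.0 0.0.0.0 192.168.10.2

! ===== ASA 5512-X =====
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.2 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
! The ASA still needs a path to the sensor subnet, via the VLAN 10 SVI
route inside 192.168.100.0 255.255.255.0 192.168.10.1
!
! ASDM/HTTPS is reached through the inside interface, not the management port
http server enable
http 192.168.10.0 255.255.255.0 inside

! ===== IPS software module (sensor CLI; "session ips console" from the ASA) =====
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
! Format is address/prefix,gateway. The gateway is the VLAN 100 SVI,
! never an address on the ASA management interface.
sensor(config-hos-net)# host-ip 192.168.100.15/24,192.168.100.1
! Hosts allowed to manage the sensor (ASDM/IDM clients on the inside VLAN)
sensor(config-hos-net)# access-list 192.168.10.0/24
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes?[yes]: yes
sensor(config)# exit
! Check: the gateway first, then something on the inside VLAN
sensor# ping 192.168.100.1
sensor# ping 192.168.10.1

! ===== Variant from the later answer: sensor on the inside subnet =====
! Patch Management0/0 into VLAN 10 instead of VLAN 100, give the sensor an
! address in 192.168.10.0/24 with 192.168.10.1 as gateway, and drop the
! "route inside 192.168.100.0 ..." line. Management0/0 keeps "no ip address"
! so the ASA itself is not reachable on that port; if the ASA should also
! forward traffic on it, "no management-only" is the command that lifts the
! management-only restriction.
```

The sensor's own ping from the gateway outward is the quickest way to tell a wrong DG (the ASA management address, which forwards nothing) from a switch-side problem: if 192.168.100.1 answers but 192.168.10.1 does not, look at ip routing and the SVIs on the switch rather than at the ASA.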