Routing woes with IPS module in ASA-5512-X

Chris Evans
Level 1

Running into what appears to be an insurmountable obstacle in this environment.

I have an ASA 5512-X in place as the edge firewall and want to use the IDS module.  The inside is 2 "flat" networks - that is, their default gateway points to the ASA itself (on 2 different interfaces).  ASA is the only Layer 3 device on premise.

IDS module is added and configured as 192.168.1.2 on the management network (ASA itself is 192.168.1.1).  Two other networks exist inside - wired and wireless.

I can reach the IDS module only if I'm directly on the management network, regardless of whether I am using ASDM directly to the IDS module or am connecting to the ASA first, then using the ASDM GUI to manage the IDS.  Latter fails if I am in a network other than the management network (appears the ASA is too stupid to correctly use the management interface - it uses the same source IP presumably).

Putting the IDS module into the wired network directly does not work - it is unresponsive to telnet, ssh and ASDM communication either directly or (in the case of ASDM) from the ASA unless it is on the management network.  This is consistent with documentation on the mac address / IP for the IPS module being off the management interface.

So, questions are:

- Essentially this means the IDS module *requires* an additional router on the inside unless I'm willing to have the user hard-wire into the management network every time he connects?  I see no other way to access/manage the device. 

- How does this affect the IDS module communication for sig updates and license checks to Cisco.com?  Even if I were to add an additional router on the inside (and hop off that to the ASA), it'd fail because the ASA would see this as a directly connected route on the return path, and drop the traffic since it won't route traffic to/from the management interface.

There has to be a better way than "slap another routing device on your network".  And even if we did with an inexpensive router, I don't see it addressing the second concern.  Am I missing something here?

5 Replies

Aaron S Mcquaid
Level 1

Hello Chris,

The limitation that you mentioned is indeed a product of how the ASA is coded. You can't access the management interface of the IPS module from the inside interface of the ASA unless it is on the same subnet as the inside interface. This is a hard coded limitation.

You can do one of the following:

1. Shut down the management interface and readdress the IPS module so that it sits on the inside subnet

2. Add a router on the inside and route accordingly

3. Setup a VPN and have it terminate on the inside interface of the ASA and then use the management access command so that it points to the management interface.

With Regards,

Aaron McQuaid

Aaron S Mcquaid wrote:

You can do one of the following:

1. Shut down the management interface and readdress the IPS module so that it sits on the inside subnet

Hi,

I have the same problem with the design of this device. I don't seem to be able to achieve your point 1.

Every time I shut down the management0/0 the IPS module is not reachable on the network no matter what IP I assign it. It appears to me that the MAC address of the IPS can only live behind the management0/0.

Can anyone confirm if that is true or not? Do you have to use management0/0 or not?

I had similar issues to you. My inside network is 172.16.22.0/24, and my management network is 192.168.1.0/24. The ASA had 192.168.1.1 and the IPS had 192.168.1.2 on the management interfaces. The IPS needed to access the internet for global correlation updates. I had a router on the internal network with interfaces in 172.16.22.0/24 and 192.168.1.0/24. The ASA and IPS used this router as their gateway, and the router had a default route via the inside interface of the ASA. In order for the IPS to get internet access I added a host route to the ASA of “route inside 172.16.28.3 255.255.255.255 172.16.22.2 1” (where 172.16.22.2 is the internal router). The ASA was already configured to dynamically NAT any inside to the outside ASA interface.

This document explains more http://www.cisco.com/en/US/docs/security/asa/quick_start/ips/ips_qsg.html
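The configuration below is an added example, not part of the original thread or of Cisco's documentation, illustrating the design described in the first reply (keep Management0/0, route around it, and use management-access for VPN users) and in the post above (host route plus dynamic NAT so the module reaches Cisco.com). It assumes ASA 9.x object-NAT syntax, the addresses given in the post above (ASA 192.168.1.1 and IPS 192.168.1.2 on the management subnet, wired LAN 172.16.22.0/24, internal router 172.16.22.2), and that the wired interface is named "inside"; the object name ips-mgmt is a placeholder.

```text
! Added illustration (not from the thread). ASA 9.x syntax assumed;
! interface and object names are placeholders.

! Management0/0 stays up, since the IPS module's MAC/IP can only be
! reached through it.
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0

! Host route so the ASA sends traffic destined for the IPS module back to
! the internal router on the inside interface instead of out Management0/0.
! The /32 is more specific than the connected 192.168.1.0/24 route, so it
! wins the lookup, and packets from 192.168.1.2 arriving on inside also
! pass the reverse-path check. The IPS module's own default gateway must be
! the internal router's address on 192.168.1.0/24 (not given in the post).
route inside 192.168.1.2 255.255.255.255 172.16.22.2 1

! PAT the module behind the outside interface address for signature
! updates, licensing and global correlation, the same way the rest of
! the inside hosts are translated.
object network ips-mgmt
 host 192.168.1.2
 nat (inside,outside) dynamic interface

! Option 3 from the first reply: lets remote-access VPN sessions that
! terminate on inside be used to manage via the management interface
! (as suggested in that reply; assumed here, not verified on this platform).
management-access management
```

Verify the path with `show route` on the ASA (the /32 should appear ahead of the connected management route) and with `packet-tracer input inside tcp 192.168.1.2 1025 <cisco.com-address> 443` to confirm the module's outbound traffic is NATed and routed out the outside interface.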

Hello Alex,

Based on the document presented by the previous posters, you will need to determine which scenario you are trying to accomplish.

Please let us know the one you will accomplish and we will proceed with the solution. I will not post any config yet, as this is an old post and I do not know if you still need help.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ali-franks
Level 1

Hi Chris,

I'm having similar issues and had this provided to me:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd5d03.shtml

KR

Ali
