ASA 5510 AIP-SSM Layer 2 Mode

Kurt Carlson
Level 1


It has been suggested to me that I could use the ASA5510 with an AIP-SSM module to perform full IPS functions in layer 2 only mode behind a Microsoft TMG server firewall.

I don't require NAT, or any other routing function, just the IPS function.

Has anyone used the ASA like this? Is it possible? Any suggestions?




Level 7

Yes it's mostly possible. We run some of our ASA/AIP-SSM devices like this. The main motivation is the low cost of this bundle. You need to disable as much of the firewall functionality as possible (and some things it does you can't turn off, but they're minor).

If you were planning on making this an in-line sensor, there aren't too many drawbacks (additional ASA OS to babysit, upgrade, additional Ethernet interface for mgmt, etc). But if you wanted to use this as a promiscuous mode IDS you still need to run your traffic through the box. There is no way to use the ASA with a span port or tap. As a result any outage of the ASA (reboot after you upgraded that OS) will result in a network outage. Reboot that IPS sensor, network outage. (unless you remove the IPS config from the ASA first = PITA).

- Bob
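The setup Bob describes, written out as an added example (this is not from his reply or from Cisco documentation): an ASA 8.2-style transparent-mode configuration that opens the firewall policy as far as it goes and pushes every frame through the AIP-SSM inline. Interface names, ACL names and the management address are assumed placeholders, and the 8.4+ bridge-group syntax is not shown.

```text
! Added example: ASA 5510 + AIP-SSM as a layer-2 inline IPS behind another firewall.
! Placeholder names/addresses; adjust to your own interfaces and management subnet.
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Transparent mode still needs one management address for the bridge (pre-8.4 syntax)
ip address 192.0.2.10 255.255.255.0
!
! Permit all IP in both directions so the ASA adds no access policy of its own;
! stateful inspection cannot be switched off, so asymmetric paths will still be dropped
access-list PASS extended permit ip any any
access-group PASS in interface outside
access-group PASS in interface inside
!
! Non-IP ethertypes are dropped in transparent mode unless explicitly permitted
access-list ETH ethertype permit any
access-group ETH in interface outside
access-group ETH in interface inside
!
! Send everything to the AIP-SSM inline. fail-open forwards traffic UNINSPECTED
! while the module is down (reboot, signature/OS upgrade); fail-close blocks it,
! which is the "reboot the sensor, network outage" case from the reply.
class-map ALL
 match any
policy-map global_policy
 class ALL
  ips inline fail-open
service-policy global_policy global
```

The fail-open/fail-close choice only covers the module: a reload of the ASA itself still takes the path down, so monitor the module state (`show module 1 details`) rather than assuming traffic is being inspected.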
