cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3370
Views
5
Helpful
6
Replies

ASA 5525x, ASA CX 9.2 IPS Filtering

pstratiev
Beginner
Beginner

Hello,

Recently a client migrated to ASA 5525x, ASA OS 9.1(1). The task now is to implement Intrusion Prevention System and keeping the ASA CX module. From what I've read do far both software modules IPS and CX can't run simultaneously on one ASA, so my first question is "Is that true?".

Also I see that the ASA CX 9.2(1.1) Build 48 is the first release that offers IPS Filtering. Anyone knows how close is that CX feature to the actual IPS module? I can't find anything spesiffic on that matter. In the release for "ASA CX and Cisco Prime Security Manager 9.2" it's said: " Next Generation IPS filtering is a separately-licensed service...". Does that means that if I upgrade to ASA CX 9.2 the IPS Filtering won't be enabled? What kind of license is needed if that is the case?

The bottom line question is if there is a different way to achieve keeping both CX and IPS, other than run the ASA CX on the firewall and adding separate IPS device to the network.

Thank you in advance.

1 Accepted Solution

Accepted Solutions

cjguinn
Beginner
Beginner

Release Notes for 9.2 go into the features.

http://www.cisco.com/c/en/us/td/docs/security/asacx/roadmap/asacxprsm_new_features.html#wp43613

The Data Sheet Tells you which part number to order:

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/data_sheet_c78-701659.html

I ordered L-ASA5525-AW5Y= previously and wanted to add the NG IPS piece to this.  I was told to order L-ASA5525-IPS-SSP.  That is NOT the correct part number as you point our the CX module and IPS module can not run simultaneously.

The data sheet only has AVC and WSE or AVC, WSE, IPS.  Not individual licenses.  So IF you have already ordered the AVC and WSE piece of this I am not sure what part number you need to order to add only the IPS, but the NG IPS will be on the CX module.

So yes you can run AVC, WSE, and IPS on the CX module without purchasing an additional IPS.

CJ

View solution in original post

6 Replies 6

Naveen Kumar
Enthusiast
Enthusiast

As of now you can run CX or IPS but not both.

in the new release 9.2 talk about support IPS filtering..

http://www.cisco.com/en/US/partner/docs/security/asacx/roadmap/asacxprsm_new_features.html

Yes, I've read the document and the second paragraph in my question is regarding its contents.

This is what we purchased, an ASA with the 120 SSD and the IPS Service license for the CX module:

ASA5512-SSD120-K9

L-ASA5512-IP1Y=

 

However, we had intended to buy the classic IPS module, but were told to get this instead by our vendor.  We in the process of trying to figure out which is best for our client who only wants IPS.

Hi,

 

The CX IPS (Next Generation IPS) is completely different from the classic IPS SSP. It offers fewer threat signatures (800 as of today), it can't be managed through IDM, IME or CSM and offers no signature customization options. 

The only option which can be controlled is if is "on" or "off" globally, and for a specific policy. Moreover, there is little to no documentation available.

 

Radu

cjguinn
Beginner
Beginner

Release Notes for 9.2 go into the features.

http://www.cisco.com/c/en/us/td/docs/security/asacx/roadmap/asacxprsm_new_features.html#wp43613

The Data Sheet Tells you which part number to order:

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/data_sheet_c78-701659.html

I ordered L-ASA5525-AW5Y= previously and wanted to add the NG IPS piece to this.  I was told to order L-ASA5525-IPS-SSP.  That is NOT the correct part number as you point our the CX module and IPS module can not run simultaneously.

The data sheet only has AVC and WSE or AVC, WSE, IPS.  Not individual licenses.  So IF you have already ordered the AVC and WSE piece of this I am not sure what part number you need to order to add only the IPS, but the NG IPS will be on the CX module.

So yes you can run AVC, WSE, and IPS on the CX module without purchasing an additional IPS.

CJ

cjguinn
Beginner
Beginner

this link is somehting I stumbled across that will address the IPS licensing piece for the CX

https://supportforums.cisco.com/sites/default/files/legacy/8/9/7/15376798-Cisco%20ASA%20NGFW%20Cheat%20Sheet.pdf

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers