02-21-2014 05:54 AM - edited 03-10-2019 06:09 AM
Hello,
Recently a client migrated to ASA 5525x, ASA OS 9.1(1). The task now is to implement an Intrusion Prevention System while keeping the ASA CX module. From what I've read so far, both software modules, IPS and CX, can't run simultaneously on one ASA, so my first question is "Is that true?".
Also I see that ASA CX 9.2(1.1) Build 48 is the first release that offers IPS Filtering. Does anyone know how close that CX feature is to the actual IPS module? I can't find anything specific on that matter. In the release notes for "ASA CX and Cisco Prime Security Manager 9.2" it's said: "Next Generation IPS filtering is a separately-licensed service...". Does that mean that if I upgrade to ASA CX 9.2 the IPS Filtering won't be enabled? What kind of license is needed if that is the case?
The bottom line question is whether there is a different way to keep both CX and IPS, other than running the ASA CX on the firewall and adding a separate IPS device to the network.
Thank you in advance.
03-07-2014 12:54 PM
Release Notes for 9.2 go into the features.
http://www.cisco.com/c/en/us/td/docs/security/asacx/roadmap/asacxprsm_new_features.html#wp43613
The data sheet tells you which part number to order:
I ordered L-ASA5525-AW5Y= previously and wanted to add the NG IPS piece to this. I was told to order L-ASA5525-IPS-SSP. That is NOT the correct part number, as you point out the CX module and IPS module cannot run simultaneously.
The data sheet only has AVC and WSE, or AVC, WSE and IPS. Not individual licenses. So IF you have already ordered the AVC and WSE piece of this, I am not sure what part number you need to order to add only the IPS, but the NG IPS will be on the CX module.
So yes you can run AVC, WSE, and IPS on the CX module without purchasing an additional IPS.
CJ
02-24-2014 10:00 PM
As of now you can run CX or IPS but not both.
In the new release 9.2 they talk about support for IPS filtering.
http://www.cisco.com/en/US/partner/docs/security/asacx/roadmap/asacxprsm_new_features.html
02-25-2014 07:09 AM
Yes, I've read the document and the second paragraph in my question is regarding its contents.
03-26-2014 03:21 PM
This is what we purchased, an ASA with the 120 SSD and the IPS Service license for the CX module:
ASA5512-SSD120-K9
L-ASA5512-IP1Y=
However, we had intended to buy the classic IPS module, but were told to get this instead by our vendor. We are in the process of trying to figure out which is best for our client, who only wants IPS.
03-31-2014 11:28 AM
Hi,
The CX IPS (Next Generation IPS) is completely different from the classic IPS SSP. It offers fewer threat signatures (800 as of today), it can't be managed through IDM, IME or CSM and offers no signature customization options.
The only option which can be controlled is whether it is "on" or "off", globally and for a specific policy. Moreover, there is little to no documentation available.
Radu
03-31-2014 10:47 AM
This link is something I stumbled across that will address the IPS licensing piece for the CX