ASA 9.X Routed + Transparent + Active/Active + IPS

Hi,

We are currently looking at design models for a Multi-Tenancy solution.

The firewall layer will be 2 x ASAs running 9.X to take advantage of VPNs in multiple-context mode and mixed L3 and L2 contexts.

We will be delivering services through multiple L3 contexts (between 2 and 5 L3 contexts for services) and 1 transparent context for customers' infrastructure, who will then have virtual firewalls for NAT, VPNs etc. within their own environment.

I am not very experienced with IPS, so my query is: if we were to get an IPS license for both ASAs, how would the IPS fit in? Can we use it to inspect traffic for all the L3 contexts and the transparent context?

Any advice or docs around this would be brilliant. Thanks in advance.

Accepted Solution

Marvin Rhoads
Hall of Fame

In a multi-context X series ASA you use the allocate-ips command. Reference more details here.

One shortcoming is that in an ASA HA setup the two IPSs don't know about each other, so you need to synchronize their configurations either manually or via policies using something like the free IPS Manager Express (IME) tool or, for larger setups, the licensed CSM product.
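As an added illustration of the allocate-ips approach described above (not configuration from the original post), the fragment below shows the system execution space allocating one virtual sensor to a routed service context and another to the transparent tenant context, then the per-context service policy that hands traffic to that sensor. Context names, sensor names (vs1, vs2), interfaces, config URLs and the 10.200.1.0/24 subnet are assumed values for the example; within a context, the class-map decides which flows are handed to the module.

```cisco
! --- System execution space (mode multiple) ---
! Sensor names vs1/vs2 and context names are assumed for this example.
context svc-l3-a
  allocate-interface GigabitEthernet0/0.101
  allocate-interface GigabitEthernet0/1.101
  allocate-ips vs1 default
  config-url disk0:/svc-l3-a.cfg
!
context tenant-l2
  allocate-interface GigabitEthernet0/0.200
  allocate-interface GigabitEthernet0/1.200
  allocate-ips vs2 default
  config-url disk0:/tenant-l2.cfg
!
! --- Inside context svc-l3-a (routed) ---
! All traffic through this context is sent inline to sensor vs1.
! fail-open keeps traffic flowing if the IPS module is down.
class-map ips-all
  match any
policy-map global_policy
  class ips-all
    ips inline fail-open sensor vs1
service-policy global_policy global
!
! --- Inside context tenant-l2 (transparent, ASA 9.x mixed mode) ---
firewall transparent
! Only flows matching the ACL are handed to sensor vs2; the ACL
! selects the tenant subnet (assumed 10.200.1.0/24) for inspection.
access-list ips-subscribers extended permit ip 10.200.1.0 255.255.255.0 any
access-list ips-subscribers extended permit ip any 10.200.1.0 255.255.255.0
class-map ips-subscribed
  match access-list ips-subscribers
policy-map global_policy
  class ips-subscribed
    ips inline fail-open sensor vs2
service-policy global_policy global
```

Each sensor's own signature policy still lives on the IPS module and, as noted above, must be kept in sync between the two HA units separately from the ASA configuration.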


4 Replies


Marvin, that's brilliant, thanks for the link. I have found a lot of what I need to know, like the ability to create Virtual Sensors (up to 4) and being able to assign the same Virtual Sensor to more than one context, so that's great.

I have noticed in my research that the max throughput drops significantly when using IPS - for the 5525 it goes from 1 Gbps - 2 Gbps down to 600 Mbps.

I don't suppose you know: if I have assigned a Virtual Sensor to a transparent context with multiple tenants going through it, and one of those customers going through this transparent context opts out of requiring IPS, will their traffic still go through it (via a sort of pass-all-traffic policy) and so hit/contribute to the max 6000Mbps throughput, or will their traffic not hit the IPS at all, thus opening the max throughput back up to what the ASA is capable of?

Hope this makes sense!

You're welcome. Thanks for the rating.

I think once you assign a context to the IPS module you will be effectively throttling all the traffic via that context to the IPS's limit (600 Mbps on a 5525X, shared across all the assigned contexts).

Thanks Marvin
