Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
875
Views
10
Helpful
3
Replies

ASA and AIP module, promiscuous and NOT inline

RichardSW
Level 1
Level 1

‎08-25-2008 10:01 AM - edited ‎03-10-2019 04:15 AM

We have an ASA 5510 with the AIP-SSM-10. It is a replacement for a 4215 that was setup promiscuously to sniff traffic on a switch. We want to replicate this with the ASA/AIP.

I know that the AIP can run in a promiscuous mode, but we can't find any documentation that configures a single ASA interface to send traffic to the AIP for IDS inspection.

Is this even possible? If it is, do you know where the documentation is?

Thanks,

Richard S. Westmoreland

Labels:
0 Helpful
3 Replies 3

marcabal
Cisco Employee
Cisco Employee

‎08-25-2008 10:10 AM

Not currently possible.

The ASA-5510 itself must be deployed inline (in either routed or transparent mode).

The AIP-SSM-10 can then monitor the traffic passing through the ASA using either promiscuous or inline mode.

Customers specifically requiring promiscuous mode were encouraged to upgrade to the IPS-4240 rather than the ASA-5510/AIP-SSM-10 combination.

This is mentioned in the EOL/EOS for the IDS-4215:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/ps5367/end_of_life_notice_for_cisco_ids_4215_sensor.html

RichardSW
Level 1
Level 1
In response to marcabal

‎08-25-2008 10:39 AM

Darn, thats not what I was hoping to hear.

Is it possible to have an ASA in transparent mode, with AIP in promiscuous mode, to spoof the next hop mac addresses on the opposite interface of the inline pair? I know that some transparent inline devices do this automatically and gracefully, but I've had some issues with cisco's inline IPS even when the virtual sensor is not assigned to the pair.

0 Helpful

rhermes
Level 7
Level 7
In response to RichardSW

‎08-25-2008 01:18 PM

Yes, the closest you can make an ASA to the 4215 in promiscuous mode is to put the ASA in transparent mode and remove as much of the firewall config as possible. Here's one hint: you HAVE to have a global IP address, but it doesn't need to be anything in your network as long as you are not using it for inband management.

The ASA will proxy ARP as you have hoped.

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card