We have an ASA 5510 with the AIP-SSM-10. It is a replacement for a 4215 that was setup promiscuously to sniff traffic on a switch. We want to replicate this with the ASA/AIP.
I know that the AIP can run in a promiscuous mode, but we can't find any documentation that configures a single ASA interface to send traffic to the AIP for IDS inspection.
Is this even possible? If it is, do you know where the documentation is?
Richard S. Westmoreland
Not currently possible.
The ASA-5510 itself must be deployed inline (in either routed or transparent mode).
The AIP-SSM-10 can then monitor the traffic passing through the ASA using either promiscuous or inline mode.
Customers specifically requiring promiscuous mode were encouraged to upgrade to the IPS-4240 rather than the ASA-5510/AIP-SSM-10 combination.
This is mentioned in the EOL/EOS for the IDS-4215:
Darn, that's not what I was hoping to hear.
Is it possible to have an ASA in transparent mode, with AIP in promiscuous mode, to spoof the next hop MAC addresses on the opposite interface of the inline pair? I know that some transparent inline devices do this automatically and gracefully, but I've had some issues with Cisco's inline IPS even when the virtual sensor is not assigned to the pair.
Yes, the closest you can make an ASA to the 4215 in promiscuous mode is to put the ASA in transparent mode and remove as much of the firewall config as possible. Here's one hint: you HAVE to have a global IP address, but it doesn't need to be anything in your network as long as you are not using it for inband management.
The ASA will proxy ARP as you have hoped.
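The transparent-mode setup described in the answer above, written out as an added configuration example; it is not taken from the thread or from Cisco documentation. It assumes an ASA software release whose transparent mode uses a single global management IP (the 7.x/8.2 behaviour the answer refers to, not the later BVI-based transparent mode), and the interface names, the 192.0.2.0/24 management address, and the class-map/policy-map names are constructed placeholders for illustration. The firewall policy is kept to the minimum of permitting traffic through, and the AIP-SSM is attached in promiscuous mode with fail-open so that a module failure does not interrupt the flow the sensor is only meant to observe.

```cisco
! Added example (not the original poster's configuration).
! Transparent mode: the ASA bridges outside <-> inside at layer 2.
firewall transparent
hostname asa-ids-bridge

! Bridge pair: one interface toward the monitored switch segment, one toward the next hop.
! Interface names are assumed placeholders.
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown

! Transparent mode on this release still requires one global IP address.
! 192.0.2.250 is a constructed placeholder; it only has to be unused
! on the segment unless in-band management of the ASA is needed.
ip address 192.0.2.250 255.255.255.0

! Minimal firewall policy: let everything bridge through in both directions
! so the ASA behaves as close to a passive wire as the platform allows.
! Tighten this if the ASA is also expected to enforce anything.
access-list BRIDGE_ALL ethertype permit any
access-list PASS_ALL extended permit ip any any
access-group BRIDGE_ALL in interface outside
access-group BRIDGE_ALL in interface inside
access-group PASS_ALL in interface outside
access-group PASS_ALL in interface inside

! Send a copy of all bridged traffic to the AIP-SSM for promiscuous (IDS) inspection.
! fail-open: if the module is down or rebooting, traffic keeps flowing uninspected,
! which matches the behaviour of the sniffing 4215 this replaces.
class-map IPS_ALL_TRAFFIC
 match any
policy-map global_policy
 class IPS_ALL_TRAFFIC
  ips promiscuous fail-open
service-policy global_policy global
```

After applying this, `show service-policy` should report the IPS action on the class, and the sensor's own event store (or `show module 1 details` on the ASA) confirms the module is up. If the monitoring requirement is strictly passive, remember that even in this configuration the ASA is still in the forwarding path: a failed ASA interface or chassis takes the segment down, which is the trade-off the earlier answer's recommendation of a standalone IPS-4240 avoids.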