ASA IPS Management

avilt · ‎11-11-2013

I have a query on ASA-5525-IPS which is a software only module.

a) Can I configure both ASA & IPS with ASDM?
b) Can I configure both ASA and IPS with single IP address instead of a separate IP for ASA/IPS management?

WSLH OIS NOC - OIS Infrastructure · ‎11-11-2013

a) While I believe you can configure the IPS side using ASDM, you will get better results using something like IME or CSM.

b) No, you will need separate IP address for the ASA and the IPS. Furthermore, the IPS will have to use the management interface; you can manage the ASA over any interface.

-- Jim Leinweber, WI State Lab of Hygiene

avilt · ‎11-11-2013

ASA-5525-IPS is a software only module & no physical management interface. So can I use the same mgmt interface from ASA for both ASA/IPS with a single IP address?

James Leinweber · ‎11-12-2013

You have to use the management interface for the IPS. You may also simultaneously use the management interface for the ASA. However, you will need an external router, as the interface has to be set for management-only for the IPS, which prevents passing traffic through the firewall to it directly. E.g. the management interface for the ASA could be 192.168.10.10/24 and the IPS could be configured with 192.168.10.11/24. The default router for 192.168.10.0/24 would have to be some other device.

Due to lack of routers in my environment, I'm managing my ASA devices through non-management interfaces, and having the IPS address share a subnet with a different ASA interface.

-- Jim Leinweber, WI State Lab of Hygiene