ASA using only for IPS?

Volker Janusch
Level 4

Hi,

Is it possible to use the ASA with the IPS module as a sensor only, connected via its outside interface to a mirrored switch port?

Regards.

Volker

Manager DC-Networking, Automation & WLAN
Logicalis GmbH
Accepted Solution

marcabal
Cisco Employee

The outside-interface is for command and control only and can not be used for monitoring.

The SSM is only able to monitor traffic passing through the ASA.

The ASA does not support connecting its ports to mirrored switch ports either.

The closest you get is to configure the ASA in transparent mode with ACLs on each interface that permit all traffic, and then place the ASA between two of your existing devices. Then place a policy on the ASA to copy all packets to the SSM for promiscuous monitoring.

If you have an existing other type of firewall, then you can try placing the transparent ASA between your other firewall and your DMZ switch for example.

All traffic would be passed through the ASA, and be copied to the SSM for promiscuous monitoring.

This mode could best be described as using the ASA as a simulated Tap to send traffic to the SSM.
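The "simulated tap" setup described in this answer, written out as an added ASA configuration example (this is not configuration from the original post or from Cisco; interface names, the management address, the ACL and class-map names are assumptions, and the global `ip address` form is the ASA 7.x/8.0 transparent-mode syntax of that era):

```cisco
! Added example: ASA with an AIP-SSM bridged inline as a transparent "tap",
! with all traffic permitted and copied to the SSM in promiscuous mode.
! Names and addresses below are assumed for illustration.
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Management address of the bridged ASA itself (assumed value).
ip address 192.0.2.10 255.255.255.0
!
! Permit all IP traffic on both interfaces so the ASA adds no filtering of its own.
access-list PERMIT_ALL extended permit ip any any
access-group PERMIT_ALL in interface outside
access-group PERMIT_ALL in interface inside
!
! Transparent mode drops non-IP frames unless an EtherType ACL allows them.
access-list PERMIT_ETH ethertype permit any
access-group PERMIT_ETH in interface outside
access-group PERMIT_ETH in interface inside
!
! Copy every packet to the SSM for promiscuous (IDS-style) inspection.
! fail-open keeps forwarding traffic if the SSM is down or rebooting,
! so the sensor module itself does not become a point of failure.
class-map ALL_TRAFFIC
 match any
!
policy-map global_policy
 class ALL_TRAFFIC
  ips promiscuous fail-open
!
service-policy global_policy global
```

After applying it, `show service-policy` reports the packet counters for the `ips` action and `show module 1 details` shows the SSM status; both are useful to confirm traffic is actually reaching the sensor. The ASA still sits inline on the wire, so the fail-open choice, and not the permit-all ACLs, is what limits the availability impact of the sensor module.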

This is a very timely question, as Cisco is recommending the ASA-5510 as a replacement for EOL'ed 4215 sensor. I'm terribly disappointed that the ASA can be run in a promiscuous mode (like the 4215) and must be placed in line. Adding another single point of failure only diminishes overall availability and uptime.

There is no advantage to placing a promiscuous mode IDS device in-line.

Yes, this is the big problem for SMB, because the big IPS blade is too expensive. And our customer needs at first only the IPS function, without modifying his existing firewall deployment.

Manager DC-Networking, Automation & WLAN
Logicalis GmbH