Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
824
Views
0
Helpful
1
Replies

ASA5510-AIP10 as Dedicated IPS solution?

Matt Bell
Level 1
Level 1

‎03-15-2013 11:33 AM - edited ‎03-10-2019 05:55 AM

Current setup is: Internet drop-point -> 2 ASA5505-SEC-BUN (primary/failover) -> Switch (multiple VLANs) -> machines

Can I use an ASA5510-AIP10-K9 as a dedicated IPS solution?

Can I use it in all modes?  (Promiscuous, Inline, Hybrid)

I created a few images demonstrating the different setups.  Can I do each setup?  If not, can you briefly explain why?

PowerPoint001.jpg

PowerPoint002.jpg

PowerPoint003.jpg

Labels:
0 Helpful
1 Reply 1

Velos1987
Level 1
Level 1

‎03-16-2013 05:12 PM

Hello Matt!

To be honest I am not fully understand what do you mean under "dedicated solution".

In my mind "dedicated solution" is something that stands alone of ASA and is independet from it (like 42xx/43xx/45xx appliances).

AIP module is rather "built-in" solution rather than "dedicated"

Judging by your schemas your main aim is to inspect traffic between internet edge and internal network.

All your scenarios are easy to implement: you will need to use virtual sensors feature on AIM to create two sensors for promiscuous and inline modes.

On ASA you will need to use MPF to tell ASA which traffic should go to which sensor.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/modules_ips.html#wp1088096

If you want to inspect traffic between VLANs that are behind the switch you will need to force traffic flow through the ASA (for example ASA can perform inter-vlan routing).

PS: Keep in mind that you will need two AIP modules when you use two ASA in failover. Modules also should be identical.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card