ASA5510 and AIP-SSM-10 module in promiscuous mode

layhlaing
Level 1

Hi,

I have an ASA 5510 with the AIP-SSM-10 and would like to use it just as an IDS in promiscuous mode.

ASA 5510 : ASA version 7.0 (8)

AIP-SSM-10: IPS version 6.0(5)E2

At this point, we would like to configure a single ASA interface to send traffic to the AIP for IDS inspection (and continue to use our existing third-party firewalls). Is it possible?

The following discussion suggests that it is not:

https://supportforums.cisco.com/message/957351

I have configured 22.1.100.2/28 on interface Eth0/0 (outside) and 10.5.100.3/24 on the AIP-SSM management interface and switchports (Cisco 6509) have been configured with SPAN.

Thanks for your advice in advance.

Regards,

Lay



Jennifer Halim
Cisco Employee

Yes, the discussion that you point to is correct.

The traffic is actually sent from the ASA to the AIP module via the backplane, not via an external interface, therefore the traffic that you would like to pass through the AIP module needs to pass through the ASA as well whether the ASA is configured in transparent or routed mode.

And yes, the AIP module can be configured in promiscuous mode.
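For reference, this is how the ASA side of that backplane hand-off is configured on a 7.x ASA (an added example, not from this thread; the ACL, class-map and policy-map names are assumptions, and the existing default global policy can be used instead of a new one):

```text
! Added example, not from the thread. Names below are assumptions.
! Match the forwarded traffic that should be copied to the AIP-SSM.
access-list IDS_TRAFFIC extended permit ip any any

class-map IDS_CLASS
 match access-list IDS_TRAFFIC

! promiscuous = a copy goes to the module, the ASA keeps forwarding the
! original; fail-open = traffic still passes if the module is down.
policy-map global_policy
 class IDS_CLASS
  ips promiscuous fail-open

service-policy global_policy global

! Only packets the ASA actually forwards between its interfaces hit this
! policy. A SPAN copy delivered to Eth0/0 is not routed or bridged by the
! ASA, so it never reaches the class and the module never sees it.
! Verify matches with: show service-policy
```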

Hi Jenn,

Thanks very much for that. I understand the traffic is not sent to the AIP module via an external interface, but I was wondering if I can just connect the ASA outside interface to a SPAN port (destination) to receive a copy of the network traffic, connect the external/internal interface of our external router (third-party) to a SPAN port (source), and then tell the ASA to send all traffic to the AIP module (IPS/IDS) in promiscuous mode.

Would you please advise if that is true for all versions of ASA? (That link was posted from 2001.) Or would it be possible to just listen, detect or monitor the network traffic with dedicated Cisco IPS device 4200 or with older PIX (in which IPS is not an additional module)?

Thanks very much again for your advice.

Regards,

Lay

You are right. Unfortunately, the AIP module on the ASA firewall does not listen on SPAN traffic. If you would like to SPAN the ports, then you would need to use an IPS appliance (4200 series IPS appliance), which supports SPAN traffic to be inspected.

PIX is also a firewall, not an IPS device, hence can't be used as an IPS device.

Hi Jenn,

Thanks very much for confirming that. I was just trying to see if I can get it to listen in Layer 2 mode utilizing SPAN as a workaround; it doesn't look like it's working when simply testing on signatures 2000/0 and 2004/0. But it makes sense.

I will need to start looking at where the ASA can be put in the edge network to cover all, and that would be an interesting project.

Thanks again for your advice.

Regards,

Lay

Cheers, all the best with your project.
