10-13-2011 12:03 AM - edited 03-10-2019 05:30 AM
Hi,
I have an ASA 5510 with the AIP-SSM-10 and would like to use it just as an IDS in promiscuous mode.
ASA 5510 : ASA version 7.0 (8)
AIP-SSM-10: IPS version 6.0(5)E2
At this point, we would like to configure a single ASA interface to send traffic to the AIP for IDS inspection (and continue to use our existing third-party firewalls). Is it possible?
The following discussion suggests that it is not:
https://supportforums.cisco.com/message/957351
I have configured 22.1.100.2/28 on interface Eth0/0 (outside) and 10.5.100.3/24 on the AIP-SSM management interface, and the switchports (Cisco 6509) have been configured with SPAN.
Thanks for your advice in advance.
Regards,
Lay
10-16-2011 06:03 PM
You are right. Unfortunately the AIP module on the ASA firewall does not listen to SPAN traffic. If you would like to SPAN the ports, then you would need to use an IPS appliance (4200 series IPS appliance), which supports inspection of SPAN traffic.
The PIX is also a firewall, not an IPS device, hence it can't be used as an IPS device.
10-16-2011 02:48 AM
Yes, the discussion that you point to is correct.
The traffic is actually sent from the ASA to the AIP module via the backplane, not via an external interface; therefore the traffic that you would like to pass through the AIP module needs to pass through the ASA as well, whether the ASA is configured in transparent or routed mode.
And yes, the AIP module can be configured in promiscuous mode.
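For reference, this is the ASA-side Modular Policy Framework configuration that hands transit traffic to the AIP-SSM in promiscuous mode. It is an added example, not from this thread; the ACL and class-map names are assumed, and it only works for traffic that actually flows through the ASA's interfaces, as described above.

```cisco
! Added example (not from the thread). Names ips_traffic and ips_class are assumed.
! Select the traffic to copy to the module; here everything that transits the ASA.
access-list ips_traffic extended permit ip any any
!
class-map ips_class
 match access-list ips_traffic
!
! Attach the IPS action to the global policy.
! promiscuous = module sees a copy and cannot drop (IDS behaviour);
! fail-open  = traffic keeps flowing if the module is down or reloading.
policy-map global_policy
 class ips_class
  ips promiscuous fail-open
!
service-policy global_policy global
```

Note that packets arriving on an ASA interface from a SPAN destination port are not forwarded by the ASA (no flow is built for them), so they never reach this policy; only traffic the ASA itself routes or bridges is copied to the module.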
10-16-2011 05:41 PM
Hi Jenn,
Thanks very much for that. I understand the traffic is not sent to the AIP module via an external interface, but was wondering if I can just connect the ASA outside interface to a SPAN port (destination) to receive a copy of the network traffic, connect the external/internal interface of our external router (third-party) to a SPAN port (source), and then tell the ASA to send all traffic to the AIP module (IPS/IDS) in promiscuous mode.
Would you please advise if that is true for all versions of ASA? (That link was posted in 2001.) Or would it be possible to just listen, detect or monitor the network traffic with a dedicated Cisco IPS 4200 device or with an older PIX (in which IPS is not an additional module)?
Thanks very much again for your advice.
Regards,
Lay
10-16-2011 07:29 PM
Hi Jenn,
Thanks very much for confirming that. I was just trying to see if I could get it to listen in Layer 2 mode using SPAN as a workaround, but it doesn't look like it works when simply testing with signatures 2000/0 and 2004/0. But it makes sense.
I will need to start looking at where the ASA can be put in the edge network to cover everything, and that would be an interesting project.
Thanks again for your advice.
Regards,
Lay
10-16-2011 07:47 PM
Cheers, all the best with your project.