06-22-2008 05:17 PM - edited 03-11-2019 06:02 AM
We have an ASA 5510 with an IPS module.
Can the two be configured for access separately?
For example, someone having access to the ASDM can only view the firewall config but edit and manage the IPS module.
And the opposite: view the IDS module and manage the firewall config.
The IPS module has its own IP Address.
06-22-2008 06:20 PM
Yes Wilson, just use separate passwords for each.
But just make sure both guys are good friends otherwise the IPS guy could block all traffic for the ASA guy and the ASA guy could shutdown/reset the IPS module using the CLI :)
Regards
Farrukh
06-24-2008 06:35 PM
We have our ASAs using AAA pointing to a TACACS server.
How would it be done in this case?
06-25-2008 02:31 AM
Hi Wilson,
you can add 2 user accounts to the AAA server: one is authorized to manage the ASA and the other is authorized to manage the IPS module. And you have to configure AAA authentication on the IPS module.
B.regards,
06-25-2008 05:59 AM
You can have separate usernames for IPS and ASA. To further secure this, you can use Network Access Restrictions (but they sometimes do not work well with security devices as they don't send the complete information). Also, the IPS does not support AAA, so there you will have to use the local database anyway (thereby isolating things).
Regards
Farrukh