03-13-2013 02:29 AM - edited 03-10-2019 05:55 AM
Hi All,
Been handed one I can't work out and would appreciate some input please. I've been trawling the Cisco docs and got the IPS 7.1 CLI guide but not the info I need, so I'm a bit snookered.
Customer has a pair of ASA5512X with the onboard IPS's, which reside on disk0:/ on both devices, which are a failover pair.
There is a management router that we use to access the ASA's and switches - below. The ASA's with the IPS are the EdgeASA1.
As you'll see, there is a Management Vlan that is connected to all devices.
We connect via VPN client to the Management router, then SSH from there to each device as required.
The starter for 10 is...
As the ASA's are a failover pair, does this also mean that the IPS's also operate as a pair, therefore operating with a shared management IP address? I tried allocating different IP addresses to each IPS and this meant that the management router had two ARP entries with the same MAC address.
Whatever the case for the first question, I suspect that the IPS tab in ASDM is only for use with IPS modules that have their own physical interface. Can anyone confirm (or otherwise) that this is the case please?
If this is the case, it would seem therefore, that the only way to manage the IPS is via CLI.
If anyone has anything, I'd greatly appreciate it.
Many Thanks
Ali
03-13-2013 07:09 AM
Hello,
Seeing as you only have two IPS devices, have you thought of using Cisco IPS Manager Express?
https://supportforums.cisco.com/thread/2176686
res
Paul
Please don't forget to rate this post if it has been helpful.
03-13-2013 09:06 AM
Hi Paul,
Thanks for the reply. I might give that a go. Firstly though, I need to resolve this IP addressing issue, as I can't see the customer wanting to tweak the config using only the CLI!
Thanks
Ali
03-13-2013 09:41 AM
Cisco IPS modules and appliances don't support HA. The IPS modules in your ASA pair are each its own device and must be managed separately. Also, they each have their own IP address.
As the modules in ASA 55xx-X aren't physical devices, they're managed through the common ASA Management0/0 interface as ASA itself:
http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/modules_ips.html
03-14-2013 02:24 AM
Stojanr,
Thanks for that. I've seen the docs that relate to that and found that it has been set up not with M0/0 for management, but has used another interface.
Do you happen to know if the IPS management only applies to M0/0? i.e. it must be M0/0 to manage the IPS or can ANOther interface be used, as in this case? The interface in use has been issued the management-only command but has made no difference - I've tried removing it and re-applying it too :/
Thanks
Ali
03-14-2013 03:46 AM
The IPS can be managed only through the M0/0 interface. The URL below describes the connection options for IPS in the ASA 55xx-X family:
http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd5d03.shtml
03-14-2013 06:53 AM
Many thanks - just what I was looking for.