Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
628
Views
0
Helpful
1
Replies

ASA5515-IPS-K9 Integration Design Query

smoothnetworks
Level 1
Level 1

‎05-22-2013 01:52 PM - edited ‎03-10-2019 05:58 AM

Hello,

Came accross a slighly different and odd design today. Customer had:-

Internet----ASA(x2)----Internal Network

They now have purchased an IPS applaince and their proposed design looks like this:-

Internet----ASA(x2)----ASA5515-IPS-K9-----Internal Network

Sole Objective: Introduce Intrusion Prevention functionality to meet compliance requirements

Im trying to thrash out a design to allow traffic to be inspected by the IPS module within that second firewall (ASA5515-IPS-K9) however not use the ASA Firewall feature as it is not needed due to the policy being on the upstream ASAs - so basically just use the IPS.

Im not sure what's the best way to do this. Ideally removing the first pair of firewalls would be an option, it also would ease the burden on  management however Im looking for some ideas for a another method as I only have one IPS alliance at the moment so failure of it would be a problem.

Can anyone recommend a way I can pass traffic through the ASA5515-IPS-K9 straight to the IPS only? Other than a permit all security policy?

I am in a position to advise on a more suitable design but there may be (initial) budgetary constraints if a drastic design is needed

Regards,

SN

Labels:
0 Helpful
1 Reply 1

Julio Carvajal
VIP Alumni
VIP Alumni

‎05-24-2013 03:25 PM

Hello Sr,

I would actually recommend to have a 3 FW in place ( more managment but more security is added) ..

It would be a waste to buy that chassis just to use the IPS (There are IPS sensors that only perform Intrusion Prevention taks)

You could try to apply more layers to security to your network and that would not be a problem at all,

I mean if managment already decided to go for that ASA-X box why dont you take the best of it

Hope that I could help,

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card