Hello,
Came across a slightly different and odd design today. Customer had:-
Internet----ASA(x2)----Internal Network
They now have purchased an IPS appliance and their proposed design looks like this:-
Internet----ASA(x2)----ASA5515-IPS-K9-----Internal Network
Sole Objective: Introduce Intrusion Prevention functionality to meet compliance requirements
I'm trying to thrash out a design to allow traffic to be inspected by the IPS module within that second firewall (ASA5515-IPS-K9), however not use the ASA firewall feature as it is not needed due to the policy being on the upstream ASAs - so basically just use the IPS.
I'm not sure what's the best way to do this. Ideally removing the first pair of firewalls would be an option; it also would ease the burden on management. However, I'm looking for some ideas for another method, as I only have one IPS appliance at the moment, so failure of it would be a problem.
Can anyone recommend a way I can pass traffic through the ASA5515-IPS-K9 straight to the IPS only? Other than a permit all security policy?
I am in a position to advise on a more suitable design, but there may be (initial) budgetary constraints if a drastic design change is needed.
Regards,
SN