ASA5525-IPS in inline mode question

piotr.chrusciel (Level 1)

Hi Everyone.

Our client would like to buy and deploy an IPS solution in the near future. The IPS should scan traffic at approx. 400-600 Mb/s on the Internet Edge. In Cisco Commerce Workspace I've found information that the 4255 sensor will be withdrawn from sale and that the ASA5525-IPS replaces that box. But so far I cannot understand how the ASA should work in inline mode - I did not find any exact information about that.

The ASA would be placed between the firewall and the core switch (in HA configuration - two firewalls and two core switches). At the moment the firewall has four links in LACP - all VLANs are forwarded through this port-channel (the LACP bundle is acting as a trunk port). During the IPS deployment an additional link would be added between the firewall and the switch (the IPS would be placed here) and only specific VLANs would be forwarded through it - for instance VLAN IDs from 5 to 15 - five links in total would be connected between firewall and switch.

I have a problem in understanding or predicting the ASA's interface configuration. The ASA has to scan traffic in inline mode; it cannot route traffic - just bridging (passing frames firewall<->switch, it cannot modify L2 headers) - and it has to respond to threats.

I believe the ASA should work in transparent firewall mode and have two interfaces - inside (to the switch) and outside (to the firewall). To the outside interface PortChannel0/0 is assigned (here the scanning is performed according to the documentation) with only one member port (for example Gi0/0); to the inside interface PortChannel 0/1 is assigned (with Gi0/1 as member), and the traffic would be diverted to the sensor through MPF on the ASA. Am I right? Should this configuration work? Is there any different approach?

I found an example (pages 19-23):

http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/cli/cli_asa_ips.pdf

I found many similar articles with the same information, but I did not find the answer.

Best Regards,

Piotr


5 Replies

If you only want to have an inline IPS, then I would go for the 4345 or 4360:

http://www.cisco.com/en/US/products/ps12143/index.html

They are pure IPS appliances and much easier to manage if you don't want to have combined firewalling.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks Karsten for your response.

Actually yes. Unfortunately our client has a limited budget. In the GPL the IPS-4345 costs $39995 and the ASA5525-IPS $15995. 4300 series sensors do not support software/hardware bypass, so the client still has to buy two separate boxes. Besides, the sensor does not need to support "VLAN group mode" or "Inline VLAN pair mode". "Inline interface mode" would be enough, but really I have no clue how the interfaces should be configured. Obviously, I believe the above-mentioned configuration should work, but I am not sure.

Regards

Ok, but I think that a 5525 could be too slow. Or is the 400 to 600 Mbit/s already the combined bandwidth in/out?

For your setup:

The ASAs are configured for transparent mode, where you just have a BVI for management. As it's still a firewall, you allow all traffic on both interfaces with "permit ip any any". Alternatively you could configure the ASA for state-bypass. But that should only be done if the traffic is already normalized by another firewall.

In the MPF you specify which traffic to pass to the IPS. That could be "match any".

For HA you can use port-channels with two links inside and two links outside. If you can connect only one link, there is no need to configure channels. If you plan for ASA failover, that's also possible, but keep in mind that the IPS is not included in failover replication. Both IPSs have to be configured individually. If the budget is really small, you can also implement spanning-tree HA with one unit. With that you connect your ASA the following way:

|----------|<-------------- ASA-IPS ------------>|----------|
| Switch 1 |                                     | Switch 2 |
|----------|<----------------------------------->|----------|

With spanning tree, you prefer the link through the ASA; if the ASA fails, the unprotected link is still available.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
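The setup sketched in the reply above, written out as an added example; it is not taken from the thread or from Cisco's documentation. It assumes an ASA 5525-X with the IPS software module on an 8.4-or-later image, two-member EtherChannels as in the planned topology, and a trunk carrying VLANs 5 to 15 of which two are shown. The interface names, VLAN IDs, management addresses and ACL names are illustrative.

```cisco
! Added example, not from the thread: ASA 5525-X with the IPS software module,
! transparent mode, bridging a trunk between the edge firewall and core switch.
! Interface names, VLAN IDs and addresses are assumptions for illustration.
firewall transparent

! Two-member EtherChannels. The ASA names them Port-channelN; the members are
! added with channel-group, and the Gi0/x numbering here is assumed.
interface GigabitEthernet0/0
 channel-group 1 mode active
 no shutdown
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown
interface GigabitEthernet0/2
 channel-group 2 mode active
 no shutdown
interface GigabitEthernet0/3
 channel-group 2 mode active
 no shutdown

! Port-channel1 faces the edge firewall, Port-channel2 faces the core switch.
! Transparent mode bridges one VLAN per bridge group, so each VLAN carried on
! the trunk gets a tagged subinterface on both sides in its own bridge group.
! VLANs 5 and 6 are shown; VLANs 7 to 15 repeat the same three stanzas.
interface Port-channel1.5
 vlan 5
 nameif outside-v5
 bridge-group 5
 security-level 0
interface Port-channel2.5
 vlan 5
 nameif inside-v5
 bridge-group 5
 security-level 100
interface BVI5
 ip address 10.0.5.10 255.255.255.0

interface Port-channel1.6
 vlan 6
 nameif outside-v6
 bridge-group 6
 security-level 0
interface Port-channel2.6
 vlan 6
 nameif inside-v6
 bridge-group 6
 security-level 100
interface BVI6
 ip address 10.0.6.10 255.255.255.0

! The box is still a firewall: permit all IP in both directions so it only
! bridges, and permit BPDUs so the switches can run spanning tree through it
! (needed for the single-unit spanning-tree HA option in the reply).
access-list ALLOW-IP extended permit ip any any
access-list ALLOW-L2 ethertype permit bpdu
access-group ALLOW-IP in interface outside-v5
access-group ALLOW-L2 in interface outside-v5
access-group ALLOW-IP in interface inside-v5
access-group ALLOW-L2 in interface inside-v5
access-group ALLOW-IP in interface outside-v6
access-group ALLOW-L2 in interface outside-v6
access-group ALLOW-IP in interface inside-v6
access-group ALLOW-L2 in interface inside-v6

! MPF: send every flow to the IPS module inline. fail-open keeps traffic
! flowing uninspected if the module is down; fail-close drops it instead.
class-map IPS-ALL
 match any
policy-map global_policy
 class IPS-ALL
  ips inline fail-open
service-policy global_policy global
```

Three things to check before copying this. The ASA does not bridge tagged frames through untagged interfaces, so every VLAN on the trunk needs its own pair of tagged subinterfaces in its own bridge group, and the number of bridge groups is capped per ASA version and platform; confirm the limit covers the VLAN count. `ips inline fail-open` lets traffic pass uninspected while the IPS module is down or reloading; `fail-close` drops it instead, which is the safer choice when the link carries traffic that must not go unscanned. And, as the reply notes, an ASA failover pair replicates the ASA configuration but not the IPS sensor's, so signatures, event actions and sensor policy have to be applied on both modules. The state-bypass alternative mentioned in the reply is `set connection advanced-options tcp-state-bypass` under a class in the policy map; leave it out unless the edge firewall already enforces TCP state.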

Thanks, Karsten. Your answer is exactly what I wanted to read. At the moment the client has two ISP links with a summary bandwidth of 150 Mb/s - in a single direction, obviously. So even if he decides to upgrade them to 300 Mb/s in the future (there is little chance), the ASA5525 still fits. State bypass will probably be disabled; before the IPS, on the Edge, there is a firewall.

The topology would look as follows; each PortChannel consists of two gigabit physical links:

|------------|                         |----------|
| Firewall 1 |--Po0/0--ASA-IPS--Po0/1--| Switch 1 |--- Network Edge
|------------|                         |----------|
                                           |  |
|------------|                         |----------|
| Firewall 2 |--Po0/0--ASA-IPS--Po0/1--| Switch 2 |--- Network Edge
|------------|                         |----------|

Each firewall has to be able to communicate with the other one on a particular VLAN. This configuration should work, shouldn't it?

Regards Piotr

Yes, that should be fine.

