Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
511
Views
0
Helpful
1
Replies

AutoUpdate Signature on Cisco ASA IPS software

Steven Williams
Level 4
Level 4

‎11-18-2014 09:24 AM - edited ‎03-10-2019 06:17 AM

I am trying to configure the software based classic IPS module on the ASA to auto update the signature file. Something I do not understand is how to allow this. The IPS interfaces essentially have an IP address that is shared with the mgmt. subnet/vlan. Because the mgmt. interface is management only, it doesn't allow me to create an ACL to allow this traffic outbound to the internet? Suggestions?

Labels:
0 Helpful
1 Reply 1

game123
Level 1
Level 1

‎11-19-2014 03:53 AM

The IPS will only update online via its Management IP address , since regular sensor interfaces have no IP address setting option!

 

You need to default route your traffic from IPS to go to internet cloud and set permission on firewalls or routers to reach the IP address of IPS online databank signature website.

 

You do not need to have static NAT and , simple dynamic NAT is enough since the inside IPS management IP need not to be exposed or mapped directly and can use random source ports to connect to IPS Global databank over the internet using authenticated and authorized username/password combo which will be fed to the IPS device within the network.

 

hope this helps.

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card