Hi Karsten

thanks for ur reply

can y provide me a sample viso diagram for this topology along with neseecary interfaces

thanks

jamil

There is no visio needed for that, the sensor is just physically inline:

ASA <---------------> Sensor <--------------> Core-Switch

inside-int        g0/0      g0/1          prev-int-to-ASA

On the Sensor, g0/0 and g0/1 build an inline-pair.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karstin

my freind, am new in the IPS World pls ur help

Pls can y draw for me a viso file with redaundant IPSs accoridng to ur last post and the input i gave

I do appreciate ur time

jamil

post a detailed diagram of your actual setup. Then let's see how to integrate the IPS. And which IPS-sensors did you buy?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karsten

attached diagram Pls help according my input

thanks

attached diagram Pls help according my input

That's exactly how you can integrate the sensor in your setup. So, what information do you need?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karsten

what about the High Avaliblity between IPSs?

how the config would be in these COREs related to IPSs and how the VLAN must be assigned?

pls a config

thanks

Jamil

what about the High Avaliblity between IPSs?

There is no HA *between* these IPS. IPS2 doesn't know the state of IPS1. You have two paths which gives you the HA. If the IPS behind the active ASA fails then that ASA fails over to the second path and your traffic continues. In such a setup you could disable the IPS-Normalizer so that ongoing sessions don't need to be reastablished.

how the config would be in these COREs related to IPSs and how the VLAN must be assigned?

No changes here. You can use the same settings for the IPS which you used to connect your ASA.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi karsten
I don't find any configuration for my scenario over the Internet to use it as a reference to my setup

do u have any documents related to my scenario?

thanks

jamil

The most relevant documents are the Install- and Configuration-Guide:

http://www.cisco.com/en/US/docs/security/ips/7.0/installation/guide/hwguide7.html

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idmguide7.html

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cliguide7.html

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/imeguide7.html

But keep in mind that IPS is one of the most complex security-controls that you can implement. You should ask your manager for a training on the system:

http://tools.cisco.com/GlobalLearningLocator/courseDetails.do?actionType=executeCourseDetail&courseID=5625

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi karsten
thanks a lot for ur time to reply to my post

i have IPS 4255 with version 6 , can u upgrade it to version 7 using the below code

IPS-K9-7.0-4-E4.pkg

thanks

jamil

Yes, but you should use v7.0-8 as the version 7.0-4 should not be used any more (support ended for the release).

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

thanks for ur reply

i have seted up these IPS on the Internet edge as with interface Pair,now what signature should i enable on this senser?

thanks