Cisco IPS | Physical Network Integration

Ibrahim Jamil
Level 6

Recently we bought 2 IPSs, and we have the topology below. We need to protect ourselves from the ravages of the Internet.

Active-ISP-ROUTER-1----------ACTIVE-ASA5520------------CORE-1

Standby-ISP-ROUTER-2 ----------Standby-ASA5520-----------CORE-2

How do I integrate these 2 IPSs into my network according to the above topology? How do I physically cable these IPSs into the current topology? Please note I need inline mode.

Thanks

jamil


The easiest way to integrate an IPS-Appliance is to cable it between the ASA and the switch and build an Inline-Interface-pair in the IPS.

Another possibility is to use an inline-vlan-pair. But there you have to reconfigure the VLANs between Core and ASA.

But why didn't you buy the AIP-SSM for the ASAs?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karsten

Thanks for your reply.

Can you provide me a sample Visio diagram for this topology along with the necessary interfaces?

thanks

jamil

There is no Visio needed for that, the sensor is just physically inline:

ASA <---------------> Sensor <--------------> Core-Switch

inside-int        g0/0      g0/1          prev-int-to-ASA

On the Sensor, g0/0 and g0/1 build an inline-pair.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
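
The inline pair described in the reply above, written out as sensor CLI. This is an added example, not part of the original thread and not taken from a running sensor. It assumes the Cisco IPS 6.x/7.x CLI, that g0/0 and g0/1 are GigabitEthernet0/0 and GigabitEthernet0/1, the default virtual sensor vs0, and a hypothetical pair name PAIR1.

```text
! Constructed example. PAIR1 is a hypothetical name for the inline pair.
configure terminal
 service interface
  ! Enable both sensing ports: g0/0 faces the ASA inside interface,
  ! g0/1 takes the cable that previously ran from the core switch to the ASA.
  physical-interfaces GigabitEthernet0/0
   admin-state enabled
   exit
  physical-interfaces GigabitEthernet0/1
   admin-state enabled
   exit
  ! Bridge the two ports as one inline interface pair.
  inline-interfaces PAIR1
   interface1 GigabitEthernet0/0
   interface2 GigabitEthernet0/1
   exit
  exit
 ! Confirm the "Apply Changes" prompt, then hand the pair to the virtual
 ! sensor so that traffic crossing it is actually inspected.
 service analysis-engine
  virtual-sensor vs0
   logical-interface PAIR1
   exit
  exit
```

The same configuration is applied on the second sensor, which sits between the standby ASA and CORE-2.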

Hi Karsten

My friend, I am new in the IPS world, please help.

Please can you draw for me a Visio file with redundant IPSs according to your last post and the input I gave?

I do appreciate your time.

jamil

Post a detailed diagram of your actual setup. Then let's see how to integrate the IPS. And which IPS sensors did you buy?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karsten

Attached diagram. Please help according to my input.

Thanks

Attached diagram. Please help according to my input.

That's exactly how you can integrate the sensor in your setup. So, what information do you need?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karsten

What about High Availability between the IPSs?

How would the config be on these COREs in relation to the IPSs, and how must the VLANs be assigned?

Please provide a config.

thanks

Jamil

What about High Availability between the IPSs?

There is no HA *between* these IPSs. IPS2 doesn't know the state of IPS1. You have two paths, which give you the HA. If the IPS behind the active ASA fails, then that ASA fails over to the second path and your traffic continues. In such a setup you could disable the IPS Normalizer so that ongoing sessions don't need to be re-established.

How would the config be on these COREs in relation to the IPSs, and how must the VLANs be assigned?

No changes here. You can use the same settings for the IPS which you used to connect your ASA.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karsten

I don't find any configuration for my scenario on the Internet to use as a reference for my setup.

Do you have any documents related to my scenario?

thanks

jamil

Hi Karsten

Thanks a lot for your time to reply to my post.

I have an IPS 4255 with version 6, can you upgrade it to version 7 using the below code?

IPS-K9-7.0-4-E4.pkg

thanks

jamil

Yes, but you should use v7.0-8 as the version 7.0-4 should not be used any more (support ended for the release).

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks for your reply.

I have set up these IPSs on the Internet edge with an interface pair. Now what signatures should I enable on this sensor?

thanks
