10-25-2010 02:42 AM - edited 03-10-2019 05:09 AM
Hi,
We have Cisco ASA and IDSM, need help on integrating the same; please write to me so that I will share the architecture details.
Thanks & Regards,
Raj
10-28-2010 09:29 AM
Hi Raj,
Could you be a bit more precise on what you would like to achieve?
The only advice that I would give you for now is to put the Firewall before the IPS on the path from the Internet to your Inside Network(s).
It is better that way since we won't need to use CPU-intensive inspection on traffic that will be dropped anyway by the firewall afterwards.
Apart from that, there is not much more that I can say so I'll be waiting for more info on what you would like to achieve and we'll see what we could do.
Regards,
Nicolas
10-29-2010 01:34 AM
Hi Nicolas,
Thanks for the response;
We have ASA and IDSM2 on 6500;
Below is the config used to route the traffic to the IDSM from the ASA.
In ASA:
! Match all traffic for IPS inspection
access-list ips extended permit ip any any
! Class-map name must match the class referenced in the policy-map
! (the posted config had "Client_BIPS" here and "Client_IPS" below)
class-map Client_IPS
 match access-list ips
policy-map Client_ipspolicy
 class Client_IPS
  ! Copy matched traffic to the IPS module; keep passing traffic if the module fails
  ips promiscuous fail-open
service-policy Client_ipspolicy interface outside
service-policy Client_ipspolicy interface DMZ-1
service-policy Client_ipspolicy interface DMZ-2
In IDSM:
service event-action-rules rules0
overrides deny-packet-inline
override-item-status Disabled
risk-rating-range 0-0
exit
overrides deny-connection-inline
override-item-status Disabled
risk-rating-range 0-0
exit
general
global-overrides-status Disabled
exit
Please let me know whether this is ok.
Thanks & Regards,
Raj
10-29-2010 02:55 AM
Hi Raj,
Unfortunately, it is not.
We can't automatically send the traffic from the ASA to the IDSM.
The commands you have on your ASA would send the traffic to the IPS module (AIP-SSM) sitting inside the firewall itself if there was any.
There is no integration between the ASA and the IDSM for traffic redirection so you'll need to configure the two devices separately.
Regards,
Nicolas
10-29-2010 03:46 AM
10-29-2010 03:58 AM
Hi Raj,
If I got your diagram correctly, you would like to send all the traffic from the Outside switch to one port of the IDSM through a SPAN and all of the traffic of your DMZ interfaces through another one.
Is this correct?
If so, can you tell me why you want to inspect the traffic before it goes through the firewall? As I told you in my original reply, we usually advise to put the IPS after the firewall.
Not to mention that in your case, I guess some traffic will be inspected twice so you'll have to assign a different virtual sensor to each IDSM internal interface to make sure the same instance doesn't see the traffic multiple times.
Regards,
Nicolas
10-29-2010 04:56 AM
10-29-2010 05:47 AM
Hi Raj,
Your diagram is still showing SPAN sessions, while if you configure your IDSM in inline mode it will simply act as an L2 bridge between two VLANs, so your diagram is not relevant for an inline setup.
Regards,
Nicolas
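The inline VLAN-pair setup Nicolas describes (the IDSM-2 bridging two VLANs, with a separate virtual sensor per data port so nothing is inspected twice), written out as a configuration example. This is an added example, not config from the original thread: the slot number (5), the management VLAN (200), the VLAN pairs 100/101 for DMZ-1 and 110/111 for DMZ-2, and the virtual-sensor names vs0/vs1 are all assumptions. Lines starting with `!` are explanatory comments; they are valid in the Catalyst IOS section but are not commands to type into the sensor CLI.

```cisco
! ---- Catalyst 6500 supervisor (IOS) ----
! Command-and-control port of the IDSM-2 in slot 5 lives in VLAN 200
intrusion-detection module 5 management-port access-vlan 200
! Hand each VLAN pair to a data port as an 802.1Q trunk; the sensor bridges
! frames between the two VLANs of each pair. No SPAN session is needed.
! Data port 1 = GigabitEthernet0/7, data port 2 = GigabitEthernet0/8 on the sensor.
intrusion-detection module 5 data-port 1 trunk allowed-vlan 100,101
intrusion-detection module 5 data-port 2 trunk allowed-vlan 110,111

! ---- IDSM-2 sensor CLI (configure terminal) ----
service interface
 physical-interfaces GigabitEthernet0/7
  admin-state enabled
  subinterface-type inline-vlan-pair
   subinterface 1
    description DMZ-1 bridge: ASA DMZ-1 side (100) <-> DMZ-1 hosts (101)
    vlan1 100
    vlan2 101
    exit
   exit
  exit
 physical-interfaces GigabitEthernet0/8
  admin-state enabled
  subinterface-type inline-vlan-pair
   subinterface 1
    description DMZ-2 bridge: ASA DMZ-2 side (110) <-> DMZ-2 hosts (111)
    vlan1 110
    vlan2 111
    exit
   exit
  exit
 exit
! One virtual sensor per data port, so each flow is analysed by exactly one instance
service analysis-engine
 virtual-sensor vs0
  description DMZ-1 traffic
  physical-interface GigabitEthernet0/7 subinterface-number 1
  exit
 virtual-sensor vs1
  description DMZ-2 traffic
  physical-interface GigabitEthernet0/8 subinterface-number 1
  exit
 exit
```

For this to inspect anything, the ASA's DMZ-1 interface (or its switch port) must sit in VLAN 100 and the DMZ-1 hosts in VLAN 101, so that the only path between them is through the sensor; the same applies to 110/111 for DMZ-2. This keeps inspection after the firewall, as advised earlier in the thread, and leaves the outside link uninspected. Two caveats worth checking before going live: with the `deny-packet-inline` and `deny-connection-inline` overrides disabled in `rules0` (as in the event-action-rules posted above), the sensor bridges everything and only alerts, so inline mode buys nothing until those actions are enabled; and the IDSM-2 has no hardware bypass, so if the module itself is powered down or reset the bridge disappears and VLAN 101/111 hosts lose connectivity (the sensor's software `bypass-mode` only covers analysis-engine failures, not a down module).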
10-29-2010 05:50 AM
Thanks Nicolas