Configure to Integrate Cisco ASA and IDSM

rdilliraj
Level 1

Hi,

We have Cisco ASA and IDSM, need help on integrating the same; please write to me so that I will share the architecture details.

Thanks & Regards,

Raj

8 Replies

Nicolas Fournier
Cisco Employee

Hi Raj,

Could you be a bit more precise on what you would like to achieve?

The only advice that I would give you for now is to put the Firewall before the IPS on the path from the Internet to your Inside Network(s).

It is better that way since we won't need to use CPU intensive inspection on traffic that will be dropped anyway by the firewall afterwards.

Apart from that, there is not much more that I can say so I'll be waiting for more info on what you would like to achieve and we'll see what we could do.

Regards,

Nicolas

Hi Nicolas,

Thanks for the response;

We have an ASA and an IDSM-2 in a 6500.

Below is the config used to route the traffic to the IDSM from the ASA.

In ASA

access-list ips extended permit ip any any
!
! the class name referenced in the policy-map must match this class-map
class-map Client_IPS
 match access-list ips
policy-map Client_ipspolicy
 class Client_IPS
  ips promiscuous fail-open
!
service-policy Client_ipspolicy interface outside
service-policy Client_ipspolicy interface DMZ-1
service-policy Client_ipspolicy interface DMZ-2

In IDSM:

service event-action-rules rules0
  overrides deny-packet-inline
    override-item-status Disabled
    risk-rating-range 0-0
    exit
  overrides deny-connection-inline
    override-item-status Disabled
    risk-rating-range 0-0
    exit
  general
    global-overrides-status Disabled
    exit

Please let me know whether this is ok.

Thanks & Regards,

Raj

Hi Raj,

Unfortunately, it is not.

We can't automatically send the traffic from the ASA to the IDSM.

The commands you have on your ASA would send the traffic to the IPS module (AIP-SSM) sitting inside the firewall itself if there was any.

There is no integration between the ASA and the IDSM for traffic redirection so you'll need to configure the two devices separately.

Regards,

Nicolas

Please refer attached proposed architecture;

Assuming we are configuring it in promiscuous mode, the attached architecture is fine.

Regards,

Raj

Hi Raj,

If I got your diagram correctly, you would like to send all the traffic from the Outside switch to one port of the IDSM through a SPAN and all of the traffic of your DMZ interfaces through another one.

Is this correct?

If so, can you tell me why you want to inspect the traffic before it goes through the firewall? As I told you in my original reply, we usually advise to put the IPS after the firewall.

Not to mention that in your case, I guess some traffic will be inspected twice, so you'll have to assign a different virtual sensor to each IDSM internal interface to make sure the same instance doesn't see the traffic multiple times.

Regards,

Nicolas

Yeah you are right, thanks.

Please refer to the attached architecture; if I configure it in inline mode, will it work?

Regards,

Raj

Hi Raj,

Your diagram is still showing SPAN sessions, while if you configure your IDSM in inline mode it will simply act as an L2 bridge between two VLANs, so your diagram is not relevant for an inline setup.

Regards,

Nicolas
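An added configuration example (not from this thread and not Raj's or Nicolas's config) that puts the two points above into CLI form: design A is the inline VLAN-pair setup Nicolas describes, where the IDSM bridges two VLANs behind the ASA, and design B is the SPAN/promiscuous design from the diagram with one virtual sensor per feed so the overlapping traffic is not inspected twice by the same instance. The slot number (5), VLAN numbers (100, 201, 202, 301, 302) and the virtual-sensor names vs0/vs1 are assumptions; the command syntax is the Catalyst 6500 IOS and IDSM-2 (IPS 6.x/7.x) CLI as I remember it, so check it against the release you run. Lines starting with "!" are comments.

```cisco
! Added example (not from the thread). Assumed: IDSM-2 in slot 5 of the
! Catalyst 6500; ASA inside interface in VLAN 201; inside hosts in VLAN 202;
! outside segment in VLAN 100; DMZ segments in VLANs 301 and 302.
!
! === Design A: inline VLAN pair, IPS behind the firewall ===
!
! Catalyst 6500 (IOS): trunk both VLANs to IDSM data port 1. The IDSM then
! bridges 201 <-> 202 at Layer 2, so it only sees traffic the ASA has
! already allowed (firewall first, IPS second, as recommended above).
intrusion-detection module 5 data-port 1 trunk allowed-vlan 201,202
!
! IDSM-2 (IPS CLI): pair the VLANs on GigabitEthernet0/7 (= data port 1)
! and hand the pair to virtual sensor vs0.
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/7
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# vlan1 201
sensor(config-int-phy-inl-sub)# vlan2 202
sensor(config-int-phy-inl-sub)# description ASA-inside to inside-hosts
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes?[yes]: yes
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/7 subinterface-number 1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]: yes
!
! === Design B: promiscuous (SPAN), as in the original diagram ===
!
! Catalyst 6500 (IOS): one SPAN session per traffic set, each to its own
! IDSM data port. Keeping the feeds on separate ports is what allows each
! feed to be bound to its own virtual sensor below.
monitor session 1 source vlan 100 both
monitor session 1 destination intrusion-detection-module 5 data-port 1
monitor session 2 source vlan 301 both
monitor session 2 source vlan 302 both
monitor session 2 destination intrusion-detection-module 5 data-port 2
!
! IDSM-2 (IPS CLI): outside feed to vs0, DMZ feed to vs1. A flow such as
! outside -> DMZ appears in both SPAN copies; with two virtual sensors each
! copy is tracked by a separate engine instance instead of one instance
! seeing the same packets twice.
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/7
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# physical-interfaces GigabitEthernet0/8
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes?[yes]: yes
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/7
sensor(config-ana-vir)# exit
sensor(config-ana)# virtual-sensor vs1
sensor(config-ana-vir)# physical-interface GigabitEthernet0/8
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]: yes
```

Two caveats worth checking before relying on either design. In design A the ASA MPF lines shown earlier in the thread play no part: as Nicolas says, `ips ...` under a policy-map only steers traffic to an AIP-SSM inside the ASA, so the 6500 trunk and the IDSM VLAN pair are the whole integration. And with the `deny-packet-inline` and `deny-connection-inline` overrides left disabled as in the IDSM snippet above, the inline pair forwards but blocks only on signatures that carry a deny action themselves; re-enable the overrides (or set per-signature deny actions) once the pair is bridging cleanly. On the 6500, `show monitor session 1` and `show monitor session 2` confirm the SPAN destinations in design B.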

Thanks Nicolas
