Existing ASA5512-X upgrade to IPS

dneumann

Hello all,

I have an ASA5512-X that I purchased a year ago and this month I purchased the IPS license.

I have two questions:

1.  Do I need to re-image the entire ASA (after performing a backup) or can I just TFTP the IPS software to the box and proceed to install and configure it?

2.  Does the IPS actually require an SSD?  I've seen conflicting reports on this.

Thanks in advance for any help,

-Don

1) No, just install the IPS software onto the SSD. But you need to have a minimum ASA-version depending on the IPS software you are using.

2) Yes, the SSD is needed to install the sw-module. There is a built-in IPS in the ASA that doesn't need the SSD, but that is completely outdated and limited.

Depending on which IPS you bought, here are the Quick-Start-Guides:

  • FirePOWER IPS
  • Legacy IPS (EOS/EOL already announced). If you have that, I think that this software can run from the built-in flash without an SSD.

Thank you for replying Karsten.  One follow-up question:

On 10/8/2014 I purchased the following IPS part#  L-ASA5512-IP1Y=  

Can you tell from that part# which type of IPS that I have?

 

 

The part number you have is actually the IPS on the CX module - a step in between the legacy IPS and the new (and highly recommended) FirePOWER-based IPS. 

Thank you for replying Marvin.  The situation is starting to become more clear to me but still confusing, given the state of flux of this product.

I have a few follow up questions:

1.  Does this type of IPS make a difference to the installation process or can I just TFTP the IPS software to the ASA and install/configure it?  Or, do I need to backup and completely reload the ASA operating system?

2.  Can you point me to the correct documentation for this type of IPS?

3.  Is there a minimum revision of the ASA operating system that is required to run this IPS?

Thanks for everyone's help to date.

 

-Don

 

It depends. :)

If your ASA was purchased with the SSD you should already have the CX module installed and can set up on-box (single device) PRSM (Prime Security Manager). PRSM is the GUI for configuring the services on the CX module and is included at no charge on-box or is available as a separately licensed product to run off-box and manage multiple devices.

Documentation, including a Quick Start Guide, is available on the product support page.

As noted in the release notes on the product support page, the ASA requires 9.1(5) or later.

Please take a moment to rate helpful responses.

Marvin, thank you for those links, especially the CX quick start guide.  It explained a lot.

However, after reading those documents something became unclear.  On pg. 9 of the quick start guide, step 5 references un-installing the IPS module if you want to install the CX module.  This seems to suggest that the IPS does not run under the CX but rather they are two separate modules, only one of which can run at any one time (i.e. mutually exclusive).  I recall attending a Cisco webinar where Cisco stated that this was the case.

Can you speak to this and perhaps clarify your previous reply?

When the quick-start guide talks about the IPS-module, they mean the legacy IPS-module, which only provided IPS. You bought a license that is part of a NGFW-module. The CX in the beginning didn't have any IPS capabilities; that was added later as a new component. So in fact you now have a NGFW-module that can provide Web-security (WSE), Application Visibility and Control (AVC) and also IPS. But you only licensed the IPS part of the NGFW.

What you have to do is:

  1. Uninstall IPS if installed.
  2. Install CX on the SSD. CX only runs on the SSD; it can't work without it.
  3. In CX, apply the IPS license to the system.

Here is more info on the different licenses in CX:

http://www.cisco.com/c/en/us/td/docs/security/asacx/9-3/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_3/prsm-ug-licenses.html

Exactly so.

Many thanks, Karsten!

Karsten,  thank you for the clarification.  This really helps.

Marvin, thank you also for your answers.

I think I have a good handle on what needs to be done.

-Don

 

 

 

And when your license expires in one year, think about migrating to FirePOWER, the "new" IPS from Cisco.
