Hi Shaikh,

I have attached the diagram, basically what to be achieved is VLAN 1644 need to pass through IDSM before going out to INTERNET.

IDSM is installed in the Cluster switch before PCN cloud (INTERNET)

1. The VLAN 1644 (server vlan) behind FWSM context 1.

2. The cloud refers as transit vlan's are routing based on OSPF.

There are no internet proxy servers as of now.

I have tried the INLINE configuration is IDSM, and try to deny PING traffic, but it just seems not working. Looks like it bypasses the IDSM.

Any idea appreciated.

Thank you

Hi,

The IDSM is a Layer two bridge. It will install in vlan 1644 like....

vlan 1644 hosts ----->(dataport0/7) IDSM -----> (dataport0/8)vlan 1645 ------>FWSM---->other vlans

the host will be in access port of vlan 1644, while its gateway interface will be configured with the same subnet ip address on other new vlan 1645....

example:

vlan 1645

exit

int vlan 1645

ip add 10.17.168.1 255.255.255.0

exit

!

intrusion-detection module 1 data-port 1 access-vlan 1644
intrusion-detection module 1 data-port 2 access-vlan 1645

thanks,

Aman

Hi Aman,

Is that means the vlan 1645 L3 interface need to be created in the FWSM or the switch where IDSM resides?

How would the configuration be for FWSM in vlan 1644 if vlan 1645 L3 interface is created in switch where IDSM is residing?

Thanks in advance.

Hi,

yes this vlan 1645 interface will be create in FWSM.

config;

telnet/ssh to FWSM;

int vlan 1645

nameif zone-name

security-level xx

ip address (vlan 1644 gateway ip)

exit

Hi,

Can the vlan connecting to INTERNET be bridged instead of the user vlan, so whatever traffic destined to internet will be inspected by IDSM.

The vlan interface to INTERNET are running OSPF.