IPS 5585-X module integration with tranperant firewall module AS

amitmarathe · ‎12-29-2013

Hi Experts,

I am configuring new IPS 5585-x module along with ASA 5585-X module. In the IPS module only one logical interface is showing as per the standard architecture and all the physical interface are showing in the ASA module as 1/X interface(module number/ port). I have created one VS0 and VS1 sensor also created rule 1 and rule 2 for the same. on the firewall module, mode configured in transperant and context is created and allocate one physical interface to that of the context.

Configuration done on sys context as follows

admin-context admin
context admin
allocate-interface Management0/0
config-url disk0:/admin.cfg
!

context FWNSCNXT01
allocate-interface TenGigabitEthernet1/8
allocate-ips vs0 default
config-url disk0:/FWCNXT01.cfg
!

context FWNSCNXT02
allocate-interface TenGigabitEthernet1/9
allocate-ips VS1 default
config-url disk0:/FWNSCNXT02.cfg

configuration in context FWCNXT01:

mtu inside 9216

ip address 172.20.7.251 255.255.255.0

access-list IPS extended permit ip any any log errors

access-group IPS in interface inside

access-group IPS out interface inside

route inside 0.0.0.0 0.0.0.0 172.20.7.254 1

class-map ips_class

match any

policy-map ips_policy

class ips_class

ips promiscuous fail-open sensor vs0

service-policy global_policy global

service-policy ips_policy interface inside

Lastly configuration on IPS:

service analysis-engine

virtual-sensor VS1

signature-definition sig1

anomaly-detection

operational-mode learn

exit

virtual-sensor vs0

anomaly-detection

operational-mode detect

exit

physical-interface PortChannel0/0

exit

service web-server

enable-tls true

port 443

service signature-definition sig1

signatures 2000 0

engine atomic-ip

event-action produce-alert

exit

signatures 2152 0

sig-description

sig-name ICMP Flood

exit

alert-frequency

summary-mode summarize

summary-interval 1

specify-global-summary-threshold yes

global-summary-threshold 1

exit

victim-address-range 172.8.0.2 (proxy ip)

victim-port-range 3128

on the switch end port tengig 1/8 is connected on nexus and specific vlans are monotored on that interface. But as of now i am not able to see any traffic on that interface. I dont know what wrong i am doing as this is the firstime on this IPS module. there is no ports connected on the firewall. only port connected is tengig 1/8 which is on the ips module which is in promisucs mode.

Required expert advoice to reslove as not proper documetation i have seen for this scenerio.

Please help in this regards

Amit M

Julio Carvajal · ‎01-03-2014

Hello Amit,

Can you share :

show ips detail

show module 1 details

show service-policy

Now, can you explain a little about this:

on the switch end port tengig 1/8 is connected on nexus and specific vlans are monotored on that interface. But as of now i am not able to see any traffic on that interface. I dont know what wrong i am doing as this is the firstime on this IPS module. there is no ports connected on the firewall. only port connected is tengig 1/8 which is on the ips module which is in promisucs mode.

I mean the firewall is the one that will redirect the traffic to the IPS sensor so not sure I follow you!

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

IPS 5585-X module integration with tranperant firewall module ASA 5585-X 10