I've got a bit of an interesting dilemma that I'm hoping that someone could help with. I have two distinct networks: A "regular" network, along with a "secure" network. I've not been involved in the setup/configuration, but I've been handed some work to do now that has me puzzled.
The two networks are separated by a pair of ASA devices with IPS modules installed. User access to the secure side works by using the Cisco VPN client, terminating on the ASAs, and once connected, applications are delivered via Citrix. Management of the ASAs involves connecting via a management VPN to the "external" ASA interface, connecting to a management server via Citrix and, from there, managing via MARS, ASDM & IME.
My issue is that I have been asked to configure auto-updates for the IPS modules. However, there is no internet access from the secure network. Servers on the secure side can request files, etc., from the regular side, but no direct access can be initiated from the regular side back to the secure network. There are no ASA devices that are contactable/manageable from the regular side.
I've read that it's possible to somehow download updates from cisco.com via FTP or similar, but I fail to see how I can automate the process. What I originally thought to do was to install another copy of IME on the regular network, set up a dummy device and from there configure auto-updates, but unfortunately the IPS needs to be contactable for that to work.
Can anybody think of a solution that could make this work for me?
You can configure a local server (FTP or HTTP server) to download the signature update from cisco.com, and the IPS sensor can then auto-update from your local server.
Here is more information on that for your reference:
Thanks for that, but the instructions in that document appear to be related to updating a sensor from an FTP server where the updates have already been copied to it.
I have searched and searched, but I'm unable to locate the relevant location to download the signatures directly via FTP/SCP. I have attempted to locate them on ftp.cisco.com, but with no luck.
Yes, that is correct. You would still need to download the signature to your local server; you can configure your local server to check the cisco.com site with a script. There is no way to FTP directly from cisco.com for the signature update.