05-10-2010 02:22 AM - edited 03-10-2019 04:59 AM
Hi Guys
I have an IPS 4215 with the 6.0 image, 4 sensing interfaces along with the C&C. I'm a little bit confused about the sensing interfaces across the network; what I am thinking is as follows:
IPS will function in inline mode
1) Two sensing interfaces bridged together on the inside
2) Two sensing interfaces bridged together on the outside, because I have a web server on the DMZ that needs to be accessed from outside
But the inline rule says: traffic from one interface to another interface needs to be checked, so how is that with traffic leaving my network to the internet? It needs to be checked either way, which is useless in this case because I just need inspection of traffic coming from outside toward my web server and inspection on the inside interfaces?
Any help here in order to determine the ideal deployment for the sensors.
Thanks a lot
05-10-2010 02:35 AM
You can configure a VLAN pair for each of the network segments that you would like to have inspected by the IPS.
Example:
1st sensing interface: configure it as a dot1q trunk port:
- E.g.: if your inside interface is in VLAN 50, you can map it (bridge it) through the IPS to another VLAN (e.g. VLAN 150).
- So on the IPS --> VLAN 50 pairs with VLAN 150
- All inside hosts are assigned to VLAN 50, and their default gateway is assigned to VLAN 150, hence the traffic will pass through the IPS in bridge/transparent mode.
Then you can configure the same for DMZ and outside subnet.
Hope that helps.
05-10-2010 05:43 AM
Could you please prepare a drawing for your suggestions in order to use as a sample?
Thanks
05-11-2010 03:11 AM
05-11-2010 04:50 AM
Thanks friend
1) So I need 3 sensing interfaces acting as trunks: 1 for inside, 1 for outside and 1 for DMZ
2) Why do I have 2 different VLANs and the same IP subnet? What is the reason for that? How does the inspection work?
Thanks
05-23-2010 07:27 AM
Mate, so if I have a route from the ASA toward the internet router, so now a route is in place, then I need an interface pair, not a VLAN pair, because I have a route. Is that true?
05-23-2010 06:01 PM
Interface pair means you have to use a pair of the IPS interfaces, i.e. one connects to the ASA and the other connects to the router, basically to ensure that traffic that needs to be inspected passes through the IPS.
You are not limited to using an interface pair; you can also use a VLAN pair in your ASA to Internet router scenario. Basically the ASA VLAN and the router VLAN need to be different, with the ASA and router in the same subnet, to force traffic through the IPS.
Example:
ASA outside IP is 200.1.1.1 -- vlan 10
Router interface IP is 200.1.1.2 -- vlan 110
IPS - pairing vlan 10 to vlan 110
05-23-2010 05:18 PM
1) Correct, but again, it depends on how you physically and logically connect the IPS in your network.
2) For the VLAN pair scenario, you would need to have 2 VLANs bridging the traffic, just like a transparent firewall for example, so the traffic is forced to go through the IPS. If you only have 1 VLAN, traffic will go directly to its default gateway, hence it will not pass through the IPS appliance.
Hope that answers your questions.
05-24-2010 07:29 AM
Hello friend
Why 2 different VLANs while one single subnet? How does the logic go?
Do you have different IPS deployments including connectivity?
Thanks
05-25-2010 06:14 AM
Can't really find a sample config on IPS; however, here is a sample config on the concept of transparent firewall, which is exactly what the IPS is:
Interface pair (on ASA firewall): http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml
VLAN pair (FWSM): http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/exampl_f.html#wp1029042
For the VLAN pair example, just check the diagram: basically 1 subnet, with VLAN pairing to force the traffic to go through the firewall/IPS. Since all hosts are on 1 layer 3 subnet, they will ARP for the IP address, and if the default gateway is on the other side of the IPS/firewall, the traffic is forced to traverse the appliance to get to its default gateway, hence forcing the traffic to be inspected by the IPS. Otherwise, there is no other way to force traffic to pass through the IPS, as the IPS is a layer 2 device (the sensing interface is L2), not a routed device.
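Added example, not from the thread or from Cisco's documentation: the inside VLAN-pair setup described above (hosts in VLAN 50, gateway in VLAN 150, one subnet) written out as switch-side and IPS 6.0 CLI configuration. The switch port names, the sensor interface FastEthernet0/1 and the 10.50.0.0/24 addressing are assumptions chosen for illustration.

```cisco
! --- Catalyst switch side (assumed interface names and addressing) ---
! Hosts sit in VLAN 50; the gateway SVI for the SAME subnet sits in VLAN 150.
! Nothing on the switch bridges 50 and 150, so the only L2 path between a
! host and its gateway is through the IPS inline VLAN pair.
vlan 50
 name inside-hosts
vlan 150
 name inside-gateway
!
interface Vlan150
 description default gateway for the inside subnet
 ip address 10.50.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 description dot1q trunk to IPS sensing interface
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 50,150
!
interface range GigabitEthernet0/2 - 24
 description inside hosts
 switchport mode access
 switchport access vlan 50

! --- IPS 6.0 sensor side: pair VLAN 50 with VLAN 150 on one sensing port ---
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces FastEthernet0/1
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# description inside-vlan50-to-vlan150
sensor(config-int-phy-inl-sub)# vlan1 50
sensor(config-int-phy-inl-sub)# vlan2 150
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes?[yes]:

! The pair is only inspected once it is assigned to a virtual sensor.
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface FastEthernet0/1 subinterface-number 1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]:
```

The ASA-to-router segment from the later post is the same pattern with a second subinterface (vlan1 10 / vlan2 110); if the IPS port is down and the sensor is not set to bypass, hosts in VLAN 50 lose their gateway, which is the expected fail-closed behaviour of this design.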