11-20-2006 10:01 AM - edited 03-10-2019 03:19 AM
Dear Pros,
Project explanation:
A pair of PIX firewalls is configured as failover. The outside of the PIX pair is connected to the internet gateway router 3825. The inside of the PIX pair is connected to the core switch ports configured with the vlan. The configuration is as below:
Outside : 192.168.102.0
Active pix out: 192.168.102.2
Sec.Pix out : 192.168.102.3
3825 Gieth : 192.168.102.1
Inside PIX : 192.168.101.0
Active pix in : 192.168.101.2
Sec.PIX IN : 192.168.101.3
Core SVI in : 192.168.101.1 (Gway for the vlan)
Now I decided to connect the IPS 4240 in inline IPS mode by connecting the IPS's outside to the PIX inside segment and the IPS
inside to the core switch 4510R vlan interface that was previously connected to the PIX inside segment.
I have 5 vlans inside the core 4510R created with 172.16.16.0/24,172.16.17.0/24,172.16.18.0/24....
I already configured the IPS 4240 with 2 interface pairs and assigned them to the sensing engines. I need to know
the other steps to configure to allow the traffic inline through the IPS. Also I want to know the blocking concept, and here
do we need to configure the blocking for the 5 inside networks?
Please give me the solution details.
Thanks
swamy
11-21-2006 10:40 PM
Based on your scenario, please have a look at the logical and physical connectivity of your devices.
This is due to the device limitations, especially the switch, where you only have 1 x Cat4510R available. Therefore, you need to host all connections on this switch to cater for IPS - Firewall connectivity.
This design is to allow you to filter traffic from Internet coming into your Internal network and vice-versa.
Basically, you need to have 2 x Layer 2 Vlans on your Cat4510R switch, for example:
- Vlan 102 - host router interface, IPS and PIX Outside interfaces
- VLan 11 - host PIX inside interfaces and IPS
Maintain the existing Vlan with interface IP of 192.168.102.1, which was shared with PIX Inside interfaces IPs as well.
I have implemented similar setup, and it works fine.
As for your blocking concept, you need to use ACLs to permit/deny hosts/ports, and apply them to the relevant Vlan interfaces.
Hope this works. Pls rate all useful post(s).
AK
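As an added illustration of the two-VLAN design above (this is example configuration written for this thread, not the posters' own configs), the following shows one inline pair of the IPS 4240 placed between the PIX inside interfaces and the existing core SVI, on the single Cat4510R. Assumptions: VLAN 11 is the new Layer 2 only VLAN for the PIX inside interfaces, VLAN 101 is the number of the existing VLAN that keeps the 192.168.101.1 SVI, the switch port numbers (GigabitEthernet3/1 to 3/4) and the sensor port pair (GigabitEthernet0/0 and 0/1) are hypothetical, and the IPS commands are IPS 5.x CLI syntax. Lines starting with `!` are annotations.

```cisco
! ===== Cat4510R (IOS) - added example, hypothetical port numbers =====
! VLAN 11 is Layer 2 only (no SVI): both PIX inside interfaces and the
! PIX-facing sensor port live here, so the failover pair still shares one
! segment and the standby can take over the 192.168.101.2 address.
vlan 11
 name PIX-INSIDE-SEGMENT
!
! VLAN 101 (assumed number) keeps the existing inside SVI. Its only access
! port is the core-facing sensor port, so every packet between the inside
! networks (172.16.16.0/24 ...) and the PIX pair must cross the sensor.
vlan 101
 name CORE-TO-IPS
!
interface Vlan101
 ip address 192.168.101.1 255.255.255.0
!
interface GigabitEthernet3/1
 description Active PIX inside (192.168.101.2)
 switchport mode access
 switchport access vlan 11
 spanning-tree portfast
!
interface GigabitEthernet3/2
 description Standby PIX inside (192.168.101.3)
 switchport mode access
 switchport access vlan 11
 spanning-tree portfast
!
interface GigabitEthernet3/3
 description IPS 4240 GigabitEthernet0/0 (PIX side of the inline pair)
 switchport mode access
 switchport access vlan 11
 spanning-tree portfast
 ! The sensor bridges VLAN 11 and VLAN 101 transparently, so this switch's
 ! own BPDUs would otherwise re-enter it through the sensor and could put
 ! one of the pair ports into blocking. Filtering BPDUs here is a design
 ! choice that assumes no other switch sits behind these two ports.
 spanning-tree bpdufilter enable
!
interface GigabitEthernet3/4
 description IPS 4240 GigabitEthernet0/1 (core side of the inline pair)
 switchport mode access
 switchport access vlan 101
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
! ===== IPS 4240 CLI (IPS 5.x syntax) - added example =====
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/0
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# physical-interfaces GigabitEthernet0/1
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# inline-interfaces inside-pair
sensor(config-int-inl)# interface1 GigabitEthernet0/0
sensor(config-int-inl)# interface2 GigabitEthernet0/1
sensor(config-int-inl)# exit
! bypass-mode auto (the default) fails open: if the analysis engine stops,
! traffic keeps flowing uninspected instead of taking the inside network down.
sensor(config-int)# bypass-mode auto
sensor(config-int)# exit
Apply Changes:?[yes]: yes
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# logical-interface inside-pair
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
! Verify: both sensing ports up, and inside-network packets visible on the pair.
sensor# show interfaces
sensor# packet display GigabitEthernet0/0
```

On the blocking question: once the pair is inline, the sensor can drop offending traffic itself through the inline deny event actions (deny-packet-inline, deny-connection-inline, deny-attacker-inline) on the signatures, which covers all five inside networks without any per-network configuration. "Blocking" in Cisco IPS terminology is a separate feature (configured under `service network-access`) in which the sensor pushes ACLs or shuns onto a managed router or PIX, and the static switch ACLs AK mentions are a third, independent control; decide which of the three you rely on and monitor the sensor's alerts (`show events alert`) so that inline drops are visible to operations.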
11-21-2006 10:50 PM