transparent mode with AIP-SSM-20

smperry
Level 1

I currently have an ASA5510 in routed mode with an AIP-SSM-20.

There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE.  This part should present no issue.

However, this will remove the IPS device, and I still want to use IPS.

So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure the ASA for transparent mode and put it in between the inside of the routed ASA and my LAN.  The transparent ASA would be functioning strictly as an IPS appliance.

Setup would look something like this:

Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN

Can the AIP-SSM still perform IPS with the ASA in transparent mode?

Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?

I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.

Regards.

Marcin Latosiewicz
Cisco Employee

AFAIR, there is no problem setting up AIP in a transparent firewall.

"An ASA in transparent mode can run an AIP. In the event the AIP fails, the IPS will fail-open and the ASA will continue to pass traffic. However, if an interface or cable fails, then traffic will stop. You would need a failover pair to account for this failure event, which means another ASA and matching AIP."

And no, there is no problem excluding certain hosts/ports/subnets from IPS inspection via MPF.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744

What I would consider, however, is whether ASA 5510s as a second-tier firewall for 5520s will be enough.

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

HTH,

Marcin

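The MPF exclusion Marcin points to, written out as an added example for ASA 8.2 (this is not configuration from the original thread or from Cisco's documentation). The file-server addresses 10.0.0.10 and 10.0.0.11 and the names IPS_TRAFFIC and IPS_CLASS are assumptions; in a class-map that uses "match access-list", permit entries put a flow into the class and deny entries leave it out, so the denied file-server flows are never handed to the AIP-SSM. "fail-open" is the module-failure behaviour described in the quoted text.

```cisco
! Added example, not from the original thread. ASA 8.2 syntax, single context.
! Run the second ASA5510 (the one holding the AIP-SSM) as a transparent firewall.
! Note: a transparent ASA still needs one management IP on the LAN subnet
! (the "ip address" command); it is omitted here.
firewall transparent
!
! Traffic selector for the IPS class.
! In a class-map "match access-list", permit ACEs place a flow IN the class
! and deny ACEs keep it OUT. The two file servers (10.0.0.10 and 10.0.0.11
! are assumed addresses) are denied in both directions, so their flows bypass
! the AIP-SSM entirely; everything else is permitted into the class and is
! therefore redirected to the module.
access-list IPS_TRAFFIC extended deny ip host 10.0.0.10 any
access-list IPS_TRAFFIC extended deny ip any host 10.0.0.10
access-list IPS_TRAFFIC extended deny ip host 10.0.0.11 any
access-list IPS_TRAFFIC extended deny ip any host 10.0.0.11
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! Inline: the module sits in the forwarding path and can drop packets.
! fail-open keeps forwarding when the module fails (the behaviour described in
! the answer); fail-close would stop traffic instead. Choose fail-close only
! if you would rather lose connectivity than pass uninspected traffic.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
!
! global_policy is normally already applied globally on a default config;
! shown here so the fragment is complete.
service-policy global_policy global
```

Verify with "show service-policy" (the IPS class reports module status, inline/fail-open mode and packet counters) and "show module" (AIP-SSM state). Generate traffic from one of the excluded file servers and confirm the IPS_CLASS counters do not increase; traffic from any other host should. Remember that the exclusion only relieves the module; the transparent ASA itself still forwards the file-server traffic, so its own throughput remains the limit, which is the sizing point raised in the answer.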

Thank you for the info.
