04-29-2010 04:02 AM - edited 03-10-2019 04:58 AM
Hi,
I've a Cisco ASA5510 with AIP-SSM and I would like to use it like a one-armed IDS, connecting it to a SPAN port of a switch in my network,
without the traffic passing through the firewall.
I've tried to configure it and connect the inside interface (fast0/1) to the SPAN port. I created the policy to permit all the traffic to the sensor, but it doesn't work: no packets received on the sensor.
Can somebody help me?
Thanks
04-29-2010 07:57 AM
Hi,
When you have the AIP-SSM card on the ASA, you can configure it to operate in promiscuous (IDS) or in-line (IPS) mode.
To be able to use any mode, traffic should flow through the ASA.
The difference is that when operating in IDS mode, only a copy of the packet is sent to the card.
When operating in IPS mode, the traffic is sent through the card, allowing the IPS module to be in the path of the traffic.
Please check the information:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html
Federico.
04-29-2010 09:16 AM
Unfortunately you can't use the AIP-SSM in an ASA with a spanning switch like you could with the 4200 series appliances.
The reason is that the ASA was built to be a firewall, and no matter how much of that functionality you turn off, it still needs to see TCP and UDP conversations flowing thru the ASA in order to pass that traffic to the AIP-SSM sensor (I tried very hard to see if I could get around this limitation, but you can't).
The best you can hope to do is put the ASA in-line (I know this reduces reliability) and turn off as much of the firewall configs as you can. Then you can promiscuously monitor the traffic passing thru the ASA with the AIP-SSM.
It's not ideal, but it's the cheapest IPS sensor in Cisco's line up right now.
- Bob
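As an added illustration of the two modes Federico and Bob describe (not configuration from either poster), this is the ASA 8.x service-policy shape that hands traffic to the AIP-SSM once the ASA is in-line. The access-list and class-map names are assumed; the module behaviour keywords are the ones the ASA CLI uses.

```cisco
! Constructed example: select which traffic the ASA copies or diverts to the AIP-SSM.
! "any any" matches everything flowing through the ASA; a SPAN feed on an interface
! never enters this path, which is why the one-armed setup in the question sees no packets.
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
policy-map global_policy
 class IPS_CLASS
  ! Promiscuous (IDS) mode: the ASA forwards the packet itself and sends only a copy
  ! to the module. fail-open keeps traffic flowing if the module goes down; the
  ! trade-off is that the sensor can alert but cannot drop anything.
  ips promiscuous fail-open
  !
  ! Inline (IPS) mode alternative: the packet is diverted through the module, which
  ! can drop it. fail-close blocks this class if the module fails; use fail-open if
  ! availability matters more than enforcement. Only one "ips" line applies per class.
  ! ips inline fail-close
!
! Apply globally so every interface's through-traffic is inspected.
service-policy global_policy global
```

Verify with `show service-policy ips` on the ASA; the packet counters there are the quickest check that traffic is actually reaching the module.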