Accepted Solutions
Hello Heat Mote,
Regarding your questions:
- How do I verify my setup is functioning as inteded where all traffic between all VLANs is being inspected?
Since you are using an IPS module, the traffic matched by the class configued on the ASA is the one being inspected, you can set up a capture on the dataplane Interface (Interface used to send traffic from the ASA to IPS) using this command:
capture ips int asa_dataplane buffer 15000000
Verify the capture by using:
show capture ips
The output should display packets from every VLAN.
- Why is my non-management interface showing "unpaired"?
The ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP) do not support inline VLAN pairs.
You can associate VLANs in pairs on a physical interface. This is known as inline VLAN pair mode. Packets received on one of the paired VLANs are analyzed and then forwarded to the other VLAN in the pair. Since the module only has one sensing interface, that is why it is shown as Unpaired.
The documentation is talking about "security contexts". You can partition a single ASA into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management.
Please rate the answer if you find it useful.
Hello Heat Mote,
Regarding your questions:
- How do I verify my setup is functioning as inteded where all traffic between all VLANs is being inspected?
Since you are using an IPS module, the traffic matched by the class configued on the ASA is the one being inspected, you can set up a capture on the dataplane Interface (Interface used to send traffic from the ASA to IPS) using this command:
capture ips int asa_dataplane buffer 15000000
Verify the capture by using:
show capture ips
The output should display packets from every VLAN.
- Why is my non-management interface showing "unpaired"?
The ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP) do not support inline VLAN pairs.
You can associate VLANs in pairs on a physical interface. This is known as inline VLAN pair mode. Packets received on one of the paired VLANs are analyzed and then forwarded to the other VLAN in the pair. Since the module only has one sensing interface, that is why it is shown as Unpaired.
The documentation is talking about "security contexts". You can partition a single ASA into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management.
Please rate the answer if you find it useful.
