asa5510 - csc or aip

changari · ‎02-17-2008

With a 5510, I see that it takes either a CSC or a AIP module. Can the 5510 be configured to do both contect filtering and intrusion detection? If so, which 5510 model (ie asa5510-aip10-k9 for example) should I get to do csc and id for around 150 users? In other words if i buy the AIP module, will it do CSC functions? I can't seem to find any information on exact question. thanks

abinjola · ‎02-17-2008

ASA 5510 cannot do URL Filtering+IPS prevention, so you may add CSC module to it for those functionalities

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6823/product_data_sheet0900aecd80402e4f_ps6120_Products_Data_Sheet.html

Standard license if for 50 users but you may always upgrade to 100/250/500 user license

Alexander Cousins · ‎06-20-2010

Hi Both

Is there any rational behind why the ASA5500 units doesnt support both modules (other than hardware)? Also as mentioned it is possible to configure both at once? The previous post said that the use of the CSC may be required but does this support all the IPS/IDS functions that the AIP does?

If not is it possible to configure a pair of ASA's in active active mode with an AIP in one and a CSC in the other?

Thanks

Alex

Panos Kampanakis · ‎06-21-2010

Interesting question Alex.

The limitation as you said is hardware. The ASA can only take one module in it.

The CSC can do virus pattern checks for http, email and ftp. So that part you can said it is IPS. You cannot use other signatures though so you can't say the CSC can do full IPS checks. Of course the moduel can also do spam and url filotering that the IPS can't.

Now, as for the active/active ASA with CSC/CSC idea...Hmm...That could be a good hack as long as the SSM cards were the same (SSM-10 or SSM-20).

Indeed failover will establish as the ASAs will think they have the same hardware (modules are not distinguishable for the ASA failover). So you could have one active ASA do CSC and the other doing IPS.

You should not forget though that you are losing the redundancy practically. The reason being that in case one ASA dies the other one will take care of all the traffic using the module that it has. So in case of a failure you will ONLY have CSC or IPS, not both.

I hope it helps.

PK

game123 · ‎06-21-2010

Well well well, here are some basic and important info..

CSC Module is a hardware module and IPS SSM is also a hardware module, and at one time you can put only 1 module in 1 ASA 5520 or other firewall.

CSC Module is actually a trendmicro software and comes with two licenses ( basic features licenses + advance licenses ). i worked with it , it is good .

IPS Module on ASA will only inspect traffic passing thru ASA and not the core switch or internal network or internal subnets ....

IPS and CSC both have a fallback mode when license expires and can be configured with fail open or fail close options.

Both CSC and IPS module have cable port and you need to connect them to the switch to configure them neatly and professionally.

For both IPS and CSC you can get 60 days demo license also if you are a legitimate customer and your cisco partner or cisco services team can assist you in this.

I dont think while having ASA in redundancy mode, look for redundancy in CSC or IPS , since they are actually sitting behind the ASA boxes (only physcially fit in the same box but logically they are separate modules with separate firmware and configuartion logic )

Hope I have provided some info to let people deal with things neatly !

kamran. (game123)