03-09-2007 05:47 AM - edited 03-11-2019 02:44 AM
We have an ASA 5510 with AIP-SSM10 and will be migrating the 515E ruleset in the future. For right now I want to use the ASA behind the PIX as a bridge in order to use the IPS functionality. Would transparent mode with access lists that allow all traffic in both directions work in this situation? I don't want to drop any packets, just mirror traffic to the IPS for inspection and alerting.
Thanks
03-09-2007 05:59 AM
Hi,
This seems to be a good solution.
This link gives you extensive information on how transparent mode works.
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/firewall/fwmode.htm
It's basically a "bump in the wire" or "stealth firewall".
Hope this helps!
Sushil
Cisco TAC
03-09-2007 12:53 PM
Thanks for the reply Sushil. I read that document but still have a few questions that maybe you could help me with.
Could I assign a security-level of 100 to both interfaces and check the box to "allow communications between interfaces with the same security level" or just use the permit any,any access lists?
I followed the instructions exactly to forward all traffic to the AIP-SSM for inspection but receive an error. Here is my config.
I would appreciate any input.
Thank you very much
ACCESS LISTS
ASA5510# sh access-list
access-list Inside_access_in extended permit ip any any
access-list Inside_access_out extended permit ip any any
access-list Outside_access_out extended permit ip any any
access-list Outside_access_in extended permit ip any any
access-list IPS extended permit ip any any
AIP SSM CONFIG
ASA5510(config)# access-list IPS permit ip any any
ASA5510(config)# class-map lwc-ips-class
ASA5510(config-cmap)# match access-list IPS
ASA5510(config-cmap)# policy-map lwc-ips-policy
ASA5510(config-pmap)# class lwc-ips-class
ASA5510(config-pmap-c)# ips promiscuous fail-open
ASA5510(config-pmap-c)# service-policy lwc-ips-policy global
ERROR: Policy map global_policy is already configured as a service policy
03-09-2007 01:17 PM
Could I assign a security-level of 100 to both interfaces and check the box to "allow communications between interfaces with the same security level" or just use the permit any,any access lists?
---- Yes, you can do this.
AIP SSM CONFIG
ASA5510(config)# access-list IPS permit ip any any
ASA5510(config)# class-map lwc-ips-class
ASA5510(config-cmap)# match access-list IPS
ASA5510(config-cmap)# policy-map lwc-ips-policy
ASA5510(config-pmap)# class lwc-ips-class
ASA5510(config-pmap-c)# ips promiscuous fail-open
ASA5510(config-pmap-c)# service-policy lwc-ips-policy global
ERROR: Policy map global_policy is already configured as a service policy
___ Answer:
ASA-5520-CSC-Standalone(config)# access-list IPS extended permit ip any any
ASA-5520-CSC-Standalone(config)#
ASA-5520-CSC-Standalone(config)# class-map lwc-ips-class
ASA-5520-CSC-Standalone(config-cmap)# match access-list IPS
ASA-5520-CSC-Standalone(config-cmap)# exit
ASA-5520-CSC-Standalone(config)# policy-map global_policy
ASA-5520-CSC-Standalone(config-pmap)# class lwc-ips-class
ASA-5520-CSC-Standalone(config-pmap-c)# ips promiscuous fail-open
ASA-5520-CSC-Standalone(config-pmap-c)# exit
ASA-5520-CSC-Standalone(config-pmap)# exit
ASA-5520-CSC-Standalone(config)# service-policy global_policy global
HTH.
Regards,
Sushil
Cisco TAC
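As an added example (not part of the original thread and not Sushil's or the poster's config), the pieces discussed above assembled into one ASA 7.2 transparent-mode configuration: both interfaces at security-level 100 with same-security traffic permitted, permit-any ACLs in both directions, an EtherType ACL so non-IP frames are bridged too, and the IPS class added to the existing global_policy. The interface names, the management address 192.168.1.2/24 and the lwc-* object names are assumptions for illustration.

```cisco
! Added example, not the original poster's or TAC's configuration.
! Interface names, 192.168.1.2/24 and the lwc-* names are assumed.
firewall transparent
hostname ASA5510
!
interface Ethernet0/0
 nameif Outside
 security-level 100
 no shutdown
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 no shutdown
!
! Transparent mode has no per-interface IP addresses. This single address is
! for management only and must sit on the bridged subnet (assumed 192.168.1.0/24).
ip address 192.168.1.2 255.255.255.0
!
! Both interfaces are level 100, so inter-interface traffic must be allowed
! explicitly; this is what the "allow communications between interfaces with
! the same security level" checkbox in ASDM sets.
same-security-traffic permit inter-interface
!
! IP traffic: permit everything in both directions.
access-list Inside_access_in extended permit ip any any
access-list Outside_access_in extended permit ip any any
access-group Inside_access_in in interface Inside
access-group Outside_access_in in interface Outside
!
! Extended ACLs only match IP. In transparent mode, non-IP frames (BPDUs,
! IPX, etc.) are dropped unless an EtherType ACL permits them, even with
! "permit ip any any" in place. One extended and one EtherType ACL may be
! applied per interface direction.
access-list BRIDGE_ETH ethertype permit any
access-group BRIDGE_ETH in interface Inside
access-group BRIDGE_ETH in interface Outside
!
! Copy all IP traffic to the SSM. "promiscuous" means the SSM sees a copy and
! is not in the forwarding path; "fail-open" keeps traffic flowing if the SSM
! is down or rebooting. The class goes into the existing global_policy: only
! one global service policy is allowed, which is the cause of the error
! "Policy map global_policy is already configured as a service policy".
access-list IPS extended permit ip any any
class-map lwc-ips-class
 match access-list IPS
policy-map global_policy
 class lwc-ips-class
  ips promiscuous fail-open
! Present in the default configuration; shown here for completeness.
service-policy global_policy global
```

Two caveats worth checking before relying on this as a "no drops" bridge: `show service-policy` should list lwc-ips-class under global_policy with packet counters increasing, and a transparent-mode ASA is still a stateful firewall, so flows it never saw the start of (for example asymmetric paths through the PIX) can still be dropped by connection-state checks even with permit-any ACLs.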