06-11-2008 09:34 AM - edited 03-10-2019 04:09 AM
Hello,
I have an IPS-4260 in promiscuous mode, "IDS mode". I have to configure it to use an FWSM as a blocking device but I am not really sure about how to do it because I'm using multiple-context mode in the FWSM. I only want to shun traffic in one context (this is not the admin context).
When I configure the blocking devices in the IPS, should I configure the context as if it is a standalone firewall? Meaning that the IP address configured there would be an IP address to log in directly into that context? Therefore, the IPS should have IP connectivity to that context in order to log in to it, right?
Thanks in advance for your help.
06-11-2008 01:22 PM
Yes, the IPS will log in to the FWSM just like a normal user. If you are using telnet:
telnet sensor-ip /32 interface
If you are using ssh:
ssh sensor-ip /32 interface
Also, in SSH there is an additional step: make sure the ASA is in the IPS's SSH Trusted Hosts/Keys.
Regards
Farrukh
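The steps in the reply above, written out as a configuration fragment. This is an added example, not configuration from the original post: the context name, the interface name "inside", the sensor's command-and-control address 10.10.10.5, the context's management address 10.10.10.1, and the account name ips-shun are all assumed. The FWSM side uses standard PIX/ASA-style syntax; the sensor side uses the IPS 6.x CLI command for accepting a host key, so check it against your IPS release.

```cisco
! --- On the FWSM, inside the target (non-admin) context only ---
changeto context DMZ-CTX
configure terminal
! A dedicated account for the sensor; it needs enable to issue "shun".
username ips-shun password <strong-password> privilege 15
enable password <strong-enable-password>
! Restrict SSH to the sensor's command-and-control address only,
! on the interface that holds the context's management IP (10.10.10.1 assumed).
ssh 10.10.10.5 255.255.255.255 inside
aaa authentication ssh console LOCAL
! If telnet were used instead (not recommended: credentials and shun
! commands would cross the wire in clear text):
! telnet 10.10.10.5 255.255.255.255 inside
end
write memory

! --- On the IPS sensor ---
! Record the context's SSH host key before the sensor will connect to it
! (the "SSH Trusted Hosts/Keys" step). Compare the fingerprint shown
! against "show ssh ... fingerprint" / the key observed on the FWSM console
! before accepting, so a spoofed device cannot receive the shun credentials.
sensor# configure terminal
sensor(config)# ssh host-key 10.10.10.1
```

Because the sensor logs in to the context's own management address, the context must be reachable from the sensor's command-and-control interface, and the `ssh`/`telnet` access lines above are what permit that login: they belong in the target context, not in the admin context.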
06-11-2008 01:51 PM
You are correct.
From the sensor standpoint you will treat each FWSM context as a unique firewall with its own IP address unique to that context.
Understand that the IPS will send the same shun commands to every firewall (or every context) that is being managed.
So in your case the sensor will send all shuns to your firewall context even though some of the traffic being monitored may have come from other firewall contexts. You can not designate which addresses to shun on which firewall/context.