ASA5510 and IPS module

Unanswered Question
Jun 22nd, 2008

We have an ASA 5510 with an IPS module.

Can the two be configured for access separately?

For example, someone having access to the ASDM can only view the firewall config but edit and manage the IPS module.

And the opposite: view the IDS module and manage the firewall config.

The IPS module has its own IP Address.

Farrukh Haroon Sun, 06/22/2008 - 18:20

Yes Wilson, just use separate passwords for each.

But just make sure both guys are good friends, otherwise the IPS guy could block all traffic for the ASA guy and the ASA guy could shut down/reset the IPS module using the CLI :)



wilson_1234_2 Tue, 06/24/2008 - 18:35

We have our ASAs using AAA pointing to a TACACS server.

How would it be done in this case?

mohammed_moustafa Wed, 06/25/2008 - 02:31

Hi Wilson,

You can add 2 user accounts to the AAA server: one is authorized to manage the ASA and the other is authorized to manage the IPS module. And you have to configure AAA authentication on the IPS module.


Farrukh Haroon Wed, 06/25/2008 - 05:59

You can have separate usernames for IPS and ASA. To further secure this, you can use Network Access Restrictions (but they sometimes do not work well with security devices as they don't send the complete information). Also, the IPS does not support AAA, so there you will have to use the local database anyway (thereby isolating things).



