How can IDSM monitor FWSM interface

new_networker
Level 1

hi,

Three vlans have been assigned to the FWSM i.e. 2 (outside), 3 (DMZ) and 4 (inside).

Now, I would like to perform an inline interface mode monitoring on the traffic coming into FWSM inside interface.

As the FWSM inside interface is logical, how can I configure IDSM to monitor it?

Rgds

Accepted Solutions


If you have servers 'outside' the FWSM, just let all the servers be in the same VLAN and change the VLAN SVI on the FWSM from 3 to 33. This way you need to make only one change on the FWSM configuration. Then bridge that in the IDSM. Make sure you allow the correct VLANs on the FWSM internal etherchannel trunk though (on the host 6500 Series Switch).

Regards

Farrukh


28 Replies

Farrukh Haroon
VIP Alumni

Basically you will create a separate VLAN for the user/servers connected ports say 150. And you will create a corresponding logical interface on the FWSM say int vlan 750.

Then the IDSM will BRIDGE between these two vlans, both VLANS will be sharing the same subnet.

Please have a look at this post for more details:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&topicID=.ee6e1fc&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc1a97d

Please rate the post if you find it helpful.

Regards

Farrukh

So in my example, if I need to monitor the inside interface, say VLAN2 on the FWSM, which has servers connected to it via the ethernet module, what will the inline interface mode configuration look like?

1. Will I have to designate the data ports on the cat6500 such as

router(config)# intrusion-detection module 13 data-port 1 access-vlan 661

router(config)# intrusion-detection module 13 data-port 2 access-vlan 662

What do the above commands really do?

2. Will I have to define a vlan access-map with vlan filter?

3. Can I configure it to just inspect the traffic once and only on one interface (i.e. inside)?

Please provide an example with VLAN2 as the inside interface of the FWSM to which the switch servers are connected. Is inline interface mode preferred over inline VLAN mode?

Thanks.

My discussion was assuming you were going to use the 'Inline VLAN Pair' mode and not the 'Inline Interface Pair'.

Here is an example of the latter:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00809c37cb.shtml

To answer your questions:

1) Yes in 'Inline Interface Pair' you have to use two interfaces on the sensor/IDSM. This is not really recommended for the IDSM because you only have two interfaces (gig x/7 and gig x/8). These two interfaces have to be assigned access vlans (different than each other).

2) This is used for 'promiscuous mode' and not Inline mode.

3) Don't get your question, sorry.

Here is a brief difference between the two:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&topicID=.ee6e1fc&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cc1ac8d/5#selected_message

Regards

Farrukh

Ok. I would like to go for inline VLAN pair mode.

Questions:

1) So my first configuration would be at the switch i.e.

router# show run | include intrusion-detection

intrusion-detection module 13 management-port access-vlan 147

intrusion-detection module 13 data-port 1 trunk allowed-vlan 661,662

Please specify what the data ports refer to. Secondly, in my example I need to monitor the inside interface of the FWSM, i.e. VLAN2; so what would be the trunk allowed-vlan in my case?

2) On the IDSM, after 'service interface', how come 'physical-interfaces ?' shows GiEth0/0 thru 0/3? Isn't it true that the IDSM has 8 internal ports of which 7 & 8 are sensing ports? Why don't I see 7 & 8 on the physical interfaces?

3) So now, to monitor the inside of the FWSM, shall a single physical interface on the IDSM be sufficient?

4) In the subinterface configuration,

sensor(config-int-phy)# subinterface-type inline-vlan-pair

sensor(config-int-phy-inl)# subinterface 1

sensor(config-int-phy-inl-sub)# vlan1 52

sensor(config-int-phy-inl-sub)# vlan2 53

What are vlan1 & vlan2? And what are 52, 53? And what is the connection/relation between these pairs and the switch trunk allowed-vlan 661,662?

Please explain to assist me in putting all of these things together. I am not able to decipher what all of these pairings are for to monitor the inside of the FWSM (as in my example).

Thanks.

First of all this is an Inline Vlan Pair example:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_configuration_example09186a0080876d9f.shtml

1) access-vlan for the management port is obvious from the command syntax. The other two vlans should actually be VLAN 2 and then the NEW VLAN you will create to bridge to this new vlan. Call it VLAN 72. One will exist on the ports facing the servers etc. (say VLAN 72) and VLAN 2 will be a virtual interface on the FWSM. Both VLANS will be part of the *same* subnet.

Data ports gig x/7 and gig x/8 are the TWO sensing interfaces on the IDSM.

2) The IDSM has no physical interfaces, so don't worry about this too much.

3) Yes a single interface will be sufficient, once again it's NOT a physical interface :). With inline VLAN pair you can monitor multiple VLANs on the same IDSM port, you just need to allow them on the switch like you did VLANs 661 and 662. Then add another sub-interface on the IDSM interface for the two new VLANs.

4) Now these should be the SAME as you allowed on the trunk, e.g. 2 and 72. The sub-interface number can be anything.

Once you form the sub-interface pair you need to assign it to the virtual sensor.

Regards

Farrukh

Ok. Going by the given example it says

Specify an interface:

sensor(config-int)#physical-interfaces GigabitEthernet0/2

Add the interface to the virtual-sensor:

sensor(config-ana-vir)#physical-interface GigabitEthernet0/2

subinterface-number 1

whereas you stated to ignore the physical interface. How can I understand the above?

In my scenario, the incoming traffic from the Router gets directed to the inside of the FWSM. Hence, the traffic would be passing the FWSM inside VLAN, i.e. VLAN2. What is the second VLAN I need to mention as the pair, as there are no servers connected to it? The router's ethernet is connected to VLAN2 on the ethernet module and hence is on the same subnet as the FWSM inside.

By ignore I meant in the show command of the document. I'm pasting the show interface brief from a live IDSM-2 for your increased understanding:

AVD# show interfaces brief

CC Interface Sensing State Link Inline Mode Pair Status

* GigabitEthernet0/2 Disabled Up

GigabitEthernet0/7 Enabled Up Inline-vlan-pair N/A

GigabitEthernet0/8 Enabled Up Inline-vlan-pair N/A

If you need to introduce the IDSM between the Router and the FWSM, you need to change the VLAN either on the ROUTER or on the FWSM and let the IDSM bridge the two vlans. You have to change one!

Regards

Farrukh

Let's say the inside on the FWSM is 10.0.0.1/24 (VLAN2). Now I should create another VLAN, e.g. VLAN72, encompassing the router ethernet port 10.0.0.2/24 (same subnet). If so, then how will the traffic be routed between these two VLANs? Is it via the bridged VLAN on the IDSM, e.g.

sensor(config-int-phy)#subinterface-type inline-vlan-pair

sensor(config-int-phy-inl)#subinterface 1

sensor(config-int-phy-inl-sub)#vlan1 2

sensor(config-int-phy-inl-sub)#vlan2 72

Secondly, do I have to assign a single physical-interface GigabitEthernet from the range 0-3?

I think I am getting close.

Thanks.

Yes the IDSM will BRIDGE the two vlans, there will be no ROUTING here as both VLANS will be in the same subnet.

You will assign the sub-interface 1 you created to the vs0 (virtual sensor). For each new sub-interface you add (to a physical interface) you need to go and add that to the virtual sensor.

Just use the GUI, it will make it all very intuitive.

Regards

Farrukh
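Putting the pieces of the thread together for the asker's scenario (FWSM inside on VLAN 2, 10.0.0.1/24; new VLAN 72 on the router/server-facing ports; IDSM-2 bridging the pair and assigning it to vs0). This is an added walkthrough, not configuration posted by Farrukh or taken from the linked Cisco documents. Slot numbers (FWSM in slot 5, IDSM in slot 13), the switch port Gi3/1, the VLAN name, and the mapping of data-port 1 to sensing interface GigabitEthernet0/7 are assumptions.

```cisco
! --- Host Catalyst 6500 (slot numbers and port Gi3/1 are assumed) ---
! The router/server-facing access port moves from VLAN 2 to the new VLAN 72.
vlan 72
 name INSIDE-BRIDGED
!
interface GigabitEthernet3/1
 description router / servers, now in VLAN 72 (same subnet as FWSM inside)
 switchport
 switchport mode access
 switchport access vlan 72
!
! FWSM keeps its VLAN 2 inside interface, so VLAN 2 must stay allowed on the
! FWSM internal etherchannel trunk (outside 2? no: 2 inside, 3 DMZ, 4 outside per thread).
firewall vlan-group 1 2,3,4
firewall module 5 vlan-group 1
!
! IDSM data port 1 (assumed = GigabitEthernet0/7) must carry BOTH VLANs of the pair.
intrusion-detection module 13 management-port access-vlan 147
intrusion-detection module 13 data-port 1 trunk allowed-vlan 2,72

! --- FWSM: inside stays on VLAN 2, nothing to change here ---
interface Vlan2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0

! --- IDSM-2 sensor CLI: bridge VLAN 2 <-> VLAN 72 as an inline VLAN pair ---
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/7
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# vlan1 2
sensor(config-int-phy-inl-sub)# vlan2 72
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
! answer "yes" to the Apply Changes prompt here
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/7 subinterface-number 1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
! answer "yes" to the Apply Changes prompt here
sensor(config)# exit
sensor# show interfaces brief
```

After the last step, `show interfaces brief` should list GigabitEthernet0/7 as Enabled with Inline Mode Inline-vlan-pair, as in the live output Farrukh pasted above; both directions between VLAN 2 and VLAN 72 pass through vs0.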

Farrukh,

In this scenario, will the traffic be inspected one-way only on the inside interface, or even the outgoing traffic?

How is the other option enabled?

Rgds.

You mean Router >> FW Inside and FW Inside >> Router, both ways? YES both will be inspected.

Regards

Farrukh

Ok. So how can I restrict it to one way only, i.e. Router -> FW Inside?

Thanks.

To my knowledge you cannot, and WHY would you?

Regards

Farrukh

hi,

Going back to this topic, the requirement has changed. The traffic from the FWSM Outside to Inside needs to be inspected. I have already assigned an interface on the FWSM inside and connected the servers to it. Now which vlans should I bridge for this purpose? Let's say vlan 2 is inside and vlan 3 is outside.
