Nov 3rd, 2008

Hi all,

I am looking at implementing an ASA system for multiple branches (17) in a client site.

I know that the ASA 5510 can have the AIP-SSM module installed, where the 5505 cannot. I want to be able to offer firewall, an IPsec VPN back to the hub site and IPS in a promiscuous mode. I believe the ASA 5510 w/ AIP-SSM can do this.

I would ideally place the ASA at the ingress point to the branch office to monitor traffic coming into the branch office and use RSPAN to forward all traffic from a sensitive VLAN, mirrored to a capture port on the ASA. I'm assuming this can be done, but I would like to make sure.

So, in a nutshell, can the ASA act as a border firewall AND be used to perform IPS functionality on an RSPAN port, where the 4 switches (4 different closets) forward all traffic via the RSPAN port into the ASA AIP-SSM card?


darrenj Mon, 11/03/2008 - 11:33

Why not!? I have used an ASA as an fw, VPN termination and IPS device no problem....


darrenj Mon, 11/03/2008 - 11:35

Hang on, I have re-read the post. I think I know where you are coming from: there is no promiscuous port to SPAN to. You can however use IPS on traffic passing through the firewall....
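For reference, this is an added example of the ASA-side configuration that does what darrenj describes (it is not from either poster in this thread): traffic that already passes through the firewall is handed to the AIP-SSM, rather than the module receiving a SPAN/RSPAN feed. The ACL and class-map names (IPS_TRAFFIC, IPS_CLASS) are assumed, and the "any any" match is only an illustration; the `ips` command itself is the standard ASA MPF syntax for the module.

```cisco
! Added example, not from the thread. IPS_TRAFFIC and IPS_CLASS are assumed names.
! Select the through-traffic to hand to the AIP-SSM. "any any" sends everything;
! narrow it (e.g. to the sensitive subnet) if module throughput is a concern.
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! Attach the class to the existing global policy.
! promiscuous: the module gets a copy of each packet and cannot drop it;
!              fail-open keeps traffic flowing if the module fails.
! For in-line monitoring, use "ips inline fail-close" instead: the module then
! sits in the data path and can drop packets, but traffic is blocked if it fails.
policy-map global_policy
 class IPS_CLASS
  ips promiscuous fail-open
!
! Usually already present in the default configuration; harmless to repeat.
service-policy global_policy global
```

The practical caveat this shows is that the module only sees what crosses the ASA. Intra-branch traffic that stays on the access switches (host to host within the sensitive VLAN, or between the four closets) never reaches the firewall and so is never inspected, which is exactly the gap the RSPAN idea was meant to close.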

MIWConsulting Mon, 11/03/2008 - 11:39

So would there be any way to monitor the traffic going on inside the branch office? Would getting a separate IPS be the only way?

MIWConsulting Mon, 11/03/2008 - 15:29

Hi rhermes,

Could you possibly expand on your answer? Is it because I am trying to do passive monitoring? Could I do in-line monitoring in this scenario instead?
