Sensing interfaces on IPS!

alsayed
Level 1

Hi Guys

I have an IPS 4215 with the 6.0 image, 4 sensing interfaces along with the C&C. I'm a little bit confused about the sensing interfaces across the network; what I am thinking is as follows:

IPS will function in inline mode

1) Two sensing interfaces bridged together on the inside

2) Two sensing interfaces bridged together on the outside, because I have a web server on the DMZ that needs to be accessed from outside

but the inline rule says: traffic from one interface to another interface needs to be checked, so how is that with traffic leaving my network to the internet? It needs to be checked either way, which is useless in this case because I just need inspection of traffic coming from outside toward my web server and inspection on the inside interfaces?

Any help here in order to determine the ideal deployment for the sensors

Thanks a lot

9 Replies

Jennifer Halim
Cisco Employee

You can configure VLAN Pair for each of the network segments that you would like to get the IPS inspected.

Example:

1st sensing interface, configure it as a dot1q trunk port:

- Eg: if your inside interface is in vlan 50, you can map it (bridge it) through the IPS to another vlan (eg: vlan 150).

- So on IPS --> vlan 50 pairs with vlan 150

- All inside hosts are assigned to vlan 50, and its default gateway is assigned to vlan 150, hence the traffic will pass through the IPS in bridge/transparent mode.

Then you can configure the same for DMZ and outside subnet.

Hope that helps.

Could you please prepare a drawing for your suggestions in order to use as a sample?

Thanks

Please find the vlan pairing and trunk for the IPS sensing interface diagram. The example diagram is for inside subnet, and you can replicate the same for DMZ and Outside.

Hope that helps.

Thanks Friend

1) So I need 3 sensing interfaces acting as trunks: 1 for inside, 1 for outside and 1 for DMZ

2) Why do I have 2 different vlans and the same IP subnet? What is the reason for that? How does the inspection work?

Thanks

Mate, so if I have a route from the ASA toward the internet router, so now a route is in place, then I need interface pair not vlan pair because I have a route, is that true?

Interface pair means you have to use a pair of the IPS interfaces, i.e. one connects to the ASA and the other connects to the router, basically to ensure that traffic that needs to be inspected is passing through the IPS.

You are not limited to use interface pair, you can also use VLAN pair in your ASA to Internet router scenario. Basically the ASA vlan and the router vlan needs to be different with ASA and router in the same subnet, to force traffic through the IPS.

Example:

ASA outside IP is 200.1.1.1 -- vlan 10

Router interface IP is 200.1.1.2 -- vlan 110

IPS - pairing vlan 10 to vlan 110

1) Correct, but again, it depends on how you physically and logically connect the IPS in your network.

2) For vlan pair scenario, you would need to have 2 vlans bridging the traffic just like transparent firewall for example, so the traffic is forced to go through the IPS. If you only have 1 VLAN, traffic will directly go to its default gateway, hence will not pass through the IPS appliance.

Hope that answers your questions.

Hello friend

Why 2 different vlans while one single subnet? How does the logic go?

Do you have different IPS deployments including connectivity?

Thanks

Can't really find a sample config on IPS, however, here is a sample config on the concept of transparent firewall, which is exactly what IPS is:

Interface pair (on ASA firewall): http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

VLAN pair (FWSM): http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/exampl_f.html#wp1029042

For the VLAN pair example, just check the diagram: basically 1 subnet, and vlan pairing basically to force the traffic to go through the firewall/IPS. Since all hosts are on 1 layer 3 subnet, a host will ARP for the IP address, and if the default gateway is on the other side of the IPS/firewall, the traffic is forced to traverse the appliance to get to its default gateway, hence forcing the traffic to be inspected by the IPS. Otherwise, there is no other way to force traffic to pass through the IPS, as the IPS is a layer 2 device (the sensing interface is L2), not a routed device.
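To make the "two vlans, one subnet" logic from the replies above concrete, here is an added toy model (not code from this thread, not Cisco's IPS software, and not a config for the 4215) of a per-VLAN learning switch and an inline VLAN pair sensing interface. The host names, MACs, VLAN numbers 50/150 (taken from the example in the replies), switch port names and the "EXPLOIT" payload string are all constructed for the illustration; the IPS's signature match is a stand-in for real inspection. It shows that when the hosts sit on vlan 50 and the default gateway on vlan 150, every frame to the gateway must cross the IPS bridge and an inline deny actually stops it, while with hosts and gateway on the same vlan the switch forwards the frame directly and the IPS never sees it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Frame:
    """An Ethernet frame as the switch sees it: tagged with the VLAN it is on."""
    src_mac: str
    dst_mac: str
    vlan: int
    payload: str
    path: List[str] = field(default_factory=list)  # hops taken, for the demonstration


class InlineVlanPairIps:
    """Hypothetical model of one sensing interface in inline VLAN pair mode:
    a frame arriving on vlan_a is inspected and re-tagged onto vlan_b, and vice versa."""

    def __init__(self, vlan_a: int, vlan_b: int, blocked_signatures: List[str]):
        self.pairs: Dict[int, int] = {vlan_a: vlan_b, vlan_b: vlan_a}
        self.blocked = blocked_signatures  # constructed stand-in for IPS signatures
        self.inspected = 0

    def forward(self, frame: Frame) -> Optional[Frame]:
        self.inspected += 1
        if any(sig in frame.payload for sig in self.blocked):
            frame.path.append(f"ips:vlan{frame.vlan}->DROP")
            return None  # inline deny: the frame is never bridged to the other vlan
        other = self.pairs[frame.vlan]
        frame.path.append(f"ips:vlan{frame.vlan}->vlan{other}")
        return Frame(frame.src_mac, frame.dst_mac, other, frame.payload, frame.path)


class Switch:
    """A learning switch with a per-VLAN MAC table. It never moves a frame between
    VLANs by itself; only a device bridging two VLANs (the IPS) can do that."""

    def __init__(self) -> None:
        self.table: Dict[Tuple[int, str], str] = {}  # (vlan, mac) -> access port
        self.ips: Optional[InlineVlanPairIps] = None
        self.trunk = ""  # constructed port name carrying the paired VLANs to the IPS

    def attach_host(self, mac: str, vlan: int, port: str) -> None:
        self.table[(vlan, mac)] = port

    def attach_ips(self, ips: InlineVlanPairIps, trunk_port: str) -> None:
        self.ips, self.trunk = ips, trunk_port

    def deliver(self, frame: Frame, from_ips: bool = False) -> Optional[Frame]:
        port = self.table.get((frame.vlan, frame.dst_mac))
        if port is not None:
            # Destination known in this VLAN: forwarded directly, nobody else sees it.
            frame.path.append(f"switch:vlan{frame.vlan}->{port}")
            return frame
        if not from_ips and self.ips is not None and frame.vlan in self.ips.pairs:
            # Unknown in this VLAN: flooded within the VLAN, which includes the trunk
            # to the IPS. (Simplified: a real switch would also learn the gateway MAC
            # on that trunk after the first reply, with the same effect.)
            frame.path.append(f"switch:vlan{frame.vlan}->flood->{self.trunk}")
            bridged = self.ips.forward(frame)
            return None if bridged is None else self.deliver(bridged, from_ips=True)
        frame.path.append(f"switch:vlan{frame.vlan}->flood->no-receiver")
        return None


def scenario_vlan_pair() -> Tuple[int, Optional[Frame], Optional[Frame]]:
    """Inside hosts on vlan 50, default gateway on vlan 150, IPS pairing 50<->150."""
    ips = InlineVlanPairIps(50, 150, blocked_signatures=["EXPLOIT"])
    sw = Switch()
    sw.attach_host("host-a", 50, "Fa0/1")   # constructed host and port names
    sw.attach_host("gw", 150, "Fa0/24")
    sw.attach_ips(ips, "Fa0/10")
    benign = sw.deliver(Frame("host-a", "gw", 50, "GET /index.html"))
    attack = sw.deliver(Frame("host-a", "gw", 50, "EXPLOIT payload"))
    return ips.inspected, benign, attack


def scenario_single_vlan() -> Tuple[int, Optional[Frame]]:
    """Same subnet, but hosts and gateway share vlan 50: the IPS is bypassed."""
    ips = InlineVlanPairIps(50, 150, blocked_signatures=["EXPLOIT"])
    sw = Switch()
    sw.attach_host("host-a", 50, "Fa0/1")
    sw.attach_host("gw", 50, "Fa0/24")
    sw.attach_ips(ips, "Fa0/10")
    attack = sw.deliver(Frame("host-a", "gw", 50, "EXPLOIT payload"))
    return ips.inspected, attack


if __name__ == "__main__":
    n, benign, attack = scenario_vlan_pair()
    print("vlan pair: inspected", n, "benign path", benign.path, "attack delivered", attack)
    n, attack = scenario_single_vlan()
    print("single vlan: inspected", n, "attack reached gateway via", attack.path)
```

The two scenarios are the two halves of the reply above: in `scenario_vlan_pair` the only L2 path from vlan 50 to vlan 150 is the IPS, so both frames are inspected and the matching one is dropped inline; in `scenario_single_vlan` the per-VLAN MAC table already knows the gateway port, so the frame never reaches the trunk and the inspection count stays at zero.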
