Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1240
Views
0
Helpful
2
Replies

transparent mode with AIP-SSM-20

Go to solution
smperry
Level 1
Level 1

‎06-12-2010 11:00 AM - edited ‎03-10-2019 05:01 AM

I currently have an ASA5510 in routed mode with an AIP-SSM-20.

There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE.  This part should present no issue.

However, this will remove the IPS device, and I still want to use IPS.

So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN.  The transparent ASA would be functioning strictly as an IPS appliance.

Setup would look something like this:

Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN

Can the AIP-SSM still perform IPS with the ASA in transparent mode?

Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?

I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.

Regards.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎06-13-2010 02:21 AM

AFAIR, There is no problem to setup AIP in a transparent firewall.

"An ASA in transparent mode can run an AIP.  In the event the AIP fails,

the IPS will fail-open and the ASA will continue to pass traffic.
However, if an interface or cable fails, then traffic will stop.  You
would need a failover pair to account for this failure event, which
means another ASA and matching AIP."

And no there is no problem to exclude certain hosts/ports/subnets from inspection by IPS via MPF.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744

What I however consider however is if the ASAs 5510 as second tier firewall for 5520s will be enough.

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

HTH,

Marcin

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎06-13-2010 02:21 AM

AFAIR, There is no problem to setup AIP in a transparent firewall.

"An ASA in transparent mode can run an AIP.  In the event the AIP fails,

the IPS will fail-open and the ASA will continue to pass traffic.
However, if an interface or cable fails, then traffic will stop.  You
would need a failover pair to account for this failure event, which
means another ASA and matching AIP."

And no there is no problem to exclude certain hosts/ports/subnets from inspection by IPS via MPF.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744

What I however consider however is if the ASAs 5510 as second tier firewall for 5520s will be enough.

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

HTH,

Marcin

0 Helpful

Go to solution
smperry
Level 1
Level 1
In response to Marcin Latosiewicz

‎06-14-2010 11:57 AM

Thank you for the info.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card