transparent mode with AIP-SSM-20

Answered Question

I currently have an ASA5510 in routed mode with an AIP-SSM-20.

There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE.  This part should present no issue.


However, this will remove the IPS device, and I still want to use IPS.

So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN.  The transparent ASA would be functioning strictly as an IPS appliance.


Setup would look something like this:


Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN


Can the AIP-SSM still perform IPS with the ASA in transparent mode?


Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?

I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.


Regards.

Correct Answer by Marcin Latosiewicz (Cisco Employee), Sun, 06/13/2010 - 02:21

AFAIR, there is no problem setting up an AIP in a transparent firewall.


"An ASA in transparent mode can run an AIP. In the event the AIP fails, the IPS will fail-open and the ASA will continue to pass traffic. However, if an interface or cable fails, then traffic will stop. You would need a failover pair to account for this failure event, which means another ASA and matching AIP."


And no, there is no problem excluding certain hosts/ports/subnets from inspection by the IPS via MPF.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744




What I would consider, however, is whether the ASA 5510s as a second-tier firewall for 5520s will be enough.

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html


HTH,

Marcin
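As an added illustration (not from the post above or from Cisco's documentation), this is the ASA 8.2-style configuration the answer's MPF approach implies for the second 5510: transparent mode, the AIP-SSM inline with fail-open, and the two file servers excluded from inspection. Interface names, the management address and the file-server IPs are assumed placeholders.

```cisco
! Second ASA 5510 (with the AIP-SSM) as a transparent inline IPS bump-in-the-wire.
! All addresses, interface roles and file-server IPs below are constructed placeholders.
! "firewall transparent" clears interface IP configuration; apply from the console.
firewall transparent
!
interface Ethernet0/0
 description toward the routed ASA's inside interface
 nameif outside
 security-level 0
 no shutdown
interface Ethernet0/1
 description toward the internal LAN
 nameif inside
 security-level 100
 no shutdown
!
! In 8.2 transparent mode the single management IP is set globally, on the bridged subnet.
ip address 192.0.2.2 255.255.255.0
!
! Security levels and ACLs still apply in transparent mode: sessions initiated from
! outside toward inside need an access-group on "outside"; inside-initiated traffic
! and its stateful return pass by default.
!
! Hosts whose traffic must bypass the AIP-SSM. A "deny" line in an ACL referenced by
! "match access-list" means "do not match this class", so those packets are never
! redirected to the sensor and simply transit the ASA.
access-list IPS_TRAFFIC extended deny ip host 192.0.2.10 any
access-list IPS_TRAFFIC extended deny ip any host 192.0.2.10
access-list IPS_TRAFFIC extended deny ip host 192.0.2.11 any
access-list IPS_TRAFFIC extended deny ip any host 192.0.2.11
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! fail-open: if the AIP-SSM stops responding, matched traffic keeps flowing uninspected
! (the behaviour quoted in the answer); use fail-close if dropping is preferred.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
!
service-policy global_policy global
!
! Verify: "show module 1 details" for sensor state, "show service-policy" for IPS hit counts.
```

Without the deny lines every IP flow would be sent to the sensor, which is the overload case the question raises for the file servers.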

