IP address for AIP- IPS in ASA5520

bob.bhakta · ‎07-14-2010

This is a pretty dumb question, and may have already the answer, but none the less... Does it matter the IP address i assign to the IPS module? I mean of course it is an IP address on the inside but does it matter if it is a part of the normal data subnet we have allocated? i was think of giviing the IPS module an IP address on our network management subnet?

Greatly appreciate the feedback in advance.. and plze be brutally honest.. as

terrygwazdosky · ‎07-14-2010

As it's just for management you can give it any IP you want. I have a seperate VLAN for my IPS sensors, but putting it in your management network is just fine too. If you want to enable auto updates make sure there is a NAT setup for it's IP to access the outside.

rhermes · ‎07-14-2010

The Management IP address you assign to the AIP-SSM module will be assigned to that external ethernet interface jack on the module.

Whatever network you'd like to connect that interface to will help decide what network the address will live in.

Personally, I'd keep it within a management network if possible. You don;t need to expose it to production traffic. Every now and then there is a DoS vulnerbility on the management interfaces of devices, you can avoid your exposure to them if you have a segerated management network.

- Bob