09-07-2010 08:34 AM - edited 03-10-2019 05:07 AM
Hi Folks,
I want to configure a new ASA 5510 with an SSM module to carry out IPS/IDS across a trunk.
At present, SSL traffic comes in from the internet through an external firewall, down through a web switch to a CSS where the SSL terminates. The traffic is then load balanced to a number of web servers, all of which are connected to the same web switch. This is probably better explained in the attached diagram.
Ideally I would like to place the ASA (with SSM module) between the web switch and the CSS (on the trunk link in the diagram) and have it carry out IDS/IPS on two VLANs (carrying the unencrypted traffic) and not carry out IDS on the encrypted traffic, although if needs be I can just tune out alerts for the encrypted traffic.
Is it possible to do this with the asa in transparent mode, using Inline VLAN pairs?
Thanks in advance,
Darragh
09-07-2010 09:05 AM
Hey Darragh,
Inline VLAN pairs are not supported on AIP SSMs if I am not mistaken. But if you would like to monitor only 2 VLANs, you can configure the module in inline mode and use an ACL to specify what traffic to send to the IPS from the ASA. Here is a config guide:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_ssm.html
Hope this helps!!
Thanks and Regards,
Prapanch
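As an added illustration of the approach in the reply above (this is example configuration, not from the thread or from Cisco's documentation), the ASA-side Modular Policy Framework config that classifies traffic with an ACL and hands only that class to the AIP SSM in inline mode. The two subnets 10.10.10.0/24 and 10.10.20.0/24 are constructed placeholders for the two unencrypted web-server VLANs; the interface and VLAN setup is assumed to be in place already.

```cisco
! Added example (not from this thread): send only the two unencrypted
! VLANs' traffic to the AIP SSM inline; SSL traffic is never classified,
! so the module never sees it and no alert tuning is needed for it.
! 10.10.10.0/24 and 10.10.20.0/24 are constructed placeholder subnets.

! 1. Match the inspected traffic in both directions (ASA pre-8.3 mask notation).
access-list IPS_INSPECT extended permit ip 10.10.10.0 255.255.255.0 any
access-list IPS_INSPECT extended permit ip any 10.10.10.0 255.255.255.0
access-list IPS_INSPECT extended permit ip 10.10.20.0 255.255.255.0 any
access-list IPS_INSPECT extended permit ip any 10.10.20.0 255.255.255.0

! 2. Bind the ACL to a class-map; only permit entries count as a match.
class-map IPS_CLASS
 match access-list IPS_INSPECT

! 3. Hand that class to the module inline. fail-open keeps traffic flowing
!    if the SSM goes down; fail-close drops it instead, which is the safer
!    choice if inspection is mandatory and an outage is acceptable.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open

! 4. Apply the policy (global_policy is usually already applied globally).
service-policy global_policy global
```

Verify with `show service-policy` that the IPS class is counting packets for the two subnets only; if the TCP/443 flows were to show up there, the ACL is too broad.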
09-07-2010 09:06 AM
Also, to see how an AIP SSM works with an ASA, here is a document:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ssm.html#wp1087140
Regards,
Prapanch
09-08-2010 08:22 AM
Hi Prapanch,
Many thanks for your replies - Unfortunately, I think you are right that inline VLAN pairs are not supported on the SSM.
One thing I am still not clear on from the documents you linked to is whether a topology like this:
Server ----> ASA(Transparent mode with SSM) ----> CSS
will allow IPS to work correctly, when the Server and CSS are both on the same VLAN, and when the links from the ASA are both trunks?
I would have expected to use inline VLAN pairs in this scenario, but that's not an option when the hardware is an SSM.
I know that the ASA could be put in routed mode, and that this should work once the IP addressing of the Server or CSS was changed, but I'm curious if it can be achieved with the ASA in transparent mode.
Thanks again for your help!
Darragh
09-08-2010 08:46 PM
Hey Darragh,
Well, with inline VLAN pairs, the IPS will understand VLAN tagging on trunk links and will be able to change that as per the configuration. But in our case, if we use the IPS module on the trunk link (w/o the inline VLAN pair as it is not supported) I do not see any reason why it will not work.
It should just process the packet without bothering about the VLAN tag in the header. Also, I don't think the transparent firewall is going to make any difference. It should work just fine. I guess the only way to test it will be to actually configure it. Let me know how it goes.
Regards,
Prapanch
09-10-2010 05:47 AM
Thanks again Prapanch - I'll test that setup and let you know how it works!
09-17-2010 01:05 AM
Hey Darragh,
Did you manage to implement and test this setup?
Regards,
Prapanch
09-28-2010 01:56 AM
Hi Prapanch,
Haven't been able to test this yet unfortunately - still waiting for a change window. I'll let you know once we do.