Configuring IPS on an ASA across a trunk link

darragh long
Level 1

Hi Folks,

I want to configure a new ASA 5510 with an SSM module to carry out IPS/IDS across a trunk.

At present, SSL traffic comes in from the internet through an external firewall, down through a web switch to a CSS where the SSL terminates. The traffic is then load balanced to a number of web servers, all of which are connected to the same web switch. This is probably better explained in the attached diagram.

Ideally I would like to place the ASA (with SSM module) between the web switch and the CSS (on the trunk link in the diagram) and have it carry out IDS/IPS on two VLANs (carrying the unencrypted traffic) and not carry out IDS on the encrypted traffic, although if needs be I can just tune out alerts for the encrypted traffic.

Is it possible to do this with the asa in transparent mode, using Inline VLAN pairs?

Thanks in advance,

Darragh

7 Replies

praprama
Cisco Employee

Hey Darragh,

Inline VLAN pairs are not supported on AIP SSMs if I am not mistaken. But if you would like to monitor only 2 VLANs, you can configure the module in inline mode and use an ACL to specify what traffic to send to the IPS from the ASA. Here is a config guide:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_ssm.html

Hope this helps!!

Thanks and Regards,
Prapanch
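The ACL-based approach Prapanch describes uses the ASA's Modular Policy Framework: an access list selects the traffic, a class-map matches on it, and the policy-map hands only that class to the SSM. The configuration below is an added illustration written for this thread, not Prapanch's configuration or text from the linked Cisco guide. The subnets 10.1.10.0/24 and 10.1.20.0/24 are assumed stand-ins for the two unencrypted VLANs, and the ACL, class-map and policy-map names are invented for the example.

```cisco
! Select only the two VLANs carrying decrypted (post-CSS) traffic.
! 10.1.10.0/24 and 10.1.20.0/24 are assumed example subnets.
access-list IPS_TRAFFIC extended permit ip 10.1.10.0 255.255.255.0 any
access-list IPS_TRAFFIC extended permit ip any 10.1.10.0 255.255.255.0
access-list IPS_TRAFFIC extended permit ip 10.1.20.0 255.255.255.0 any
access-list IPS_TRAFFIC extended permit ip any 10.1.20.0 255.255.255.0
! Encrypted SSL traffic to the CSS VIP is simply not listed, so it never
! reaches the sensor and needs no alert tuning on the IPS side.

! Classify the selected traffic.
class-map IPS_CLASS
 match access-list IPS_TRAFFIC

! Send that class, and only that class, through the SSM inline.
! fail-open keeps traffic flowing if the module is down or reloading;
! use "ips inline fail-close" if dropping traffic during a sensor
! failure is preferable to passing it uninspected.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open

! Apply the policy to all interfaces.
service-policy global_policy global
```

After applying it, `show service-policy` on the ASA shows per-class packet counters for the IPS action, which is the quickest way to confirm that the selected VLANs' traffic is actually being diverted to the module and that the encrypted flows are not. A copy of the same ACL logic in `promiscuous` instead of `inline` mode gives an IDS-only deployment for the first test window, since the sensor then receives a copy of the traffic and cannot drop anything.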

praprama
Cisco Employee

Also, to see how an AIP SSM works with an ASA, here is a document:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ssm.html#wp1087140

Regards,

Prapanch

Hi Prapanch,

Many thanks for your replies. Unfortunately, I think you are right that inline VLAN pairs are not supported on the SSM.

One thing I am still not clear on from the documents you linked to is whether a topology like this:

Server ----> ASA(Transparent mode with SSM) ----> CSS

will allow IPS to work correctly, when the Server and CSS are both on the same VLAN, and when the links from the ASA are both trunks?

I would have expected to use inline VLAN pairs in this scenario, but that's not an option when the hardware is an SSM.

I know that the ASA could be put in routed mode, and that this should work once the IP addressing of the Server or CSS was changed, but I'm curious if it can be achieved with the ASA in transparent mode.

thanks again for your help!

Darragh

Hey Darragh,

Well, with inline VLAN pairs, the IPS will understand VLAN tagging on trunk links and will be able to change that as per the configuration. But in our case, if we use the IPS module on the trunk link (without the inline VLAN pair, as it is not supported), I do not see any reason why it will not work.

It should just process the packet without bothering about the VLAN tag in the header. Also, I don't think the transparent firewall is going to make any difference. It should work just fine. I guess the only way to test it will be to actually configure it. Let me know how it goes.

Regards,

Prapanch

Thanks again Prapanch. I'll test that setup and let you know how it works!

Hey Darragh,

Did you manage to implement and test this setup?

Regards,

Prapanch

Hi Prapanch,

Haven't been able to test this yet unfortunately, still waiting for a change window. I'll let you know once we do.
