I'm running into what appears to be an insurmountable obstacle in this environment.
I have an ASA 5512-X in place as the edge firewall and want to use the IDS module. The inside is 2 "flat" networks - that is, their default gateway points to the ASA itself (on 2 different interfaces). ASA is the only Layer 3 device on premise.
The IDS module is added and configured as 192.168.1.2 on the management network (the ASA itself is 192.168.1.1). Two other networks exist inside - wired and wireless.
I can reach the IDS module only if I'm directly on the management network, regardless of whether I am using ASDM directly to the IDS module or am connecting to the ASA first, then using the ASDM GUI to manage the IDS. The latter fails if I am in a network other than the management network (it appears the ASA is too stupid to correctly use the management interface - it uses the same source IP, presumably).
Putting the IDS module into the wired network directly does not work - it is unresponsive to telnet, SSH and ASDM communication, either directly or (in the case of ASDM) from the ASA, unless it is on the management network. This is consistent with the documentation on the MAC address/IP for the IPS module being off the management interface.
So, questions are:
- Essentially this means the IDS module *requires* an additional router on the inside unless I'm willing to have the user hard-wire into the management network every time he connects? I see no other way to access/manage the device.
- How does this affect the IDS module communication for sig updates and license checks to Cisco.com? Even if I were to add an additional router on the inside (and hop off that to the ASA), it'd fail because the ASA would see this as a directly connected route on the return path, and drop the traffic since it won't route traffic to/from the management interface.
There has to be a better way than "slap another routing device on your network". And even if we did with an inexpensive router, I don't see it addressing the second concern. Am I missing something here?
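For reference, the two configurations the post is comparing, written out as ASA CLI. This is an added illustration and not the poster's running config: the 192.168.1.1/192.168.1.2 addresses come from the post, while the interface names, the 10.0.1.0/24 "wired" network, the object name and the IPS setup line are assumptions made here to show the idea. The difference between the two is whether the Management0/0 interface carries the `management-only` keyword, which is what stops the ASA forwarding through-traffic to and from that interface.

```text
! --- Added illustration, not the original poster's config. ---
! 192.168.1.1 (ASA) and 192.168.1.2 (IPS module) are from the post;
! interface names, 10.0.1.0/24, "ips_mgmt" and the IPS setup line are assumed.

! (a) Management interface marked management-only: the ASA accepts
!     to-the-box management traffic on it but does not route through it,
!     so hosts on 10.0.1.0/24 have no path to 192.168.1.2 via the ASA.
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0

! (b) Same interface without management-only: the ASA now treats it as
!     an ordinary routed interface with a connected route to 192.168.1.0/24.
interface Management0/0
 no management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0

interface GigabitEthernet0/1
 nameif wired
 security-level 100
 ip address 10.0.1.1 255.255.255.0

! Both interfaces sit at security-level 100, so forwarding between them
! has to be permitted explicitly. If an inbound ACL is already applied on
! "wired", it must also permit tcp/443 (ASDM) and tcp/22 (SSH) to 192.168.1.2.
same-security-traffic permit inter-interface

! For the module's own outbound traffic (signature updates, licensing) its
! management default gateway is set to the ASA's management address, and the
! ASA translates it on the way out like any other inside host (assumed names).
object network ips_mgmt
 host 192.168.1.2
 nat (management,outside) dynamic interface

! On the IPS module side, in its own setup dialog (assumed values):
!   host-ip 192.168.1.2/24,192.168.1.1
```

With (a), the only way onto the module is to be on 192.168.1.0/24 yourself, which matches what the post describes. With (b), the ASA routes between the wired network and the management subnet and the module reaches the Internet through the ASA's outside interface, so no additional inside router is needed. Whether (b) is acceptable is a design choice: once `management-only` is removed, the management subnet is reachable from any inside network the ASA forwards for, so it should be treated like any other interface and locked down with access rules.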