
New Member

ASA 5510 Config Question

We have an ASA 5510 with AIP-SSM10 and will be migrating the 515E ruleset in the future. For right now I want to use the ASA behind the PIX as a bridge in order to use the IPS functionality. Would transparent mode with access lists that allow all traffic in both directions work in this situation? I don't want to drop any packets, just mirror traffic to the IPS for inspection and alerting.

Thanks

3 REPLIES
Cisco Employee

Re: ASA 5510 Config Question

Hi,

This seems to be a good solution.

This link gives you extensive information on how transparent mode works:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/firewall/fwmode.htm

It's basically a "bump in the wire" or "stealth firewall".

Hope this helps!!

Sushil

Cisco TAC

New Member

Re: ASA 5510 Config Question

Thanks for the reply Sushil. I read that document but still have a few questions that maybe you could help me with.

Could I assign a security-level of 100 to both interfaces and check the box to "allow communications between interfaces with the same security level", or just use the permit any,any access lists?

I followed the instructions exactly to forward all traffic to the AIP-SSM for inspection but receive an error. Here is my config.

I would appreciate any input.

Thank you very much

ACCESS LISTS

ASA5510# sh access-list
access-list Inside_access_in extended permit ip any any
access-list Inside_access_out extended permit ip any any
access-list Outside_access_out extended permit ip any any
access-list Outside_access_in extended permit ip any any
access-list IPS extended permit ip any any

AIP SSM CONFIG

ASA5510(config)# access-list IPS permit ip any any
ASA5510(config)# class-map lwc-ips-class
ASA5510(config-cmap)# match access-list IPS
ASA5510(config-cmap)# policy-map lwc-ips-policy
ASA5510(config-pmap)# class lwc-ips-class
ASA5510(config-pmap-c)# ips promiscuous fail-open
ASA5510(config-pmap-c)# service-policy lwc-ips-policy global
ERROR: Policy map global_policy is already configured as a service policy

Cisco Employee

Re: ASA 5510 Config Question

Could I assign a security-level of 100 to both interfaces and check the box to "allow communications between interfaces with the same security level" or just use the permit any,any access lists?

---- Yes, you can do this.

AIP SSM CONFIG

ASA5510(config)# access-list IPS permit ip any any
ASA5510(config)# class-map lwc-ips-class
ASA5510(config-cmap)# match access-list IPS
ASA5510(config-cmap)# policy-map lwc-ips-policy
ASA5510(config-pmap)# class lwc-ips-class
ASA5510(config-pmap-c)# ips promiscuous fail-open
ASA5510(config-pmap-c)# service-policy lwc-ips-policy global
ERROR: Policy map global_policy is already configured as a service policy

---- Answer:

ASA-5520-CSC-Standalone(config)# access-list IPS extended permit ip any any
ASA-5520-CSC-Standalone(config)#
ASA-5520-CSC-Standalone(config)# class-map lwc-ips-class
ASA-5520-CSC-Standalone(config-cmap)# match access-list IPS
ASA-5520-CSC-Standalone(config-cmap)# exit
ASA-5520-CSC-Standalone(config)# policy-map global_policy
ASA-5520-CSC-Standalone(config-pmap)# class lwc-ips-class
ASA-5520-CSC-Standalone(config-pmap-c)# ips promiscuous fail-open
ASA-5520-CSC-Standalone(config-pmap-c)# exit
ASA-5520-CSC-Standalone(config-pmap)# exit
ASA-5520-CSC-Standalone(config)# service-policy global_policy global

HTH..

Regards,

Sushil

Cisco TAC
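As an added check (not from the thread, and not Cisco's code), the following Python parses an ASA Modular Policy Framework fragment and flags the mistake Sushil's answer corrects: an `ips` action placed in a policy-map other than the single one applied with `service-policy ... global`. Both config fragments are constructed to mirror the thread; the function and variable names are my own.

```python
import re
# Constructed fragments, not from the thread. BROKEN mirrors the asker's intent:
# the IPS class sits in a second policy-map, but the ASA allows one global policy.
BROKEN = """\
access-list IPS extended permit ip any any
class-map lwc-ips-class
 match access-list IPS
policy-map global_policy
 class inspection_default
  inspect dns
policy-map lwc-ips-policy
 class lwc-ips-class
  ips promiscuous fail-open
service-policy global_policy global
"""
# FIXED follows Sushil's answer: the same class is added to global_policy itself.
FIXED = BROKEN.replace("policy-map lwc-ips-policy\n", "")

def parse_policy_maps(config):
    # {policy_map: {class: [actions]}}; ASA indents class by 1, actions by 2.
    pmaps, pmap, cls = {}, None, None
    for line in config.splitlines():
        indent = len(line) - len(line.lstrip())
        text = line.strip()
        if indent == 0:
            pmap = text.split()[1] if text.startswith("policy-map ") else None
            cls = None
            if pmap:
                pmaps.setdefault(pmap, {})
        elif pmap and indent == 1 and text.startswith("class "):
            cls = text.split()[1]
            pmaps[pmap].setdefault(cls, [])
        elif pmap and cls and indent >= 2:
            pmaps[pmap][cls].append(text)
    return pmaps

def global_policies(config):
    return re.findall(r"^service-policy (\S+) global$", config, re.M)

def check_ips_policy(config):
    """Findings about the IPS redirect; an empty list means it takes effect globally."""
    findings, pmaps, applied = [], parse_policy_maps(config), global_policies(config)
    if len(applied) > 1:
        findings.append(f"more than one global service-policy: {applied}")
    with_ips = [p for p, c in pmaps.items() if any(a.startswith("ips ") for l in c.values() for a in l)]
    if not with_ips:
        findings.append("no policy-map carries an 'ips' action")
    elif not set(with_ips) & set(applied):
        findings.append(f"'ips' action is in {with_ips}, but only {applied} is applied globally")
    return findings
```

Run `check_ips_policy(BROKEN)` to see the finding and `check_ips_policy(FIXED)` to confirm the corrected layout yields none.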
