03-09-2007 05:47 AM - edited 03-11-2019 02:44 AM
We have an ASA 5510 with AIP-SSM10 and will be migrating the 515E ruleset in the future. For right now I want to use the ASA behind the PIX as a bridge in order to use the IPS functionality. Would transparent mode with access lists that allow all traffic in both directions work in this situation? I don't want to drop any packets, just mirror traffic to the IPS for inspection and alerting.
Thanks
03-09-2007 05:59 AM
Hi,
This seems to be a good solution.
This link gives you extensive information on how transparent mode works:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/firewall/fwmode.htm
It's basically a "bump in the wire" or "stealth firewall".
hope this helps!!
Sushil
Cisco TAC
03-09-2007 12:53 PM
Thanks for the reply Sushil, I read that document but still have a few questions that maybe you could help me with?
Could I assign a security-level of 100 to both interfaces and check the box to "allow communications between interfaces with the same security level" or just use the permit any,any access lists?
I followed the instructions exactly to forward all traffic to the AIP-SSM for inspection but receive an error. Here is my config.
I would appreciate any input.
Thank you very much
ACCESS LISTS
ASA5510# sh access-list
access-list Inside_access_in extended permit ip any any
access-list Inside_access_out extended permit ip any any
access-list Outside_access_out extended permit ip any any
access-list Outside_access_in extended permit ip any any
access-list IPS extended permit ip any any
AIP SSM CONFIG
ASA5510(config)# access-list IPS permit ip any any
ASA5510(config)# class-map lwc-ips-class
ASA5510(config-cmap)# match access-list IPS
ASA5510(config-cmap)# policy-map lwc-ips-policy
ASA5510(config-pmap)# class lwc-ips-class
ASA5510(config-pmap-c)# ips promiscuous fail-open
ASA5510(config-pmap-c)# service-policy lwc-ips-policy global
ERROR: Policy map global_policy is already configured as a service policy
03-09-2007 01:17 PM
Could I assign a security-level of 100 to both interfaces and check the box to "allow communications between interfaces with the same security level" or just use the permit any,any access lists?
---- Yes, you can do this.
AIP SSM CONFIG
ASA5510(config)# access-list IPS permit ip any any
ASA5510(config)# class-map lwc-ips-class
ASA5510(config-cmap)# match access-list IPS
ASA5510(config-cmap)# policy-map lwc-ips-policy
ASA5510(config-pmap)# class lwc-ips-class
ASA5510(config-pmap-c)# ips promiscuous fail-open
ASA5510(config-pmap-c)# service-policy lwc-ips-policy global
ERROR: Policy map global_policy is already configured as a service policy
___ Answer:
ASA-5520-CSC-Standalone(config)# access-list IPS extended permit ip any any
ASA-5520-CSC-Standalone(config)#
ASA-5520-CSC-Standalone(config)# class-map lwc-ips-class
ASA-5520-CSC-Standalone(config-cmap)# match access-list IPS
ASA-5520-CSC-Standalone(config-cmap)# exit
ASA-5520-CSC-Standalone(config)# policy-map global_policy
ASA-5520-CSC-Standalone(config-pmap)# class lwc-ips-class
ASA-5520-CSC-Standalone(config-pmap-c)# ips promiscuous fail-open
ASA-5520-CSC-Standalone(config-pmap-c)# exit
ASA-5520-CSC-Standalone(config-pmap)# exit
ASA-5520-CSC-Standalone(config)# service-policy global_policy global
HTH..
Regards,
Sushil
Cisco TAC
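The fix above comes down to one rule: the ASA accepts a single global service policy, so the IPS class has to be added to the existing policy-map (global_policy by default) rather than to a second policy-map applied with "service-policy ... global". The following script is an added example, not Cisco code and not part of this thread; it parses an ASA config excerpt (the two sample configs are constructed from the commands in this thread) and reports whether a candidate config would hit that error, whether the IPS class actually sits in the globally applied policy-map, and whether the action is "ips promiscuous fail-open", which is what a monitor-only deployment like the one the original poster describes wants (no packets dropped if the SSM is unavailable).

```python
"""Audit an ASA config excerpt for the IPS service-policy pitfall in this thread.

Added example (not Cisco code). Assumptions: standard ASA config indentation
('policy-map X' at column 0, ' class Y' with one space, actions with two spaces),
and that the deployment is meant to be monitor-only (promiscuous, fail-open).
"""
import re
from dataclasses import dataclass, field


@dataclass
class IpsAudit:
    global_policies: list = field(default_factory=list)  # names used with 'service-policy <name> global'
    ips_actions: dict = field(default_factory=dict)      # policy-map -> [(class, 'ips ...' action)]
    problems: list = field(default_factory=list)


def parse_policy_maps(config: str) -> dict:
    """Return {policy_map: {class_name: [action, ...]}} from ASA config text.

    'policy-map type inspect ...' blocks are skipped: they never carry an 'ips' action."""
    pmaps, current_pmap, current_class = {}, None, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):                       # top-level command
            m = re.match(r"policy-map (\S+)$", line)
            current_pmap = m.group(1) if m else None
            current_class = None
            if current_pmap:
                pmaps[current_pmap] = {}
            continue
        if current_pmap is None:
            continue
        stripped = line.strip()
        if line.startswith(" class ") and not line.startswith("  "):
            current_class = stripped.split(None, 1)[1]    # ' class lwc-ips-class'
            pmaps[current_pmap][current_class] = []
        elif current_class is not None and line.startswith("  "):
            pmaps[current_pmap][current_class].append(stripped)  # '  ips promiscuous fail-open'
    return pmaps


def audit_ips_policy(config: str) -> IpsAudit:
    """Check the three things the thread turns on: one global policy, IPS class inside it, promiscuous fail-open."""
    result = IpsAudit()
    result.global_policies = re.findall(r"^service-policy (\S+) global$", config, re.M)
    if len(result.global_policies) > 1:
        result.problems.append("more than one global service-policy (ASA accepts only one): "
                               + ", ".join(result.global_policies))
    for pmap, classes in parse_policy_maps(config).items():
        for cls, actions in classes.items():
            for action in actions:
                if action.startswith("ips "):
                    result.ips_actions.setdefault(pmap, []).append((cls, action))
    if not result.ips_actions:
        result.problems.append("no 'ips' action found in any policy-map")
    for pmap, entries in result.ips_actions.items():
        if pmap not in result.global_policies:
            result.problems.append(f"policy-map {pmap} carries the IPS class but is not applied globally")
        for cls, action in entries:
            if "promiscuous" not in action or "fail-open" not in action:
                result.problems.append(f"class {cls} in {pmap}: '{action}' is not 'ips promiscuous fail-open' "
                                       "(inline or fail-close lets the SSM drop traffic)")
    return result


# Constructed sample 1: the original poster's attempt, written out as config text.
CANDIDATE_BROKEN = """\
access-list IPS extended permit ip any any
class-map lwc-ips-class
 match access-list IPS
policy-map global_policy
 class inspection_default
  inspect dns
policy-map lwc-ips-policy
 class lwc-ips-class
  ips promiscuous fail-open
service-policy global_policy global
service-policy lwc-ips-policy global
"""

# Constructed sample 2: the TAC answer, IPS class added to the existing global_policy.
CONFIG_FIXED = """\
access-list IPS extended permit ip any any
class-map lwc-ips-class
 match access-list IPS
policy-map global_policy
 class inspection_default
  inspect dns
 class lwc-ips-class
  ips promiscuous fail-open
service-policy global_policy global
"""

if __name__ == "__main__":
    for name, cfg in (("broken", CANDIDATE_BROKEN), ("fixed", CONFIG_FIXED)):
        print(name, audit_ips_policy(cfg).problems or "OK")
```

Run it against a "show running-config" capture (or a config you are about to paste in) before touching the box; the same audit flags a later change to "ips inline fail-close", which would silently turn the monitor-only bridge into a device that can drop traffic.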