ASA 5510 Config Question

brobertson
Level 1

We have an ASA 5510 with AIP-SSM10 and will be migrating the 515E ruleset in the future. For right now I want to use the ASA behind the PIX as a bridge in order to use the IPS functionality. Would transparent mode with access lists that allow all traffic in both directions work in this situation? I don't want to drop any packets, just mirror traffic to the IPS for inspection and alerting.

Thanks

3 Replies

suschoud
Cisco Employee

Hi,

This seems to be a good solution.

This link gives you extensive information on how transparent mode works:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/firewall/fwmode.htm

It's basically a "bump in the wire" or "stealth firewall".

Hope this helps!!

Sushil

Cisco TAC

Thanks for the reply Sushil, I read that document but still have a few questions that maybe you could help me with?

Could I assign a security-level of 100 to both interfaces and check the box to "allow communications between interfaces with the same security level" or just use the permit any,any access lists?

I followed the instructions exactly to forward all traffic to the AIP-SSM for inspection but receive an error. Here is my config.

I would appreciate any input.

Thank you very much

ACCESS LISTS

ASA5510# sh access-list
access-list Inside_access_in extended permit ip any any
access-list Inside_access_out extended permit ip any any
access-list Outside_access_out extended permit ip any any
access-list Outside_access_in extended permit ip any any
access-list IPS extended permit ip any any

AIP SSM CONFIG

ASA5510(config)# access-list IPS permit ip any any
ASA5510(config)# class-map lwc-ips-class
ASA5510(config-cmap)# match access-list IPS
ASA5510(config-cmap)# policy-map lwc-ips-policy
ASA5510(config-pmap)# class lwc-ips-class
ASA5510(config-pmap-c)# ips promiscuous fail-open
ASA5510(config-pmap-c)# service-policy lwc-ips-policy global
ERROR: Policy map global_policy is already configured as a service policy

Could I assign a security-level of 100 to both interfaces and check the box to "allow communications between interfaces with the same security level" or just use the permit any,any access lists?

---- Yes, you can do this.

AIP SSM CONFIG

ASA5510(config)# access-list IPS permit ip any any
ASA5510(config)# class-map lwc-ips-class
ASA5510(config-cmap)# match access-list IPS
ASA5510(config-cmap)# policy-map lwc-ips-policy
ASA5510(config-pmap)# class lwc-ips-class
ASA5510(config-pmap-c)# ips promiscuous fail-open
ASA5510(config-pmap-c)# service-policy lwc-ips-policy global
ERROR: Policy map global_policy is already configured as a service policy

___ Answer:

ASA-5520-CSC-Standalone(config)# access-list IPS extended permit ip any any
ASA-5520-CSC-Standalone(config)#
ASA-5520-CSC-Standalone(config)# class-map lwc-ips-class
ASA-5520-CSC-Standalone(config-cmap)# match access-list IPS
ASA-5520-CSC-Standalone(config-cmap)# exit
ASA-5520-CSC-Standalone(config)# policy-map global_policy
ASA-5520-CSC-Standalone(config-pmap)# class lwc-ips-class
ASA-5520-CSC-Standalone(config-pmap-c)# ips promiscuous fail-open
ASA-5520-CSC-Standalone(config-pmap-c)# exit
ASA-5520-CSC-Standalone(config-pmap)# exit
ASA-5520-CSC-Standalone(config)# service-policy global_policy global

HTH..

Regards,

Sushil

Cisco TAC
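Added example, not from this thread or from Cisco: a small Python lint that parses ASA MPF configuration text, flags the exact condition behind the ERROR above (a second global service-policy when global_policy is already applied), and reports each ips action as (mode, failure mode) so that promiscuous fail-open can be confirmed before the config is pasted into the box. The two sample configs are constructed from the commands in the thread.

```python
import re
# Constructed samples: ATTEMPT mirrors the thread's first try (global_policy is
# already applied globally, so a second global service-policy is rejected);
# FIXED has the answer's shape, the IPS class added to the existing global_policy.
ATTEMPT = """class-map lwc-ips-class
 match access-list IPS
policy-map global_policy
policy-map lwc-ips-policy
 class lwc-ips-class
  ips promiscuous fail-open
service-policy global_policy global
service-policy lwc-ips-policy global
"""
FIXED = """policy-map global_policy
 class inspection_default
  inspect dns
 class lwc-ips-class
  ips promiscuous fail-open
service-policy global_policy global
"""

def parse_mpf(config):
    # Returns ({policy_map: {class: [action, ...]}}, [(policy_map, scope), ...])
    pmaps, sps, pmap, cls = {}, [], None, None
    for line in filter(str.strip, config.splitlines()):
        text, indent = line.strip(), len(line) - len(line.lstrip())
        if indent == 0:                           # top-level command
            pmap = cls = None
            if m := re.match(r"policy-map (\S+)$", text):
                pmaps.setdefault((pmap := m.group(1)), {})
            elif m := re.match(r"service-policy (\S+) (global|interface \S+)$", text):
                sps.append((m.group(1), m.group(2)))
        elif pmap and text.startswith("class "):  # class inside a policy-map
            cls = text.split(None, 1)[1]
            pmaps[pmap].setdefault(cls, [])
        elif pmap and cls:                        # action under that class
            pmaps[pmap][cls].append(text)
    return pmaps, sps

def check(config):
    # Findings to review before pasting: more than one global service-policy
    # (the ERROR in the thread), plus every IPS action as (mode, failure mode);
    # promiscuous means the SSM only gets a copy and can alert but not drop.
    pmaps, sps = parse_mpf(config)
    glob = [p for p, scope in sps if scope == "global"]
    errors = ["multiple global service-policies: " + ", ".join(glob)] if len(glob) > 1 else []
    ips = {f"{p}/{c}": m.groups()
           for p, classes in pmaps.items() for c, actions in classes.items()
           for a in actions if (m := re.match(r"ips (promiscuous|inline) (fail-open|fail-close)", a))}
    return errors, ips
```

Run `check()` on the output of `show running-config policy-map` plus `show running-config service-policy`; an empty error list and a single promiscuous/fail-open entry is the state the thread ends with.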
