New Member
Cisco IPS | Physical Network Integration

Recently we bought 2 IPSs, and we have the topology below; we need to protect ourselves from the ravages of the internet.

Active-ISP-ROUTER-1----------ACTIVE-ASA5520------------CORE-1

Standby-ISP-ROUTER-2 ----------Standby-ASA5520-----------CORE-2

How do I integrate these 2 IPSs into my network according to the above topology? How do I physically cable these IPSs into the current topology? Please note I need inline mode.

Thanks

jamil

VIP Purple

Cisco IPS | Physical Network Integration

The easiest way to integrate an IPS appliance is to cable it between the ASA and the switch and build an inline interface pair on the IPS.

Another possibility is to use an inline VLAN pair. But there you have to reconfigure the VLANs between the core and the ASA.

But why didn't you buy the AIP-SSM for the ASAs?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

Cisco IPS | Physical Network Integration

Hi Karsten

Thanks for your reply.

Can you provide me a sample Visio diagram for this topology along with the necessary interfaces?

Thanks

jamil

VIP Purple

Re: Cisco IPS | Physical Network Integration

There is no Visio needed for that; the sensor is just physically inline:

ASA <---------------> Sensor <--------------> Core-Switch
inside-int          g0/0     g0/1          prev-int-to-ASA

On the sensor, g0/0 and g0/1 form an inline pair.


New Member

Cisco IPS | Physical Network Integration

Hi Karsten

My friend, I am new in the IPS world; please help.

Can you please draw me a Visio file with redundant IPSs according to your last post and the input I gave?

I do appreciate your time.

jamil

VIP Purple

Re: Cisco IPS | Physical Network Integration

Post a detailed diagram of your actual setup. Then let's see how to integrate the IPS. And which IPS sensors did you buy?


New Member

Cisco IPS | Physical Network Integration

Hi Karsten

Attached is the diagram. Please help according to my input.

Thanks

VIP Purple

Re: Cisco IPS | Physical Network Integration

Attached is the diagram. Please help according to my input.

That's exactly how you can integrate the sensor in your setup. So, what information do you need?


New Member

Re: Cisco IPS | Physical Network Integration

Hi Karsten

What about the high availability between the IPSs?

How should the config on these cores look in relation to the IPSs, and how must the VLAN be assigned?

Please provide a config.

Thanks

Jamil

VIP Purple

Re: Cisco IPS | Physical Network Integration

What about the high availability between the IPSs?

There is no HA *between* these IPS. IPS2 doesn't know the state of IPS1. You have two paths, which gives you the HA. If the IPS behind the active ASA fails, then that ASA fails over to the second path and your traffic continues. In such a setup you could disable the IPS Normalizer so that ongoing sessions don't need to be re-established.

How should the config on these cores look in relation to the IPSs, and how must the VLAN be assigned?

No changes here. You can use the same settings for the IPS which you used to connect your ASA.

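An added example, not part of the thread, showing the Cisco IPS 7.0 CLI for the inline interface pair Karsten describes (g0/0 and g0/1 between the ASA inside interface and the core) together with the asymmetric-traffic setting discussed in this post. The pair name ASA-CORE and the prompt names are assumptions for illustration; verify the syntax against the 7.0 CLI guide before applying it to a sensor.

```text
! Added example, not from the thread. Pair name ASA-CORE is an assumption.
sensor# configure terminal

! 1. Enable the two sensing ports cabled between the ASA inside-int and the core.
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/0
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# physical-interfaces GigabitEthernet0/1
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit

! 2. Bridge them as one inline interface pair. The sensor forwards at layer 2,
!    so the ASA and the core keep the VLAN and IP settings they already had.
sensor(config-int)# inline-interfaces ASA-CORE
sensor(config-int-inl)# interface1 GigabitEthernet0/0
sensor(config-int-inl)# interface2 GigabitEthernet0/1
sensor(config-int-inl)# exit
sensor(config-int)# exit
Apply Changes?[yes]: yes

! 3. Assign the pair to the default virtual sensor. Each sensor sees only one of
!    the two redundant paths, so after an ASA failover the surviving sensor sees
!    TCP sessions it never saw open. Asymmetric mode stops the normalizer from
!    dropping those sessions, at the cost of weaker TCP evasion protection.
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface ASA-CORE
sensor(config-ana-vir)# inline-TCP-evasion-protection-mode asymmetric
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]: yes

! 4. Verify the pair is up and passing traffic.
sensor# show interfaces
sensor# show statistics virtual-sensor
```

Repeat the same configuration on the second sensor behind the standby ASA; the two sensors share no state, so each is configured independently.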

New Member

Re: Cisco IPS | Physical Network Integration

Hi Karsten

I can't find any configuration for my scenario on the Internet to use as a reference for my setup.

Do you have any documents related to my scenario?

Thanks

jamil

VIP Purple

Re: Cisco IPS | Physical Network Integration

The most relevant documents are the installation and configuration guides:

http://www.cisco.com/en/US/docs/security/ips/7.0/installation/guide/hwguide7.html

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idmguide7.html

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cliguide7.html

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/imeguide7.html

But keep in mind that IPS is one of the most complex security controls that you can implement. You should ask your manager for training on the system:

http://tools.cisco.com/GlobalLearningLocator/courseDetails.do?actionType=executeCourseDetail&courseID=5625


New Member

Re: Cisco IPS | Physical Network Integration

Hi Karsten

Thanks a lot for your time in replying to my post.

I have an IPS 4255 with version 6; can you upgrade it to version 7 using the below code?

IPS-K9-7.0-4-E4.pkg

Thanks

jamil

VIP Purple

Re: Cisco IPS | Physical Network Integration

Yes, but you should use v7.0-8, as version 7.0-4 should not be used any more (support has ended for that release).


New Member

Re: Cisco IPS | Physical Network Integration

Thanks for your reply.

I have set up these IPSs on the Internet edge with an interface pair; now what signatures should I enable on this sensor?

Thanks

VIP Purple

Re: Cisco IPS | Physical Network Integration

Setting up and tuning a sensor is a very time-consuming task and typically takes a couple of days. So it would be best for you to use the default signature set, where Cisco has a preconfiguration that suits many customers. It's likely that it also works for you. Now it's on you to learn how the system works and how to tune it for your individual needs.
