Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA 5510 AIP-SSM Layer 2 Mode


It has been suggested to me that I could use the ASA5510 with an AIP-SSM module to perform full IPS functions in layer 2 only mode behind a Microsoft TMG server firewall.

I don't require NAT, or any other routing function, just the IPS function.

Has anyone used the ASA like this?  Is it possible? Any suggestions?



Everyone's tags (4)

ASA 5510 AIP-SSM Layer 2 Mode

Yes it's mostly possible. We run some of our ASA/AIP-SSM devices like this. The main motivation is the low cost of this bundle. You need to disable as much of the firewall functionality as possible (and some things it does you can't turn off, but they're minor).

If you were planning on making this an in-line sensor, there aren't too many drawbacks (additional ASA OS to babysit, upgrade, additional Ethernet interface for mgmt, etc). But if you wanted to use this as a promiscuous mode IDS you still need to run your traffic thru the box. There is no way to use the ASA with a span port or tap. As a result any outage of the ASA (reboot after you upgraded that OS) will result in a network outage. Reboot that IPS sensor, network outage. (unless you remove the IPS config from the ASA first = PITA).

- Bob