New Member

ASA 5525-X IPS Deployment

I need some guidance on implementing the Cisco ASA-5525X IPS. I have dedicated firewalls performing access controls and now have to implement a dedicated IPS on the ASA-5525X. So in this case, on my ASA IPS:

a) I still need to create and bind ACLs (with full access, since there is a dedicated firewall for access control) on all interfaces, right?

b) What is the recommended way of creating the IPS class-map ACL? Is there any issue with defining ACLs with permit ip any any?


Accepted Solutions
VIP Purple

Re: ASA 5525-X IPS Deployment

If you want to use your ASA only as an IPS, then all access control has to be "permit any any". You can even activate state-bypass to remove any firewalling on that ASA. And when you go into transparent mode, it's quite similar to what is done with the dedicated IPS appliances.

On your service-policy you can also use "permit ip any any" to send all traffic to the IPS module.


Sent from Cisco Technical Support iPad App

-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
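
The permit-all interface ACLs and the service policy described in the answer above, as an added configuration example that was not posted by either participant. The interface names (`outside`, `inside`) and the ACL and class names are assumptions; `global_policy` is the ASA's default policy-map name.

```cisco
! Added example: ASA used only as an IPS behind/in front of a separate firewall.
! Assumed names: interfaces outside/inside, ACLs OUTSIDE-IN, INSIDE-IN,
! IPS-TRAFFIC, and class-map IPS-CLASS.
!
! Interface ACLs: pass everything, access control happens on the dedicated firewall
access-list OUTSIDE-IN extended permit ip any any
access-list INSIDE-IN extended permit ip any any
access-group OUTSIDE-IN in interface outside
access-group INSIDE-IN in interface inside
!
! Select all IP traffic for inspection by the IPS module
access-list IPS-TRAFFIC extended permit ip any any
class-map IPS-CLASS
 match access-list IPS-TRAFFIC
!
policy-map global_policy
 class IPS-CLASS
  ! inline: the module sits in the forwarding path and can drop traffic
  ! fail-open: keep forwarding if the module is unavailable
  ! (fail-close would block matching traffic instead)
  ips inline fail-open
!
service-policy global_policy global
```

After applying it, the packet counters for IPS-CLASS in `show service-policy` show whether traffic is actually being handed to the module.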
New Member

ASA 5525-X IPS Deployment

How can I activate state-bypass to remove firewalling on ASA?

VIP Purple

ASA 5525-X IPS Deployment

It's configured in a TCP-Map:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_connlimits.html

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni