New Member

ASA 5525x, ASA CX 9.2 IPS Filtering

Hello,

Recently a client migrated to ASA 5525x, ASA OS 9.1(1). The task now is to implement an Intrusion Prevention System while keeping the ASA CX module. From what I've read so far, both software modules, IPS and CX, can't run simultaneously on one ASA, so my first question is "Is that true?".

Also, I see that the ASA CX 9.2(1.1) Build 48 is the first release that offers IPS Filtering. Does anyone know how close that CX feature is to the actual IPS module? I can't find anything specific on that matter. In the release for "ASA CX and Cisco Prime Security Manager 9.2" it's said: "Next Generation IPS filtering is a separately-licensed service...". Does that mean that if I upgrade to ASA CX 9.2 the IPS Filtering won't be enabled? What kind of license is needed if that is the case?

The bottom line question is if there is a different way to achieve keeping both CX and IPS, other than run the ASA CX on the firewall and adding separate IPS device to the network.

Thank you in advance.

Accepted Solutions
New Member

ASA 5525x, ASA CX 9.2 IPS Filtering

Release Notes for 9.2 go into the features.

http://www.cisco.com/c/en/us/td/docs/security/asacx/roadmap/asacxprsm_new_features.html#wp43613

The data sheet tells you which part number to order:

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/data_sheet_c78-701659.html

I ordered L-ASA5525-AW5Y= previously and wanted to add the NG IPS piece to this. I was told to order L-ASA5525-IPS-SSP. That is NOT the correct part number as, as you point out, the CX module and IPS module cannot run simultaneously.

The data sheet only has AVC and WSE or AVC, WSE, IPS.  Not individual licenses.  So IF you have already ordered the AVC and WSE piece of this I am not sure what part number you need to order to add only the IPS, but the NG IPS will be on the CX module.

So yes you can run AVC, WSE, and IPS on the CX module without purchasing an additional IPS.

CJ

6 REPLIES

ASA 5525x, ASA CX 9.2 IPS Filtering

As of now you can run CX or IPS but not both.

The new release 9.2 talks about support for IPS filtering.

http://www.cisco.com/en/US/partner/docs/security/asacx/roadmap/asacxprsm_new_features.html

New Member

ASA 5525x, ASA CX 9.2 IPS Filtering

Yes, I've read the document and the second paragraph in my question is regarding its contents.

New Member

This is what we purchased, an ASA with the 120 SSD and the IPS Service license for the CX module:

ASA5512-SSD120-K9

L-ASA5512-IP1Y=

However, we had intended to buy the classic IPS module, but were told to get this instead by our vendor. We are in the process of trying to figure out which is best for our client, who only wants IPS.

New Member

Hi,

The CX IPS (Next Generation IPS) is completely different from the classic IPS SSP. It offers fewer threat signatures (800 as of today), it can't be managed through IDM, IME or CSM and offers no signature customization options.

The only option which can be controlled is whether it is "on" or "off" globally, and for a specific policy. Moreover, there is little to no documentation available.

Radu

New Member

This link is something I stumbled across that will address the IPS licensing piece for the CX:

https://supportforums.cisco.com/sites/default/files/legacy/8/9/7/15376798-Cisco%20ASA%20NGFW%20Cheat%20Sheet.pdf
