11-03-2008 11:02 AM - edited 03-10-2019 04:21 AM
Hi all,
I am looking at implementing an ASA system for multiple branches (17) in a client site.
I know that the ASA 5510 can have the AIP-SSM module installed, where the 5505 cannot. I want to be able to offer firewall, an IPSEC VPN back to the hub site and IPS in a promiscuous mode. I believe the ASA 5510 w/ AIP-SSM can do this.
I would ideally place the ASA at the ingress point to the branch office to monitor traffic coming into the branch office and use RSPAN to forward all traffic from a sensitive VLAN mirrored to a capture port on the ASA. I'm assuming this can be done, but I would like to make sure.
So, in a nutshell, can the ASA act as a border firewall AND be used to perform IPS functionality on an RSPAN port, where the 4 switches (4 different closets) forward all traffic via the RSPAN port into the ASA AIP-SSM card?
Thanks.
11-03-2008 11:15 AM
no
11-03-2008 11:33 AM
Why not!? I have used an ASA as a fw, VPN termination and IPS device no problem....
Dazzler
11-03-2008 11:35 AM
Hang on, have re-read the post. I think I know where you are coming from, there is no promiscuous port to SPAN to. You can however use IPS on traffic passing through the firewall....
11-03-2008 11:39 AM
So would there be any way to monitor the traffic going on inside the branch office? Would getting a separate IPS be the only way?
11-03-2008 12:31 PM
yes
11-03-2008 03:29 PM
Hi rhermes,
Could you possibly expand on your answer? Is it because I am trying to do passive monitoring? Could I do in-line monitoring in this scenario instead?
Thanks
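Added example (not posted by anyone in this thread) showing how the AIP-SSM actually receives traffic on an ASA 5510, which is the point behind both Dazzler's "there is no promiscuous port to SPAN to" and the later question about in-line versus passive monitoring. The module is fed through the ASA's Modular Policy Framework, so it only ever sees packets the ASA itself is forwarding; an RSPAN feed from the closet switches has nowhere to land. The access-list, class-map and policy names, and the 10.1.50.0/24 "sensitive VLAN" subnet, are illustrative assumptions for this example.

```cisco
! Added example: redirecting firewalled traffic to the AIP-SSM via MPF.
! Names and the 10.1.50.0/24 subnet are assumptions made for illustration.
!
! Only traffic that crosses the ASA can be inspected. Host-to-host traffic
! that stays inside the sensitive VLAN never reaches this policy.
access-list IPS_TRAFFIC extended permit ip any 10.1.50.0 255.255.255.0
access-list IPS_TRAFFIC extended permit ip 10.1.50.0 255.255.255.0 any
!
class-map BRANCH_TO_IPS
 match access-list IPS_TRAFFIC
!
! Promiscuous mode: the ASA forwards the packet and hands a copy to the
! module. fail-open keeps forwarding if the module is down or rebooting.
policy-map global_policy
 class BRANCH_TO_IPS
  ips promiscuous fail-open
!
! Inline alternative (pick one; do not apply both to the same class):
! the packet is held until the module returns it, so the sensor can drop.
! fail-close blocks the matched traffic if the module is unavailable.
! policy-map global_policy
!  class BRANCH_TO_IPS
!   ips inline fail-close
!
! Apply globally, or per interface with
!   service-policy <name> interface outside
service-policy global_policy global
```

The choice between `fail-open` and `fail-close` is the operational decision to make deliberately: with promiscuous mode a module failure only loses visibility, but with inline mode `fail-close` turns a sensor outage into a branch outage for whatever the class-map matches, so scope the access-list to the traffic you genuinely want blocked on failure.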