Cisco Support Community
Community Member

ASA and RSPAN

Hi all,

I am looking at implementing an ASA system for multiple branches (17) in a client site.

I know that the ASA 5510 can have the AIP-SSM module installed, where the 5505 cannot. I want to be able to offer firewall, an IPSEC VPN back to the hub site and IPS in a promiscuous mode. I believe the ASA 5510 w/ AIP-SSM can do this.

I would ideally place the ASA at the ingress point to the branch office to monitor traffic coming into the branch office and use RSPAN to forward all traffic from a sensitive VLAN mirrored to a capture port on the ASA. I'm assuming this can be done, but I would like to make sure.

So, in a nutshell, can the ASA act as a border firewall AND be used to perform IPS functionality on an RSPAN port, where the 4 switches (4 different closets) forward all traffic via the RSPAN port into the ASA AIP-SSM card?

Thanks.

6 REPLIES
Gold

Re: ASA and RSPAN

no

Community Member

Re: ASA and RSPAN

Why not!? I have used an ASA as an fw, VPN termination and IPS device no problem....

Dazzler

Community Member

Re: ASA and RSPAN

Hang on, have re-read the post. I think I know where you are coming from, there is no promiscuous port to SPAN to. You can however use IPS on traffic passing through the firewall....

Community Member

Re: ASA and RSPAN

So would there be any way to monitor the traffic going on inside the branch office? Would getting a separate IPS be the only way?

Gold

Re: ASA and RSPAN

yes

Community Member

Re: ASA and RSPAN

Hi rhermes,

Could you possibly expand on your answer? Is it because I am trying to do passive monitoring? Could I do in-line monitoring in this scenario instead?

Thanks
