Cisco Support Community
Community Member

ASA5510 with AIP-SSM deployment question


I am slightly confused about this kit. We just want to implement the ASA 5510 as an IDS at the moment; doing no more than just watching traffic from one VLAN. My questions are:

1) I have configured it in promiscuous mode. I have configured a port SPAN on the switch with the source as VLAN 168 and the destination as Gig 0/1 on the ASA box.

--> Can I use just this interface to sense the traffic, with no inside or outside interface defined?

2) I have configured a service policy through ASDM and assigned Gig 0/1 to the virtual sensor.

---> It just shows Gig 0/1 under VS0. Why is that? Does this mean I can use only one interface for promiscuous mode?

3) The live monitoring in the GUI was showing absolutely no traffic on Gig 0/1. The SPAN was OK, but I am not sure why this didn't get any traffic.

When I connected a machine directly to Gig 0/1 and did a packet capture, I could see packets there.

Am I missing anything here? Any help on this will be greatly appreciated.



Community Member

Re: ASA5510 with AIP-SSM deployment question


Check out my previous post which steps through how to get the IPS module working inside an ASA appliance.

This should help you get it working properly. Please remember to rate helpful posts. Thanks!


Community Member

Re: ASA5510 with AIP-SSM deployment question

Hi Jon

Thanks for your reply. I have seen your previous post and the links as well. All the examples show a configuration with inside/outside interfaces, which is different to what I am trying to achieve here. I just want to use Gig 0/1 as a sensor receiving SPANned traffic. Probably the answer is simple, but I failed to see any traffic on Gig 0/1 when deployed this way. And yes, I had a policy directing 'Any Traffic' to it.



Community Member

Re: ASA5510 with AIP-SSM deployment question

I believe in order to get this scenario to work, the ASA will need to be placed inline via Layer 2. I don't believe hanging it off of a SPAN port will work.

I believe this is done by tying two separate VLANs together into a single broadcast domain via the ASA. Once the ASA is inline as such, it should see all of the Layer 2 traffic, and send the appropriate traffic to the IPS via the service-policy. Hope this helps.
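The inline Layer 2 design the reply above describes, written out as an added ASA configuration example (pre-8.4 transparent-mode syntax); this is not part of the original thread, and the interface roles, hostname and management address are assumptions. The SPAN session from the question is not used here: the switch instead places the two sides of VLAN 168's traffic on either side of the ASA, which bridges them and copies everything to the AIP-SSM.

```cisco
! Transparent (Layer 2) mode: the ASA bridges outside <-> inside instead of
! routing, so it forwards every frame and can hand a copy to the IPS module.
! Note: switching to transparent mode clears the running configuration.
firewall transparent
hostname asa5510-ips
!
! Assumed interface roles: Gig 0/0 towards the upstream switch/router,
! Gig 0/1 towards the hosts that used to be SPAN-monitored.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! In transparent mode the device gets one management address (assumed value),
! not one address per bridged interface.
ip address 192.0.2.10 255.255.255.0
!
! Match all traffic crossing the bridge and copy it to the AIP-SSM.
! "promiscuous" = monitor-only (IDS); "fail-open" keeps traffic flowing if
! the module is down, which is the safe choice for a monitor-only sensor.
class-map IPS-TRAFFIC
 match any
!
policy-map IPS-POLICY
 class IPS-TRAFFIC
  ips promiscuous fail-open
!
! Apply on all interfaces so both directions of the bridged traffic are seen.
service-policy IPS-POLICY global
```

After traffic is flowing, `show service-policy` on the ASA reports the IPS card status and its packet input/output counters, which is the quickest way to confirm the module is actually receiving copies rather than relying only on the sensor's live monitoring view.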
