
New Member

Cisco ASA 5512

Hi Guys,

I have a basic setup.

I have a Cisco ASA5512. Gig0 is connected to the internet.

Gig1 is the 'inside' network, which has an IP of 192.168.35.254; this plugs into our switch on the LAN.

We do not have a management interface set up.

My question is: does the IPS IP need to be on the same network as my inside interface, and what do I set my gateway to? Would it be 192.168.35.254? This is my first time, so I have not had any experience with this before.

Any help will be greatly appreciated.

Thanks


10 REPLIES
New Member

Hi James,

5512-X?

In order to manage the IPS module in your ASA from ASDM (you can manage it using "session ips" from the CLI) you will need to enable the management interface on the ASA and use this address as the gateway for your IPS module, so they will need to be on the same IP subnet.

New Member

I currently do not use the management interface; I access ASDM from the LAN on the 192.168.35.0 subnet. Does this mean I have to have a management interface? Will I have to plug this into my LAN switch? I'm aware the management interface IP cannot be on the same subnet as my LAN, as it brings up an error about overlapping subnets.

Sorry for the stupid questions.

Thanks

New Member

It's no problem mate :)

There are slight differences between some of the newer model ASAs (X series) that mean you can only use the management interface as your gateway.

If you're not able to ping your gateway (inside interface) from your IPS when using that as your gateway, then you'll have to configure your management interface and use this as your default gateway instead.

Let me know if you need any further info.

New Member

Here is my interface config on the ASA:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group WRG
 ip address pppoe setroute
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.999
 vlan 999
 nameif inside
 security-level 100
 ip address 192.168.25.254 255.255.255.0

I'm unable to ping 192.168.35.254 from within the IPS. Please see the IPS basic config:

 Version 7.1(4)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S615.0   2012-01-03
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 192.168.25.250/24,192.168.25.254
host-name test
telnet-option disabled
access-list 0.0.0.0/0
access-list 192.168.25.0/24
dns-primary-server enabled
address 8.8.8.8
exit
dns-secondary-server enabled
address 4.4.4.4

Does that mean I need to set up my management interface with an actual IP? Then will I need to plug that into my local LAN switch? All traffic in the LAN is pointed at 192.168.35.254 to route out to the internet; I'm just unsure how this management interface works.

Hope it makes sense.

Thanks

New Member

Sorry, that should have said unable to ping 192.168.25.254.

New Member

Yeah, it looks as though you'll need to use your management interface (on the same subnet) and keep it connected. Here is my config for the same arrangement:

IPS:
service host
network-settings
host-ip 10.201.29.10/29,10.201.29.9
host-name ssc-wlan-fw-ips-1
telnet-option disabled
access-list 0.0.0.0/0

ASA:
interface Management0/0
 description Management interface for IPS module
 nameif management
 security-level 100
 ip address 10.201.29.9 255.255.255.248
 management-only

Keep posting if you need further help :)

New Member

OK, I think I understand. However, traffic from my LAN goes out through the LAN interface of 192.168.35.254. Would I now have to point the LAN traffic to the management interface, or would it still go via the 'inside' interface?

How does the traffic route via the IPS from the internet?

INTERNET>OUTSIDE INTERFACE>MANAGEMENT>INSIDE>LAN??

So I will have the following setup:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group WRG
 ip address pppoe setroute
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.999
 vlan 999
 nameif inside
 security-level 100
 ip address 192.168.25.254 255.255.255.0

interface Management0/0
 ip address 192.168.35.254 255.255.255.0

IPS IP will be 192.168.35.254 255.255.255.0

Thanks again. Great help so far :)
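As an added example (not part of this thread or of any Cisco tool), a small Python checker for the addressing rules the replies above describe: the IPS gateway must sit inside the IPS subnet and be the ASA management address, the IPS must not reuse that address, and the management subnet must not overlap another ASA interface (the overlapping-subnets error mentioned earlier). The sample configs are constructed from the ones posted in this thread; run against the proposed setup above, it flags the IPS address colliding with Management0/0.

```python
import ipaddress

# Constructed samples based on the thread: PROPOSED is the poster's plan (IPS address
# equal to the Management0/0 address); WORKING is the answerer's layout.
PROPOSED_ASA = """
interface GigabitEthernet0/1.999
 nameif inside
 ip address 192.168.25.254 255.255.255.0
interface Management0/0
 nameif management
 ip address 192.168.35.254 255.255.255.0
"""
PROPOSED_IPS = "host-ip 192.168.35.254/24,192.168.35.254"
WORKING_ASA = """
interface Management0/0
 nameif management
 ip address 10.201.29.9 255.255.255.248
"""
WORKING_IPS = "host-ip 10.201.29.10/29,10.201.29.9"

def parse_asa_interfaces(text):
    """Map each nameif to its ip_interface (address plus mask)."""
    ifaces, nameif = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface "):
            nameif = None  # new interface block: forget the previous name
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, addr, mask = line.split()
            ifaces[nameif] = ipaddress.ip_interface(f"{addr}/{mask}")
    return ifaces

def check_ips_addressing(asa_text, host_ip_line, mgmt_nameif="management"):
    """Return a list of problems with the IPS host-ip/gateway pair; [] means OK."""
    ips_part, gw_part = host_ip_line.split()[1].split(",")
    ips_if, gateway = ipaddress.ip_interface(ips_part), ipaddress.ip_address(gw_part)
    ifaces, problems = parse_asa_interfaces(asa_text), []
    if gateway not in ips_if.network:
        problems.append("gateway is outside the IPS subnet")
    if ips_if.ip == gateway:
        problems.append("IPS address is the same as its gateway")
    mgmt = ifaces.get(mgmt_nameif)
    if mgmt is None:
        return problems + [f"ASA has no interface named {mgmt_nameif}"]
    if mgmt.ip != gateway:
        problems.append("gateway is not the ASA management address")
    for name, other in ifaces.items():  # the ASA rejects overlapping subnets
        if name != mgmt_nameif and mgmt.network.overlaps(other.network):
            problems.append(f"management subnet overlaps interface {name}")
    return problems
```

It checks addressing only; it cannot tell you that an X-series module will only accept the management interface as its gateway, which is the platform point made earlier in the thread.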

New Member (Accepted Solution)

You don't need to route through the management interface, the IPS sits inline and traffic is 'diverted' from your outside interface through the IPS (for inspection) to your inside interface.

This doc goes into a more detailed explanation (including configuration): http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/modules_ips.html#wp1087140

If you do need further assistance with your config though just ask.

New Member

I will check it out sometime tomorrow/next week.

If I have any problems I will let you know.

Thanks for taking time out to help me, much appreciated.

New Member

Sorry, one more thing I forgot to ask. As my management interface 192.168.35.254 will be on a different subnet to my LAN, when I plug it into my LAN switch, which is on the 192.168.25.0 network, how will it communicate with my LAN? Do I need to plug it into my LAN switch?

Thanks
