I want to configure a new asa 5510 with a SSM module to carry out IPS/IDS across a trunk.
At present, SSL traffic comes in from the internet through an external firewall, down through a web switch to a CSS where the SSL terminates. The traffic is then load balanced to a number of webservers, all of which are connected to the same web switch. This is probably better explained in the attached diagram.
Ideally I would like to place the ASA (with SSM module) between the web switch and the CSS (on the trunk link in the diagram) and have it carry out IDS/IPS on two VLANs (carrying the unencrypted traffic) and not carry out IDS on the encrypted traffic, although if need be I can just tune out alerts for the encrypted traffic.
Is it possible to do this with the asa in transparent mode, using Inline VLAN pairs?
Inline VLAN pairs are not supported on AIP SSMs if I am not mistaken. But if you would like to monitor only 2 VLANs, you can configure the module in inline mode and use an ACL to specify what traffic to send to the IPS from the ASA. Here is a config guide:
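The approach described in this reply (module in inline mode, ACL deciding which traffic the ASA diverts to the AIP-SSM) looks like the following on the ASA. This is an added illustration, not the poster's configuration and not from the linked guide; the subnets 10.1.10.0/24 and 10.1.20.0/24 stand in for the two unencrypted VLANs and are assumed, and the deny entries for TCP 443 keep the still-encrypted SSL traffic out of the IPS class so it never reaches the sensor (matching the original poster's wish not to inspect it rather than tuning out alerts afterwards).

```cisco
! Traffic selection for IPS diversion (constructed example).
! Deny ACEs in a class-map ACL exclude traffic from the class, so
! encrypted HTTPS is listed first and never sent to the AIP-SSM.
access-list IPS_TRAFFIC extended deny tcp any any eq 443
access-list IPS_TRAFFIC extended deny tcp any eq 443 any
! Only the two unencrypted VLAN subnets (assumed addresses) go to IPS,
! in both directions so replies are inspected as well.
access-list IPS_TRAFFIC extended permit ip 10.1.10.0 255.255.255.0 any
access-list IPS_TRAFFIC extended permit ip any 10.1.10.0 255.255.255.0
access-list IPS_TRAFFIC extended permit ip 10.1.20.0 255.255.255.0 any
access-list IPS_TRAFFIC extended permit ip any 10.1.20.0 255.255.255.0
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! Attach the class to the global policy so the ACL-matched flows are
! handed to the sensor inline; everything else bypasses the module.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
!
service-policy global_policy global
```

`ips inline fail-open` keeps traffic flowing if the sensor application fails or is reloading; use `fail-close` instead if you would rather drop the selected traffic than pass it uninspected. Verify the diversion with `show service-policy ips` on the ASA, which shows packet counts per class, and confirm on the sensor that only the two VLAN subnets appear in its events.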
Many thanks for your replies - Unfortunately, I think you are right that inline vlan pairs are not supported on the SSM.
One thing I am still not clear on from the documents you linked to is whether a topology like this:
Server ----> ASA(Transparent mode with SSM) ----> CSS
will allow IPS to work correctly, when the Server and CSS are both on the same Vlan, and when the links from the ASA are both trunks?
I would have expected to use inline VLAN pairs in this scenario, but that's not an option when the hardware is an SSM.
I know that the ASA could be put in routed mode, and that this should work once the IP addressing of the Server or CSS was changed, but I'm curious if it can be achieved with the asa in transparent mode.
Well, with inline VLAN pairs the IPS will understand VLAN tagging on trunk links and will be able to change that as per the configuration. But in our case, if we use the IPS module on the trunk link (w/o the inline VLAN pair as it is not supported), I do not see any reason why it will not work.
It should just process the packet without bothering about the VLAN tag in the header. Also, I don't think the transparent firewall is going to make any difference. It should work just fine. I guess the only way to test it will be to actually configure it. Let me know how it goes.