593 Views | 10 Helpful | 4 Replies

IDSM2 with FWSM with contexts

s.mills
Level 1

Hiya,

I'm not a Security guy so keep it simple!

If deploying a FWSM with multiple contexts, and you have an IDSM-2 installed:

Does the IDSM need to be split into contexts to match the FWSM contexts?

If not, does it just monitor the backplane traffic and not care about the multiple contexts?

Accepted Solution

Fernando_Meza
Level 7

Hi .. by looking at your diagram .. I suggest trying to place the IDSM-2 so that traffic is inspected after the firewall policies have been checked; otherwise you might end up inspecting traffic that will be blocked by the firewall anyway. You also need to create what are called boundary VLANs so that your IDSM bridges the traffic between the inline VLANs... Confused ..?

It gets a bit "blue" when you try inspecting inline on a module. For example, let's say you have Context1 with interfaces VLAN10 (outside) and VLAN20 (inside). You would have to create another VLAN30 (boundary VLAN). You then need to move the devices ONLY (not the ASA's interface) from VLAN20 to VLAN30 (only change VLAN membership, not the IP scheme). Next, on one of the IDSM-2 sensing ports you need to create a VLAN inline pair (it uses subinterfaces) which bridges VLAN20 <-> VLAN30. In that way traffic to/from your inside devices will traverse the IDSM-2 before reaching its destination.

I suggest that you create a test context, allocate the 2 VLANs, create the VLAN inline pair on the IDSM-2 and test. Once you are happy you can replicate the same configuration for the production contexts.

Below is a brief example of what you need to do for each context:

sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/2
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# description INT1
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# vlan1 52
sensor(config-int-phy-inl-sub)# vlan2 53
sensor(config-int-phy-inl-sub)# description pairs vlans 52 and 53
sensor(config-int-phy-inl-sub)# show settings
   subinterface-number: 1
   -----------------------------------------------
      description: VLANpair1 default:
      vlan1: 52
      vlan2: 53
   -----------------------------------------------
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]:

I hope it helps ... please rate it if it does !!!
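The sensor-side commands above cover only half of the procedure the answer describes. As an added illustration (not part of Fernando's post, and not quoted from Cisco documentation), here is the matching Catalyst 6500 and FWSM system-context configuration for one context whose inside hosts are moved from VLAN 20 to boundary VLAN 30 while the firewall keeps VLAN 20. The slot numbers (FWSM in slot 5, IDSM-2 in slot 13), the host port, the context name and the VLAN numbers are assumed values chosen for the example; the `trunk allowed-vlan` form of the `intrusion-detection module` command is the one I would expect for inline VLAN pair mode, as opposed to the per-port `access-vlan` form quoted later in this thread, and is labelled as an assumption in the comments.

```cisco
! Catalyst 6500 supervisor (IOS) - constructed example; every slot, port, VLAN and name is assumed
!
! 1. VLANs for the context: 10 = outside, 20 = inside (firewall side), 30 = boundary (host side)
!    VLAN 30 carries the SAME IP subnet as VLAN 20; only the Layer 2 membership changes.
vlan 10
 name ctx1-outside
vlan 20
 name ctx1-inside
vlan 30
 name ctx1-boundary
!
! 2. Hand VLANs 10 and 20 to the FWSM in slot 5 (VLAN 30 is deliberately NOT given to the firewall)
firewall vlan-group 1 10,20
firewall module 5 vlan-group 1
!
! 3. Move the inside hosts, and only the hosts, from VLAN 20 to VLAN 30
interface GigabitEthernet3/1
 description ctx1 inside host (was access vlan 20)
 switchport
 switchport mode access
 switchport access vlan 30
!
! 4. Give IDSM-2 data-port 1 (slot 13) a trunk that carries exactly the two VLANs of the pair
!    (assumed command form for inline VLAN pair mode; the sensor bridges 20 <-> 30 on the
!     sensing interface that corresponds to data-port 1, with vlan1 20 / vlan2 30)
intrusion-detection module 13 data-port 1 trunk allowed-vlan 20,30
!
! FWSM system execution space - the context is unchanged by the boundary VLAN
context ctx1
 allocate-interface vlan10 outside
 allocate-interface vlan20 inside
 config-url disk:/ctx1.cfg
```

Two points worth checking after applying this. First, a host on VLAN 30 can now reach the context's inside interface on VLAN 20 only through the sensor subinterface pair, so if the pair is shut down the host should lose connectivity to the firewall; if it does not, the host is still in VLAN 20 or another path bridges the two VLANs. Second, repeat the pattern per context with a distinct boundary VLAN and a distinct subinterface number on the sensor, since one VLAN may belong to only one pair.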


4 Replies

drolemc
Level 6

You need to create separate VLANs for the IDSM to monitor multiple contexts of the FWSM.


Thanks Fernando,

Excellent feedback. Just what I required.

Best Regards

Steve

Hi Fernando,

So you mean, for the IDSM2+Cat6500 scenario, we can only use "Inline VLAN Pairs Mode" as described in http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cliguide/cliinter.htm#wp1046883, right?

"Inline Interface Mode" is not an option.

For "Inline VLAN Pairs Mode", the document suggests the VLAN pair 52&53 should be configured in the Cat6K as follows:

intrusion-detection module 13 data-port 1 access-vlan 52
intrusion-detection module 13 data-port 2 access-vlan 53

But only one sensing interface, i.e. gi0/7, is applied. Should we set it as a trunk interface to allow only VLANs 52&53?

One last question is about the boundary VLAN without changing the IP scheme:

Does it mean that VLAN 52&53(in one Cat6K) belong to one IP subnet?
