IPS 4200 sensors behind Cisco PIX

turbo_engine26 · ‎11-26-2006

Hello all,

I've two Cisco PIX firewalls configured as failover pair in active/passive fashion. I want to deploy two IPS 4235 inline mode sensors behind those firewalls.

What would be the connectivity looks like?!

I know that there is a layer 2 switch must exists to terminate all the devices legs on it. what else should be performed in addition configuring the inline pair?

Please advise.

Thx

Turbo

a.kiprawih · ‎11-26-2006

It depends. It will be easier if you have dedicated hub/switch to use, or a switch with enought ports to host L2 Vlans for Outside and Inside segments to be protected by IPS.

With dedicated hub/switch:

Router <-> IPS Pair#1 <-> outside:PIX (Active & Standby):inside <-> IPS Pair#2 <-> internal network

IPS Pair#1: port 1 to Router, port2 to hub

IPS Pair#2: port 3 to Router, port4 to hub

For single switch to host both IPS inline pairs:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddcd38e

However, eventhough you have redundant firewall, bear in mind that using single switch can be a single point of failure.

HTH

AK

a.kiprawih · ‎11-26-2006

BTW, the 2xIPS in the diagram is only a logical separation based on inline pair for Outside and Inside firewall segments. Physically, it's still a single box.

Fernando_Meza · ‎11-26-2006

Hi ..

would not be better to use the second IPS as redundant by connecting it between the Core and the Inside interface of the Firewalls instead of using one IPS on the outside to monitor packets which could be dropped by the ASAs anyway ..

just a thought !!!

a.kiprawih · ‎11-27-2006

Agree, it's far better option (I overlooked at the two ipsboxes).