Is it possible to trunk VLANs over the IPS module on the ASA so that traffic OTHER than the traffic normally passing through the ASA (from inside interface to outside interface) can be monitored?
In this scenario, the ASA is being used as a VPN concentrator. We know that we can monitor the traffic from remote VPN users as it passes through the ASA, but would also like to use the IPS to monitor traffic spanned or mirrored from another switch to the ASA.
The IPS Module is only designed to monitor traffic flowing through the ASA. External devices are not able to pass traffic to the IPS Module for monitoring; the traffic must be passed live through the ASA, and then, using policies within the ASA, the traffic can be passed on to the IPS Module for either promiscuous or inline monitoring.
So even though the IPS Module itself is capable of Promiscuous Monitoring, it is only Promiscuous Monitoring of traffic that is being passed live (InLine) through the ASA.
The ASA itself is not capable of Promiscuous monitoring.
The ASA is designed to only pass live traffic through the ASA, and has not been designed for receiving spanned or mirrored traffic.
Your only alternative would be to switch to multiple context mode (may require a license upgrade) and then create a second context. In that second context the ASA can be a router/firewall in the other network you want to monitor. (I assume you are using Routed Mode and Not Transparent Mode since you are using it as a VPN Concentrator).
A simple method may be to put that second context as a router between your existing network and the existing default gateway. The ASA would be given the existing IP address of the default gateway, and a new small subnet created between the ASA and the gateway. You would need to come up with a new subnet and place both the ASA and the gateway into that subnet.
All traffic from your internal network would then have to pass through the ASA to get to the main gateway. And in passing through the ASA it could then be monitored by the IPS Module.
If you were not using the ASA in Routed Mode already, then you could alternatively have used the ASA in Transparent mode between the internal network and the default gateway. Then the gateway could have kept its existing IP Address and there would be no need to create the new subnet.
The other alternative is to purchase an IPS Sensor Appliance. This is one advantage of the Appliance over the ASA IPS Module. The Appliance can be deployed in a Promiscuous Mode with respect to the network, while the IPS Module's Promiscuous capability is limited to monitoring only what is already passing through the ASA.
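The two pieces of the answer above, as an added configuration example that is not from the original post, from marcabal, or from Cisco documentation: first, the ASA service policy that hands through-traffic to the IPS module (promiscuous or inline), and second, the multiple-context layout in which a second routed context takes over the LAN's old gateway address and sits in front of the real gateway on a new transit subnet. Context names (`vpn`, `monitor`), interface IDs, class/policy names, the virtual sensor name `vs0` and all addresses (192.0.2.0/24, 198.51.100.0/30) are assumptions chosen for illustration.

```cisco
! Added example, not the original poster's or Cisco's configuration.
! All names, interface IDs, sensor name and addresses are assumed.
!
! ---- Part 1: single-context ASA, send through-traffic to the IPS module ----
! Only traffic the ASA itself forwards reaches the module; a SPAN/mirror
! feed from a switch cannot be pointed at it.
class-map IPS_CLASS
 match any
!
policy-map global_policy
 class IPS_CLASS
  ! promiscuous: the sensor gets a copy, ASA keeps forwarding if it fails
  ips promiscuous fail-open
  ! alternative, inline: the sensor sits in the forwarding path
  ! ips inline fail-close
!
service-policy global_policy global
!
! ---- Part 2: multiple context mode (system execution space) ----
mode multiple
!
context vpn
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 allocate-ips vs0 default
 config-url disk0:/vpn.cfg
!
context monitor
 allocate-interface GigabitEthernet0/2
 allocate-interface GigabitEthernet0/3
 allocate-ips vs0 default
 config-url disk0:/monitor.cfg
!
! ---- Inside the "monitor" context ----
! The ASA takes the LAN's existing gateway address (192.0.2.1, assumed);
! the real gateway moves to a new small transit subnet (198.51.100.0/30,
! assumed), so every LAN-to-gateway packet now crosses the ASA.
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 198.51.100.2
!
! Same policy as Part 1, applied in this context, so the internal traffic
! that now traverses the ASA is visible to the sensor.
class-map IPS_CLASS
 match any
policy-map global_policy
 class IPS_CLASS
  ips promiscuous fail-open
service-policy global_policy global
```

The `fail-open` keyword decides what happens to the monitored traffic if the module goes down; for a promiscuous copy it is the usual choice, since dropping production traffic because a passive sensor failed rarely makes sense. Hosts on the internal network need no change beyond what the answer describes, because their default gateway address is unchanged; only the real gateway's LAN-side address moves to the transit subnet.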
I concur with marcabal. I have 5510s and 5520s and I have set the SSM module to monitor all of the interfaces on the ASAs, but the internal networks on the inside are unmonitored unless they try to pass traffic through the firewall. I am going to ask for a separate IPS appliance to monitor the internal VLANs.