New Member

Monitoring VLANs on ASA IPS Module

Is it possible to trunk VLANs over the IPS module on the ASA so that traffic OTHER than the traffic normally passing through the ASA (from inside interface to outside interface) can be monitored?

In this scenario, the ASA is being used as a VPN concentrator. We know that we can monitor the traffic from remote VPN users as it passes through the ASA, but would also like to use the IPS to monitor traffic spanned or mirrored from another switch to the ASA.

What's the best way to accomplish that?

Thanks

4 REPLIES
Cisco Employee

Re: Monitoring VLANs on ASA IPS Module

The IPS Module is only designed to monitor traffic flowing through the ASA. External devices are not able to pass traffic to the IPS Module for monitoring; the traffic must be passed live through the ASA, and then, using policies within the ASA, the traffic can be passed on to the IPS Module for either promiscuous or inline monitoring.

So even though the IPS Module itself is capable of Promiscuous Monitoring, it is only Promiscuous Monitoring of traffic that is being passed live (InLine) through the ASA.

The ASA itself is not capable of Promiscuous monitoring.

The ASA is designed to only pass live traffic through the ASA, and has not been designed for receiving spanned or mirrored traffic.

Your only alternative would be to switch to multiple context mode (may require a license upgrade) and then create a second context. In that second context the ASA can be a router/firewall in the other network you want to monitor. (I assume you are using Routed Mode and not Transparent Mode since you are using it as a VPN Concentrator).

A simple method may be to put that second context as a router between your existing network and the existing default gateway. The ASA would be given the existing IP address of the default gateway, and a new small subnet created between the ASA and the gateway. You would need to come up with a new subnet and place both the ASA and the gateway into that subnet.

All traffic from your internal network would then have to pass through the ASA to get to the main gateway. And in passing through the ASA it could then be monitored by the IPS Module.

If you were not using the ASA in Routed Mode already, then you could alternatively use the ASA in Transparent Mode between the internal network and the default gateway. Then the gateway could keep its existing IP address and there would be no need to create the new subnet.

The other alternative is to purchase an IPS Sensor Appliance. This is one advantage of the Appliance over the ASA IPS Module. The Appliance can be deployed in a Promiscuous Mode with respect to the network, while the IPS Module's Promiscuous capability is limited to monitoring only what is already passing through the ASA.
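The following is an added example, not configuration posted in this thread or shipped by Cisco; it illustrates the "bump in the wire" alternative the reply describes, for the case where the ASA is not already doing routed-mode VPN duty. It assumes ASA 7.x / 8.0-era CLI with an AIP-SSM in slot 1; the interface names, addresses and ACL/class/policy names are illustrative assumptions. The Modular Policy Framework section (step 2 onward) is the same in Routed Mode, which is how the traffic that does traverse a VPN-concentrator ASA is handed to the module.

```cisco
! Added example (not from the thread): transparent-mode ASA between the
! internal network and its existing default gateway, with all forwarded
! traffic handed to the IPS module via the Modular Policy Framework.
!
! 1. Transparent Mode: the ASA bridges inside and outside at Layer 2, so the
!    existing default gateway keeps its IP address and no new subnet is needed.
firewall transparent
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Management address of the transparent ASA, inside the bridged subnet (assumed).
ip address 10.1.1.254 255.255.255.0
!
! 2. Select what reaches the IPS module. "permit ip any any" sends everything
!    the ASA forwards; narrow this to the subnets/VLANs of interest if the
!    module cannot keep up with the aggregate throughput.
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! 3. Hand the matched traffic to the module.
!    promiscuous = the module sees a copy and can only alert (or request blocks);
!    inline      = packets pass through the module, which can drop them itself.
!    fail-open   = keep forwarding if the module is down or reloading;
!    fail-close  = stop forwarding instead.
!    Choose deliberately: with fail-open, an unnoticed module failure silently
!    turns monitoring off for everything matched here.
policy-map global_policy
 class IPS_CLASS
  ips promiscuous fail-open
!
! Apply the policy on all interfaces.
service-policy global_policy global
```

After applying it, `show module 1` confirms the sensor is Up and `show service-policy` shows the IPS class attached and counting packets; a class that never increments usually means the ACL in step 2 does not match the traffic you expected, or the traffic is not actually crossing the ASA (which is the core point of the reply above: mirrored or spanned frames delivered to an ASA interface are not "forwarded" and never reach the module).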

New Member

Re: Monitoring VLANs on ASA IPS Module

I concur with marcabal. I have 5510s and 5520s and I have set the SSM module to monitor all of the interfaces on the ASAs, but the internal networks on the inside are unmonitored unless they try to pass traffic through the firewall. I am going to ask for a separate IPS appliance to monitor the internal VLANs.

New Member

Re: Monitoring VLANs on ASA IPS Module

Marco,

Thanks for the detailed response and possible alternatives.

Silver

Re: Monitoring VLANs on ASA IPS Module

Nice try, but seeing how the user is obviously interested in doing VPN on the box, multi-context is out. See Unsupported Features:

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080636f9b.html#wp1116132
