A pair of PIX firewalls is configured as a failover pair. The outside of the PIX pair is connected to the Internet gateway router (a 3825). The inside of the PIX pair is connected to core switch ports configured with the VLAN. The configuration is as below:
Outside : 192.168.102.0
Active PIX out : 192.168.102.2
Sec. PIX out : 192.168.102.3
3825 GigEth : 192.168.102.1
Inside PIX : 192.168.101.0
Active PIX in : 192.168.101.2
Sec. PIX in : 192.168.101.3
Core SVI in : 192.168.101.1 (gateway for the VLAN)
Now I have decided to connect the IPS 4240 in inline IPS mode by connecting the IPS's outside to the PIX inside segment and the IPS's
inside to the core switch 4510R VLAN interface that was previously connected to the PIX inside segment.
I have 5 VLANs inside the core 4510R, created with 172.16.16.0/24, 172.16.17.0/24, 172.16.18.0/24, ...
I have already configured the IPS 4240 with 2 interface pairs and assigned them to the sensing engines. I need to know
the other steps to configure to allow traffic inline through the IPS. Also I want to know the blocking concept, and here
do we need to configure blocking for the 5 inside networks?
Based on your scenario, please have a look at the logical and physical connectivity of your devices.
This is due to the device limitations, especially the switch, where you only have 1 x Cat4510R available. Therefore, you need to host all connections to this switch to cater for IPS - Firewall connectivity.
This design allows you to filter traffic from the Internet coming into your internal network and vice versa.
Basically, you need to have 2 x Layer 2 VLANs on your Cat4510R switch, for example:
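As an added worked example (not part of the original answer or the poster's configuration), here is one way to lay out the two Layer 2 VLANs on the Cat4510R so that the IPS 4240 interface pair sits inline between the PIX inside interfaces and the core SVI. The addresses are the ones from the question; the VLAN numbers (101 and 201), the switch port numbers, the IPS interface names (Gi0/0, Gi0/1) and the default route toward the active PIX are assumptions. The idea is that the existing 192.168.101.0/24 segment is split into a PIX-facing VLAN with no SVI and a core-facing VLAN that carries the SVI, with the IPS pair bridging the two, so every packet between the firewall and the core must cross the sensor.

```cisco
! Added example configuration for the Cat4510R (assumed VLAN and port numbers).
! VLAN 101: Layer 2 only. Holds both PIX inside interfaces (.2 and .3) and the
!           IPS "outside" port. No SVI here, so nothing on the core can reach
!           the PIX without crossing the IPS.
vlan 101
 name PIX-INSIDE-L2
!
! VLAN 201: carries the SVI 192.168.101.1 that the PIX pair uses as its inside
!           next hop, plus the IPS "inside" port. The SVI moves here from the
!           VLAN that used to face the PIX directly.
vlan 201
 name IPS-INSIDE-L2
!
interface Vlan201
 description Next hop for the PIX inside segment (moved from the old VLAN)
 ip address 192.168.101.1 255.255.255.0
 no shutdown
!
! Ports toward the two PIX inside interfaces (assumed port numbers). Both PIX
! units stay in the same VLAN so inside-interface failover hellos still work.
interface GigabitEthernet2/1
 description Active PIX inside 192.168.101.2
 switchport mode access
 switchport access vlan 101
 spanning-tree portfast
!
interface GigabitEthernet2/2
 description Secondary PIX inside 192.168.101.3
 switchport mode access
 switchport access vlan 101
 spanning-tree portfast
!
! IPS 4240 inline pair: one port in each VLAN (assumed ports and IPS interface
! names). The sensor bridges 101 and 201 at Layer 2, so ARP between the PIX
! and the SVI crosses the sensor as well.
interface GigabitEthernet2/3
 description IPS 4240 Gi0/0 - PIX side of the inline pair
 switchport mode access
 switchport access vlan 101
 spanning-tree portfast
!
interface GigabitEthernet2/4
 description IPS 4240 Gi0/1 - core side of the inline pair
 switchport mode access
 switchport access vlan 201
 spanning-tree portfast
!
! The five inside user VLANs (172.16.16.0/24 ...) stay routed on the core as
! before. Only Internet-bound traffic, which follows the default route to the
! active PIX, now passes through the IPS. Assumed: the core already defaulted
! to the active PIX inside address.
ip route 0.0.0.0 0.0.0.0 192.168.101.2
```

Two checks are worth doing once this is in place. First, `show mac address-table vlan 201` on the core should show the PIX inside MAC addresses learned on the IPS-facing port (Gi2/4 here), which confirms the sensor is actually forwarding between the two VLANs; if they appear on any other port, the old VLAN still has a path around the IPS. Second, because traffic between the 172.16.x VLANs is routed on the core and never reaches VLAN 201, the sensor only sees traffic to and from the Internet in this layout; inspecting inter-VLAN traffic would need a different placement. Also confirm the sensor's bypass setting matches your intended failure policy, since an inline pair that is bypassed passes traffic uninspected while the analysis engine is down, and the inline path is now a single point of failure for Internet access.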