Solved

ASA 5520 / AIP SSM-10 Configuration

Posted on 2011-03-10
Last Modified: 2013-11-29
Can the ASA 5520 with the AIP SSM-10 operate as an independent IDS?

The "Policy Office" wants the firewall and the IDS separate. I've reviewed the documentation, and it appears that the AIP SSM-10 only operates with a firewall policy directing traffic to it... Hence my problem: I have an ASA 5520 running as an independent firewall.

My logic: SPAN a port on a switch and plug it directly into the AIP SSM-10... Launch the basic setup - I've attempted this via the CLI and the ASDM...

Thx in advance....
Question by:kdmiller220
5 Comments

Accepted Solution

by:
jmeggers earned 2000 total points
ID: 35097794
You can configure the ASA to pass all traffic, which is obviously not the way it's intended to work.  The "firewall policy" you're referring to that directs traffic to the IDS is only there to do that redirection; it has nothing to do with the firewall aspects of the ASA (blocking inbound traffic from the untrusted side, maintaining the state of outbound connections, etc.).  So although I've never seen this done, there doesn't really seem to be any reason you couldn't have the ASA be wide open to traffic passing through, but still direct some traffic over to the IDS module for inspection.  Keep in mind there are some aspects of the ASA configuration you will have to deal with, such as NAT and routing.

Author Comment

by:kdmiller220
ID: 35098998
Thank you - I just wanted to make SURE I was on the right path.... Thx again!!!

Author Comment

by:kdmiller220
ID: 35101560
There's no NAT, so I would assume a default route would suffice ... I'm able to ping the ASA ip (in), but not out.... I believe that my policy configs are intact - yet I see no evidence that the IDS module is logging any traffic (in both inline and promiscuous mode) in my lab via the IDM (vs0 is assigned)????

Expert Comment

by:jmeggers
ID: 35102722
Are you able to pass traffic through the ASA at all?  If you're not concerned about doing any firewalling, then I would be inclined to make both inside and outside equal security levels and permit same-security-level inter-interface (or whatever the correct syntax is). And yes, you should need a default route on the outside, and make sure the inside subnets are known by devices on the outside of the ASA.

Author Comment

by:kdmiller220
ID: 35138298
I made the security level 0 - with a d-route... Now I'm no FW guru, but am I to assume I have to use 2 of the ASA interfaces vice one - traffic can't flow bi-directionally???

Going to test this now....(light bulb)

hostname xxx-ids-1
enable password xxxxxxxxxx encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 nameif xxx-IN
 security-level 0
 ip address 10.1.1.254 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd xxxxxxxxxx encrypted
ftp mode passive
access-list IPS extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu xxx-IN 1500
no failover
no asdm history enable
arp timeout 14400
route xxx-IN 0.0.0.0 0.0.0.0 10.1.1.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map xxx-CLASS-MAP
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class xxx-CLASS-MAP
  ips promiscuous fail-open
!
service-policy global_policy global
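A two-interface version of what jmeggers describes above (equal security levels, inter-interface traffic permitted, default route on the outside, all forwarded traffic copied to the IPS module in promiscuous mode), written as an added example rather than taken from the thread. The inside addressing comes from the posted config; the outside interface, its 192.0.2.0/24 addressing and the 192.0.2.1 gateway are assumptions, as is the default of NAT control being disabled so that the absence of nat statements means no translation.

```cisco
! Added example, not the poster's config: ASA 5520 passing traffic between two
! interfaces while handing every forwarded flow to the AIP SSM-10.
! Inside values are from the thread; outside values are assumed.
hostname xxx-ids-1
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.254 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 0
 ip address 10.1.1.254 255.255.255.0
 no shutdown
!
! Both interfaces sit at security-level 0; without this line the ASA drops
! traffic between them even though the ACLs would allow it.
same-security-traffic permit inter-interface
!
! No NAT is configured, so the upstream router (assumed 192.0.2.1) needs a
! return route for 10.1.1.0/24 via 192.0.2.254, and inside hosts must use
! 10.1.1.254 as their default gateway. Without both, replies never return
! and the sensor sees only one direction of each flow.
route outside 0.0.0.0 0.0.0.0 192.0.2.1
!
! The module only ever sees traffic the ASA actually forwards: a single
! interface with a default route pointing back out of itself forwards
! nothing, which is why the sensor logged nothing in the lab.
! promiscuous = copy only, the sensor cannot drop packets.
! fail-open = keep forwarding if the module fails or reboots.
access-list IPS extended permit ip any any
class-map IPS-CLASS
 match access-list IPS
!
policy-map global_policy
 class IPS-CLASS
  ips promiscuous fail-open
!
service-policy global_policy global
```

After traffic is started, show service-policy reports per-class packet counters, so a non-zero count on IPS-CLASS confirms flows are reaching the module before looking at the sensor side.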
