kdmiller220
asked on
ASA 5520 / AIP SSM-10 Configuration
Can the ASA 5520 with the AIP SSM-10 operate as an independent IDS?
The "Policy Office" wants the firewall and the IDS separate. I've reviewed the documentation, and it appears that all AIP SSM-10 only operates with a firewall policy directing traffic to it... Hence my problem, I have an ASA 5520 running as an independent firewall.
My logic: SPAN a port on a switch and plug it directly into the AIP SSM-10... Launch the basic setup - I've attempted this via the CLI and the ADSM...
Thx in advance....
The "Policy Office" wants the firewall and the IDS separate. I've reviewed the documentation, and it appears that all AIP SSM-10 only operates with a firewall policy directing traffic to it... Hence my problem, I have an ASA 5520 running as an independent firewall.
My logic: SPAN a port on a switch and plug it directly into the AIP SSM-10... Launch the basic setup - I've attempted this via the CLI and the ADSM...
Thx in advance....
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
There's no NAT, so I would assume a default route would suffice ... I'm able to ping the ASA ip (in), but not out.... I believe that my policy configs are intact - yet I see no evidence that the IDS module is logging any traffic (in both inline and promiscuous mode) in my lab via the IDM (vs0 is assigned)????
Are you able to pass traffic through the ASA at all? If you're not concerned about doing any firewalling, then I would be inclined to make both inside and outside equal security levels and permit same-security-level inter-interface (or whatever the correct syntax is). And yes, you should need a default route on the outside, and make sure the inside subnets are known by devices on the outside of the ASA.
ASKER
I made the security level 0 - with a d-route... Now I'm no FW guru, but am I to assume the I have to 2 of the ASA interfaces vice one - traffic can't flow bi-directionally???
Going to test this now....(light bulb)
hostname xxx-ids-1
enable password xxxxxxxxxx encrypted
names
dns-guard
!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
nameif xxx-IN
security-level 0
ip address 10.1.1.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd xxxxxxxxxx encrypted
ftp mode passive
access-list IPS extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu xxx-IN 1500
no failover
no asdm history enable
arp timeout 14400
route xxx-IN 0.0.0.0 0.0.0.0 10.1.1.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map xxx-CLASS-MAP
match access-list IPS
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class xxx-CLASS-MAP
ips promiscuous fail-open
!
service-policy global_policy global
Going to test this now....(light bulb)
hostname xxx-ids-1
enable password xxxxxxxxxx encrypted
names
dns-guard
!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
nameif xxx-IN
security-level 0
ip address 10.1.1.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd xxxxxxxxxx encrypted
ftp mode passive
access-list IPS extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu xxx-IN 1500
no failover
no asdm history enable
arp timeout 14400
route xxx-IN 0.0.0.0 0.0.0.0 10.1.1.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map xxx-CLASS-MAP
match access-list IPS
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class xxx-CLASS-MAP
ips promiscuous fail-open
!
service-policy global_policy global
ASKER