Cisco ASA IPS Module
The following figure shows the traffic flow when running the IPS module in inline mode. In this example, the IPS module automatically blocks traffic that it identified as an attack. All other traffic is forwarded through the ASA.
[Figure: IPS module in inline mode. Labels: outside, Diverted Traffic, Block, IPS inspection, IPS]
ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X (Physical Module)
The IPS module includes a separate management interface from the ASA.
[Figure 334656: SSP front panel showing the IPS module MGMT interface, alongside the SFP0, SFP1 and USB ports and the status LEDs]
If you have an inside router
If you have an inside router, you can route between the management network, which can include both the ASA Management 0/0 and IPS Management 1/0 interfaces, and the ASA inside network. Be sure to also add a route on the ASA to reach the Management network through the inside router.
[Figure 334658: management network with an inside router. Labels: Management PC, Proxy or DNS Server (for example), ASA Management 0/0, IPS Management 1/0, Router (ASA gateway for Management, IPS Default Gateway), Management, Inside, IPS, ASA, Outside, Internet]
If you do not have an inside router
If you have only one inside network, then you cannot also have a separate management network, which would require an inside router to route between the networks. In this case, you can manage the ASA from the inside interface instead of the Management 0/0 interface. Because the IPS module is a separate device from the ASA, you can configure the IPS Management 1/0 address to be on the same network as the inside interface.
[Figure 334660: single inside network with no inside router. Labels: Management PC, Proxy or DNS Server (for example), Layer 2 Switch, Inside, IPS Management 1/0, IPS Default Gateway, IPS, ASA Management 0/0 not used]
ASA 5545-X
[Figure: ASA 5545-X Management 0/0 port, shared by the ASA (default IP 192.168.1.1) and the IPS module (default IP 192.168.1.2)]
If you have an inside router
If you have an inside router, you can route between the Management 0/0 network, which includes both the ASA and IPS management IP addresses, and the inside network. Be sure to also add a route on the ASA to reach the Management network through the inside router.
[Figure 334667: Management 0/0 network with an inside router. Labels: Management PC, Proxy or DNS Server (for example), Management 0/0, Router (ASA gateway for Management, IPS Default Gateway), Management, Inside, IPS, ASA, Outside, Internet]
If you do not have an inside router
If you have only one inside network, then you cannot also have a separate management network. In this case, you can manage the ASA from the inside interface instead of the Management 0/0 interface. If you remove the ASA-configured name from the Management 0/0 interface, you can still configure the IPS IP address for that interface. Because the IPS module is essentially a separate device from the ASA, you can configure the IPS management address to be on the same network as the inside interface.
[Figure 334669: single inside network with no inside router. Labels: Management PC, Proxy or DNS Server (for example), Layer 2 Switch, Inside, IPS Default Gateway, IPS, Console]
Note
You must remove the ASA-configured name for Management 0/0; if it is configured on the ASA, then the IPS address must be on the same network as the ASA, and that excludes any networks already configured on other ASA interfaces. If the name is not configured, then the IPS address can be on any network, for example, the ASA inside network.
ASA 5505
The ASA 5505 does not have a dedicated management interface. You must use an ASA VLAN to access an internal management IP address over the backplane. Connect the management PC to one of the following ports: Ethernet 0/1 through 0/7, which are assigned to VLAN 1.
[Figure: ASA 5505 rear panel. Ports 1 through 7 are in VLAN 1; default ASA IP 192.168.1.1, IPS IP 192.168.1.2, default IPS gateway 192.168.1.1 (the ASA). The Security Services Card slot holds the Cisco ASA SSC-05 (STATUS, POWER 48VDC and RESET labels)]
Step 3
In the Network Settings area, configure the following: network as the default ASA management IP address. See the Connecting the ASA IPS Management Interface section on page 3 to understand the requirements for your network.
Subnet Mask: The subnet mask for the management IP address.
Gateway: The IP address of the next hop router. See the Connecting the ASA IPS Management Interface section on page 3 to understand the requirements for your network. The default setting of the ASA management IP address will not work.
HTTP Proxy Server: (Optional) The HTTP proxy server address. You can use a proxy server to download global correlation updates and other information instead of downloading over the Internet.
HTTP Proxy Port: (Optional) The HTTP proxy server port.
DNS Primary: (Optional) The primary DNS server address. You need a DNS server to communicate with the update server over the Internet.
Step 4
In the Management Access List area, enter the following:
a. Enter the IP address for the management host network.
b. Choose the subnet mask from the drop-down list.
c. Click Add to add these settings to the Allowed Hosts/Networks list.
Step 5
In the Cisco Account Password area, set the password for the username cisco and confirm it. The username cisco and this password are used for Telnet sessions from hosts specified by the management access list and when accessing the IPS module from ASDM (Configuration > IPS). By default, the password is cisco.
Step 6
In the Network Participation area, for participating in SensorBase data sharing, click Full, Partial, or Off.
Step 7
Click Next to advance through the remaining screens, and complete the wizard.
ASA 5505
Use ASDM to configure basic IPS network configuration. These settings are saved to the IPS configuration, not the ASA configuration.
Step 1
Choose Configuration > Device Setup > SSC Setup.
Step 2
In the Management Interface area, set the following:
a. Choose the Interface VLAN from the drop-down list. This setting lets you manage the ASA IPS module using this VLAN. By default, the management VLAN is VLAN 1 (the inside interface).
b. Enter the IPS management IP address. Make sure this address is on the same subnet as the ASA VLAN IP address. For example, if you assigned 10.1.1.1 to the VLAN for the ASA, then assign another address on that network, such as 10.1.1.2, for the IPS management address. By default, the address is 192.168.1.2.
c. Choose the subnet mask from the drop-down list.
d. Enter the default gateway IP address. Set the gateway to be the ASA IP address for the management VLAN. By default, this IP address is 192.168.1.1.
Step 3
In the Management Access List area, enter the following:
a. Enter the IP address for the management host network, typically the same network as the management IP address.
b. Choose the subnet mask from the drop-down list.
c. Click Add to add these settings to the Allowed Hosts/Networks list.
Step 4
In the IPS Password area, do the following:
a. Enter the current password. The default password is cisco.
b. Enter the new password, and confirm the change.
Step 5
Click Apply to save the settings to the running configuration.
Step 6
To launch the IPS Startup Wizard, click the Configure the IPS SSC module link.
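The following checker is an added example and not part of the Cisco guide. It encodes the management-address placement rules stated above: the Note for the shared Management 0/0 on the ASA 5545-X (named interface means the IPS address must share the ASA management network and must not overlap other ASA interface networks; unnamed means any network, such as inside), and the ASA 5505 rule that the IPS address sits on the ASA VLAN subnet with the ASA as its gateway. The Asa dataclass, its model strings and the sample addresses are assumptions built for the example.

```python
# Added example, not from the Cisco guide: checks an IPS management address against the
# placement rules the guide states for the shared Management 0/0 (ASA 5545-X) and for the
# ASA 5505 management VLAN. The Asa dataclass and its model strings are assumptions.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Asa:
    model: str                   # "5545-X", "5505", or "physical" (5510/5520/5540/5580/5585-X)
    mgmt_ip: Optional[str]       # ASA Management 0/0 or 5505 management VLAN address, CIDR form
    mgmt_named: bool = True      # whether a name is configured on Management 0/0 (5545-X only)
    other_nets: List[str] = field(default_factory=list)  # networks on other ASA interfaces

def check_ips_mgmt(asa: Asa, ips_ip: str, ips_gw: str) -> List[str]:
    """Return the rule violations found; an empty list means the placement is consistent."""
    problems: List[str] = []
    ips = ipaddress.ip_interface(ips_ip)
    gw = ipaddress.ip_address(ips_gw)
    asa_mgmt = ipaddress.ip_interface(asa.mgmt_ip) if asa.mgmt_ip else None

    # Plain IP routing: the next-hop router must sit on the IPS management subnet.
    if gw not in ips.network:
        problems.append(f"gateway {gw} is not on the IPS management subnet {ips.network}")

    if asa.model == "5505":
        # Guide: same subnet as the ASA VLAN address, and the ASA itself is the gateway.
        if asa_mgmt is None or ips.network != asa_mgmt.network:
            problems.append("5505: IPS address must be on the same subnet as the ASA management VLAN")
        if asa_mgmt is None or gw != asa_mgmt.ip:
            problems.append("5505: IPS default gateway must be the ASA address on the management VLAN")
    elif asa.model == "5545-X" and asa.mgmt_named:
        # Guide's Note: named Management 0/0 means the IPS address shares the ASA management
        # network, and that network may not overlap any network on another ASA interface.
        if asa_mgmt is None or ips.network != asa_mgmt.network:
            problems.append("5545-X: Management 0/0 is named, so the IPS address must be on its network")
        for net in asa.other_nets:
            if ips.network.overlaps(ipaddress.ip_network(net)):
                problems.append(f"5545-X: IPS network {ips.network} overlaps ASA interface network {net}")
    # Unnamed Management 0/0 and physical modules: any network is allowed, e.g. the inside network.

    if asa_mgmt is not None and ips.ip == asa_mgmt.ip:
        problems.append(f"IPS address {ips.ip} duplicates the ASA management address")
    return problems

if __name__ == "__main__":
    # Constructed sample using the guide's defaults: ASA 192.168.1.1 and IPS 192.168.1.2 on Management 0/0.
    asa = Asa("5545-X", "192.168.1.1/24", other_nets=["10.1.1.0/24"])
    print(check_ips_mgmt(asa, "192.168.1.2/24", "192.168.1.1"))  # []
```

Run it once before changing the IPS address on a production box; a non-empty list names the rule you would be breaking.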
Step 4
To boot the IPS module software, enter the following command and then click Send:
sw-module module ips recover boot
Step 5
To check the progress of the image transfer and module restart process, enter the following command and then click Send:
show module ips details
The Status field in the output indicates the operational status of the module. A module operating normally shows a status of Up. While the ASA transfers an application image to the module, the Status field in the output reads Recover. When the ASA completes the image transfer and restarts the module, the newly transferred image is running.
Enter the IP address you set in the Configuring Basic IPS Module Network Settings section on page 8, as well as the port; the default address and port are 192.168.1.2:443. Enter the username cisco and the password you set in the Configuring Basic IPS Module Network Settings section on page 8; the default password is cisco. To save the login information on your local PC, check the Save IPS login information on local host check box. Click Continue. The Startup Wizard pane appears.
Step 6
Click Launch Startup Wizard. Complete the screens as prompted. For more information, see the IDM online help.
Choose Add > Add Service Policy Rule. The Add Service Policy Rule Wizard - Service Policy dialog box appears. Complete the Service Policy dialog box, and then the Traffic Classification Criteria dialog box as desired. See the ASDM online help for more information about these screens. Click Next to show the Add Service Policy Rule Wizard - Rule Actions dialog box.
Step 5
Check the Enable IPS for this traffic flow check box.
Step 6
In the Mode area, click Inline Mode or Promiscuous Mode. Inline mode places the IPS module directly in the traffic flow. No traffic that you identified for IPS inspection can continue through the ASA without first passing through, and being inspected by, the IPS module. Promiscuous mode sends a duplicate stream of traffic to the IPS module. This mode is less secure, but has little impact on traffic throughput.
Step 7
In the If IPS Card Fails area, click Permit traffic or Close traffic. The Close traffic option sets the ASA to block all traffic if the IPS module is unavailable. The Permit traffic option sets the ASA to allow all traffic through, uninspected, if the IPS module is unavailable.
Step 8
For information about the IPS Sensor Selection area, see the ASDM online help.
Step 9
Click OK and then Apply.
9 Where to Go Next
(Optional) Configure advanced IPS options, including virtual sensors. See the IDM online help or the documentation roadmap for your version: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_documentation_roadmaps_list.html
(Optional) Configure virtual sensors on the ASA. See the online help or the IPS chapter in the configuration guide for your ASA version: http://www.cisco.com/go/asadocs
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) © 2011-2012 Cisco Systems, Inc. All rights reserved.