I wanted to do another config guide for this, considering that the design of my LAN has changed and the ASA version I am running is now 8.4. The old ASA/AIP config post can be found here.
On the ASA:
• The inside interface (VLAN 1) is the one the ASA uses to reach the AIP-SSC, so here is the setup:
!
interface Vlan1
nameif inside
security-level 100
allow-ssc-mgmt <-- designates this VLAN as the one used to manage the SSC (the IPS module); only one VLAN can carry SSC management, and the sensor's management address has to live on this subnet
ip address x.x.200.1 255.255.255.0
• For the purposes of management I have defined the IPS as three different "objects" (https, SNMP and SSH). All three resolve to the sensor's single management address on the inside subnet; one object would do, the split just keeps the access-list entries readable:
object network IPS-443
host x.x.x.x
!
object network IPS-SNMP
host x.x.x.x
!
object network IPS-ssh
host x.x.x.x
• I also added access-lists to allow these through. Note the source is any: on a network where the outside interface faces more than my own hosts you would narrow that to the management subnet, since these three ports are the sensor's management plane:
!
access-list outside_access_in extended permit tcp any object IPS-443 eq https
access-list outside_access_in extended permit udp any object IPS-SNMP eq snmp
access-list outside_access_in extended permit tcp any object IPS-ssh eq ssh
!
• Since the ASA now sits inside the network and its outside interface faces my internal LAN, management traffic to the IPS would otherwise be caught by the existing NAT rules, so I added identity (twice) NAT statements that leave both the source and the IPS destination untranslated:
nat (outside,inside) source static any any destination static IPS-443 IPS-443
nat (outside,inside) source static any any destination static IPS-SNMP IPS-SNMP
nat (outside,inside) source static any any destination static IPS-ssh IPS-ssh
• A slightly different version of the class map from the original ASA/IPS config guide, now with a match any, so every packet crossing the outside interface is redirected to the SSC. inline puts the module in the forwarding path (it can drop, not just alert), and fail-open means the ASA keeps forwarding traffic uninspected while the module is down or rebooting; fail-close is the alternative when inspection matters more than availability:
!
class-map ips_class
match any
!
policy-map ips_policy
class ips_class
ips inline fail-open
!
service-policy ips_policy interface outside
• What I thought was missing from the last post was the configuration from the IPS side, so here it is:
service host
network-settings
host-ip x.x.200.2/24,x.x.200.1 <-- the sensor's address on the ASA's inside subnet, with the ASA's inside address as its gateway
access-list 0.0.0.0/0 <-- which addresses may open a management session to the sensor; 0.0.0.0/0 means any, so outside a lab narrow this to the management subnet
!
ntp-server x.x.100.1 <-- router on the LAN acting as NTP server
summertime-option recurring
summertime-zone-name GMT-08:00
!
auto-upgrade
cisco-server enabled
schedule-option calendar-schedule
times-of-day 14:09:33
days-of-week sunday
days-of-week monday
days-of-week tuesday
days-of-week wednesday
days-of-week thursday
days-of-week friday
days-of-week saturday
!
service ssh-known-hosts
rsa1-keys x.x.x.x
length 2048
!
service web-server
!
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/0 <-- on an ASA 5505 the SSC's GigabitEthernet0/0 is its backplane link to the ASA, not an externally cabled port; it is where the redirected traffic from the service policy arrives at vs0
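The settings flagged in the comments above (management reachable from any source on the ASA side, 0.0.0.0/0 on the sensor side, and fail-open) are easy to miss in a long config. The script below is an added example, not code from the original post: it parses the ASA and IPS fragments shown on this page and reports those findings, then shows a hardened variant passing clean. The config text is constructed from the post's fragments with the redacted x.x.x.x addresses replaced by 10.0.200.x placeholders; the hardened copies assume a management subnet 10.0.100.0/24 and an ASA object MGMT-NET that the post does not define.

```python
"""Audit ASA 8.4 / AIP-SSC config fragments for exposed sensor management
and fail-open. Added example; the config strings are constructed from the
post's fragments with placeholder addresses."""
import ipaddress

# Ports the sensor is managed on; the post opens https, snmp and ssh to it.
MGMT_PORTS = {"https", "443", "ssh", "22", "snmp", "161"}

# Constructed from the post's ASA fragment (placeholder addresses).
ASA_CONFIG = """\
object network IPS-443
 host 10.0.200.2
object network IPS-SNMP
 host 10.0.200.2
object network IPS-ssh
 host 10.0.200.2
access-list outside_access_in extended permit tcp any object IPS-443 eq https
access-list outside_access_in extended permit udp any object IPS-SNMP eq snmp
access-list outside_access_in extended permit tcp any object IPS-ssh eq ssh
policy-map ips_policy
 class ips_class
  ips inline fail-open
"""

# Constructed from the post's IPS 'service host' fragment.
IPS_CONFIG = """\
service host
network-settings
host-ip 10.0.200.2/24,10.0.200.1
access-list 0.0.0.0/0
"""

# Hardened variants (assumed, not from the post): management sources limited
# to MGMT-NET / 10.0.100.0/24 and the SSC action set to fail-close.
ASA_CONFIG_HARDENED = (ASA_CONFIG
                       .replace("permit tcp any", "permit tcp object MGMT-NET")
                       .replace("permit udp any", "permit udp object MGMT-NET")
                       .replace("fail-open", "fail-close"))
IPS_CONFIG_HARDENED = IPS_CONFIG.replace("access-list 0.0.0.0/0",
                                         "access-list 10.0.100.0/24")


def network_objects(asa_text):
    """Map each 'object network NAME' block to its 'host' address."""
    hosts, current = {}, None
    for line in asa_text.splitlines():
        tok = line.split()
        if tok[:2] == ["object", "network"]:
            current = tok[2]
        elif tok[:1] == ["host"] and current:
            hosts[current] = tok[1]
    return hosts


def parse_ace(line):
    """Parse the 'extended permit PROTO SRC object DST eq PORT' form the post uses.
    SRC is 'any' or a two-token form (object X, host X, net mask). Other lines -> None."""
    tok = line.split()
    if len(tok) < 10 or tok[0] != "access-list" or tok[2:4] != ["extended", "permit"]:
        return None
    name, proto, rest = tok[1], tok[4], tok[5:]
    if rest[0] in ("any", "any4", "any6"):
        src, rest = rest[0], rest[1:]
    else:
        src, rest = " ".join(rest[:2]), rest[2:]
    if len(rest) < 4 or rest[0] != "object" or rest[2] != "eq":
        return None
    return {"name": name, "proto": proto, "src": src, "dst": rest[1], "port": rest[3]}


def audit_asa(asa_text):
    """Findings: any-source ACEs to a sensor management port, and fail-open."""
    findings, hosts = [], network_objects(asa_text)
    for line in asa_text.splitlines():
        line = line.strip()
        ace = parse_ace(line)
        if (ace and ace["src"] in ("any", "any4", "any6")
                and ace["dst"] in hosts and ace["port"] in MGMT_PORTS):
            findings.append(f"{ace['name']}: {ace['src']} source may reach {ace['port']} on "
                            f"{hosts[ace['dst']]} ({ace['dst']}); limit it to the management subnet")
        elif line.startswith("ips ") and "fail-open" in line.split():
            findings.append("ips_policy: 'ips inline fail-open' forwards traffic uninspected "
                            "while the SSC is down or rebooting; prefer fail-close")
    return findings


def audit_ips(ips_text):
    """Findings for the sensor's own network-settings block."""
    findings = []
    for line in ips_text.splitlines():
        tok = line.split()
        if tok[:1] == ["host-ip"]:
            # host-ip ADDR/LEN,GATEWAY: the gateway must sit on the sensor's subnet
            addr, gw = tok[1].split(",")
            iface, gateway = ipaddress.ip_interface(addr), ipaddress.ip_address(gw)
            if gateway not in iface.network:
                findings.append(f"host-ip: gateway {gateway} is not on {iface.network}")
        elif tok[:1] == ["access-list"]:
            if ipaddress.ip_network(tok[1], strict=False).prefixlen == 0:
                findings.append("network-settings: access-list 0.0.0.0/0 lets any address open "
                                "a management session to the sensor; list only the management subnet")
    return findings


if __name__ == "__main__":
    for label, found in (("ASA", audit_asa(ASA_CONFIG)), ("IPS", audit_ips(IPS_CONFIG)),
                         ("ASA hardened", audit_asa(ASA_CONFIG_HARDENED)),
                         ("IPS hardened", audit_ips(IPS_CONFIG_HARDENED))):
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run it as-is and the page's configuration produces four ASA findings (the three any-source management ACEs plus fail-open) and one IPS finding, while the hardened copies produce none. The parser only understands the ACE shape used on this page; a real audit would feed it `show running-config` output and extend `parse_ace` for the other source and destination forms.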
I hope that helps. I'll include a new drawing to illustrate this at some point.
Wednesday, December 7, 2011