Wednesday, December 7, 2011

Updated ASA/IPS Configuration

I wanted to do another config guide for this, since the design of my LAN has changed and the ASA is now running version 8.4. The old ASA/AIP config post can be found here.

On the ASA:

• The inside interface is going to be used to communicate with the IPS module, so here is the setup:
!
interface Vlan1
nameif inside
security-level 100
allow-ssc-mgmt <-- ASA 5505 only: makes this VLAN the management interface for the AIP SSC module, so the sensor's management IP lives on this network
ip address x.x.200.1 255.255.255.0

• For the purposes of management I have defined the IPS as three different "objects" (HTTPS, SNMP and SSH); in practice all three resolve to the sensor's one management address:

object network IPS-443
host x.x.x.x
!
object network IPS-SNMP
host x.x.x.x
!
object network IPS-ssh
host x.x.x.x

• I also added access-list entries to allow these through. Note that the source is any, so anything that reaches the outside interface can reach the sensor's management services:
!
access-list outside_access_in extended permit tcp any object IPS-443 eq https
access-list outside_access_in extended permit udp any object IPS-SNMP eq snmp
access-list outside_access_in extended permit tcp any object IPS-ssh eq ssh
!

• Since the ASA now sits inside the network and its outside interface faces my internal LAN, I have to NAT these. The statements below are identity NAT (real and mapped addresses are the same), which in 8.4 twice-NAT syntax is needed so the management traffic is not caught by any other NAT rule:
nat (outside,inside) source static any any destination static IPS-443 IPS-443
nat (outside,inside) source static any any destination static IPS-SNMP IPS-SNMP
nat (outside,inside) source static any any destination static IPS-ssh IPS-ssh

• A slightly different version of the class map from the original ASA/IPS config guide, now with a match any, so every packet on the outside interface is handed to the module. fail-open means traffic keeps flowing uninspected if the module is down or still booting; fail-close drops it instead, which is the safer choice where availability is not the first concern:
!
class-map ips_class
match any
!
policy-map ips_policy
class ips_class
ips inline fail-open
!
service-policy ips_policy interface outside

• Now, what I thought was missing from the last post was the configuration from the IPS side, so here it is:

service host
network-settings
host-ip x.x.200.2/24,x.x.200.1 <-- that's the ASA's inside network; the address after the comma is the ASA's inside interface, used as the sensor's default gateway
access-list 0.0.0.0/0 <-- the sensor's own management allow-list; this entry lets any address open a management session, so it is only as strong as the ASA ACL in front of it
!
ntp-server x.x.100.1 <-- router on the LAN acting as NTP server
summertime-option recurring
summertime-zone-name GMT-08:00
!
auto-upgrade
cisco-server enabled
schedule-option calendar-schedule
times-of-day 14:09:33
days-of-week sunday
days-of-week monday
days-of-week tuesday
days-of-week wednesday
days-of-week thursday
days-of-week friday
days-of-week saturday
!
service ssh-known-hosts
rsa1-keys x.x.x.x <-- stored host key of a remote SSH server the sensor connects to (for copy and upgrade operations)
length 2048
!
service web-server
!
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/0 <-- this is an ASA 5505 with an AIP SSC, so this is the module's internal (backplane) sensing interface fed by the ASA service policy, not a front-panel port.
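Added example, not part of the original post: the same management rules with the source restricted on both the ASA and the sensor, plus the fail-close alternative to the service policy above. The addresses 10.0.100.50 (admin workstation) and 10.0.100.60 (SNMP manager) and the object names ADMIN-HOST and SNMP-MANAGER are assumptions; substitute your own. The ASA ACL and the sensor's own host access-list gate the same traffic, so the two should be changed together.

```text
! --- ASA 8.4 side (added example; addresses and object names are placeholders) ---
object network ADMIN-HOST
 host 10.0.100.50
!
object network SNMP-MANAGER
 host 10.0.100.60
!
! Original entries permit management of the sensor from any source:
!   access-list outside_access_in extended permit tcp any object IPS-443 eq https
!   access-list outside_access_in extended permit udp any object IPS-SNMP eq snmp
!   access-list outside_access_in extended permit tcp any object IPS-ssh eq ssh
!
! Tightened entries: only the named hosts reach the sensor's management services.
! The identity NAT statements from the post stay as they are; 8.3+ ACLs match
! real (untranslated) addresses, so only the ACL source needs to change.
access-list outside_access_in extended permit tcp object ADMIN-HOST object IPS-443 eq https
access-list outside_access_in extended permit tcp object ADMIN-HOST object IPS-ssh eq ssh
access-list outside_access_in extended permit udp object SNMP-MANAGER object IPS-SNMP eq snmp
!
! Original: ips inline fail-open (traffic is passed uninspected if the module fails).
! Alternative if you would rather drop traffic than bypass inspection:
policy-map ips_policy
 class ips_class
  ips inline fail-close
!
! --- IPS sensor side: the host access-list must agree with the ASA ACL ---
service host
network-settings
! Original: access-list 0.0.0.0/0 (any address may open a management session).
! Add the restricted entries first, then remove the wildcard, so the session
! you are working from is never locked out.
access-list 10.0.100.50/32
access-list 10.0.100.60/32
no access-list 0.0.0.0/0
exit
exit
```

Leaving network-settings on the sensor prompts you to apply the changes; the sensor's access-list is an allow-list, so anything not matched is refused regardless of what the ASA permits, which is why the two lists should always be kept in step.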

I hope that helps. I'll include a new drawing to illustrate this at some point.

3 comments:

About Me said...

I'm a bit new to the IPS modules in the ASAs. The documentation isn't very clear either. In my mind it makes sense but I wanted to clarify. In order for the IPS module to actually analyze traffic you need to assign the GigE0/0 interface to the virtual-sensor vs0, correct? That is how the IPS module gets the traffic analyzed, is by sending it to the virtual sensor?

I ask because I'm looking at a previous configuration of an AIP and the virtual-sensor is not assigned. This means it's not doing anything with the traffic?

David Walsh said...

In order for the IPS to analyze traffic you need to have a policy-map defined on the ASA, and you need to apply that as a service policy to an interface (in this case the outside). When you look at the IPS it should show that the service analysis-engine (virtual-sensor or vs0) is being fed traffic from some interface. I'm not sure what it looked like in previous versions of code, but in 8.4 it shows the Gig 0/0.

Hope that helps.

About Me said...

OK, yeah, that makes sense. Thanks for your help on that. So it seems the ASA will allow you to assign the virtual-sensor from ASDM, but you also have to assign the interface to the virtual-sensor inside of the IPS configuration.

Thanks again.
