ASA 5500-x built-in IPS

Hi all,

I have an ASA 5515-x and an IPS module license installed on that. I planned to connect to the IPS like what is explained under the "First Scenario" title at this link (http://www.cisco.com/c/en/us/support/docs/security/ips-sensor-software-version-71/113690-ips-config-mod-00.html#scenario1).


I mean I will connect the management interface of the ASA to the same switch as the inside interface is connected to, according to this text taken from the Cisco documentation:

"You must remove the ASA-configured name for Management 0/0; if it is configured on the ASA, then the IPS address must be on the same network as the ASA, and that excludes any networks already configured on other ASA interfaces. If the name is not configured, then the IPS address can be on any network, for example, the ASA inside network."

The above text has mentioned that we can assign IP addresses from the same network to the "inside" and "management" interfaces on the ASA if we have removed the "nameif" from the management interface. So I removed the nameif from the management interface and want to assign an IP address to the management interface from the class that is used on the inside interface, but the ASA did not accept the IP and said that we cannot assign IP addresses to two ASA interfaces from the same L3 network. Did I take the wrong route, or what?

Comments

  • Read the document and the configuration example more carefully; you need to remove all configuration from the management interface and configure an IP address on the IPS (not the ASA) which is in the same subnet as the "inside" interface of the ASA, or as any other interface of the ASA you want. Which networking device allows you to have 2 Ethernet links in the same subnet and the same VRF/context? None, because of the broadcast domains.

  • timaztimaz ✭✭

    Hi Cristian,

    I would like to thank you for your reply. Following your reply, if I assign an IP address to my IPS through the IPS CLI (from the same subnet as my "inside" interface), then what about the IP address of the ASA management interface? Isn't the ASA going to be used as the IPS default gateway? So if yes, then we need to assign an IP to the ASA management interface too, which needs to be from the same subnet as the IPS.

    If I understood well, the inside interface of the ASA will act as the mgmt gateway for the IPS. This is a gateway that will connect the IPS to the internet. Am I right?

  • I asked you to read the document in detail, it's all there; your IPS default gateway will be the "inside" interface, or "outside" or whatever you want; it will be the ASA interface which has an IP in the same subnet as the IPS.
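The arrangement the replies describe, written out as an added configuration example (constructed for this page; it is not taken from the thread or from the linked Cisco document). The addresses 10.1.1.0/24, the interface GigabitEthernet0/1 and the sensor hostname are assumptions. The point it shows is that the ASA's Management0/0 carries no nameif and no IP at all, so the ASA never has two interfaces in one L3 network; the only address on that wire belongs to the IPS module, whose default gateway is the ASA inside address.

```text
! --- ASA side (constructed addresses) ---
! Management0/0 is just a physical uplink for the IPS module: no nameif,
! no security-level, no IP. This is what avoids the "two interfaces in
! the same network" rejection the original poster ran into.
interface Management0/0
 no nameif
 no security-level
 no ip address

! The inside interface keeps its address; it doubles as the IPS gateway.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0

! --- IPS module side (IPS 7.x CLI, entered via "session ips" from the ASA) ---
! host-ip takes "address/prefix,default-gateway"; the gateway is the ASA
! inside IP, so the IPS reaches the rest of the network through "inside".
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
sensor(config-hos-net)# host-ip 10.1.1.2/24,10.1.1.1
sensor(config-hos-net)# access-list 10.1.1.0/24
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes?[yes]: yes
```

The `access-list` line under `network-settings` restricts which hosts may manage the sensor; the example limits it to the inside subnet, which is the only place management traffic should originate from in this topology. Verify the result from the IPS with `show configuration` and by pinging the gateway 10.1.1.1 from the sensor CLI.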
