IPS Interfaces - ASA AIP module

Each IPS sensor has three interface types:

  • command and control (for managing the IPS)
  • sensing (analysing traffic)
  • TCP reset (for sending TCP resets)

The IPS module for ASA firewalls has some limitations compared with a standalone IPS sensor such as the 4260 or 4270:

  • You cannot designate a separate port for TCP reset
  • You cannot use the command and control interface for sensing or as an alternate TCP reset interface
  • There is only one sensing interface on the AIP SSM
  • AIP modules do not support inline VLAN pairs
  • AIP modules do not support VLAN groups
  • AIP 5500-X and 5585-X do not support bypass

 

CONFIGURATION


(config)# service interface

(config-int)# cdp-mode forward-cdp-packets

Forwards CDP messages through the sensor. If the ASA is working as an Internet firewall, choose "drop-cdp-packets" instead, which is the default setting.

(config-int)# bypass-mode off


There are three options for bypass-mode:

  • off - all traffic is inspected; if the IPS sensor fails, traffic will not be forwarded (fail-closed)
  • on - no traffic is inspected; if the IPS sensor fails, traffic will still be forwarded
  • auto (default) - all traffic is inspected; if the IPS sensor fails, traffic will be forwarded uninspected (fail-open)

(config-int)# physical-interfaces gigabitEthernet0/1

(config-int-phy)# description ASA2-IPS-sensor

(config-int-phy)# exit

(config-int)# interface-notifications

(config-int-int)# idle-interface-delay 15

Time in seconds the interface must be idle before a notification is sent (default 30 seconds)

(config-int-int)# missed-percentage-threshold 5

Percentage of flow missed during the specified interval before a notification is sent (default 0%)

(config-int-int)# notification-interval 30

Interval over which the missed packet percentage is measured (default 30 seconds)

(config-int-int)# exit

(config-int)# exit

Apply Changes?[yes]: yes

 

 INTERFACE CONFIGURATION (DISPLAY)

 

Sensor1# show interfaces
Interface Statistics
Total Packets Received = 46395236
Total Bytes Received = 38221595790
Missed Packet Percentage = 0
Current Bypass Mode = Auto_off
MAC statistics from interface GigabitEthernet0/0
Interface function = Command-control interface
Description =
Media Type = TX
Default Vlan = 0
Link Status = Up
Link Speed = Auto_100
Link Duplex = Auto_Full
Total Packets Received = 227992
Total Bytes Received = 41801991
Total Multicast Packets Received = 0
Total Receive Errors = 0
Total Receive FIFO Overruns = 0
Total Packets Transmitted = 67372
Total Bytes Transmitted = 26828374
Total Transmit Errors = 0
Total Transmit FIFO Overruns = 0

MAC statistics from interface GigabitEthernet0/1
Interface function = Sensing interface
Description = ASA2-IPS-sensor
Media Type = backplane
Default Vlan = 0
Inline Mode = Unpaired
Pair Status = N/A
Hardware Bypass Capable = No
Hardware Bypass Paired = N/A
Link Status = Up
Admin Enabled Status = Enabled
Link Speed = Auto_1000
Link Duplex = Auto_Full
Missed Packet Percentage = 0
Total Packets Received = 46395237
Total Bytes Received = 38221595872
Total Multicast Packets Received = 0
Total Broadcast Packets Received = 0
Total Jumbo Packets Received = 0
Total Undersize Packets Received = 0
Total Receive Errors = 0
Total Receive FIFO Overruns = 0
Total Packets Transmitted = 46395198
Total Bytes Transmitted = 38221664924
Total Multicast Packets Transmitted = 0
Total Broadcast Packets Transmitted = 0
Total Jumbo Packets Transmitted = 0
Total Undersize Packets Transmitted = 0
Total Transmit Errors = 0
Total Transmit FIFO Overruns = 0


Sensor1# show interfaces brief
CC   Interface            Sensing State   Link   Inline Mode   Pair Status
 *   GigabitEthernet0/0   Disabled        Up
     GigabitEthernet0/1   Enabled         Up     Unpaired      N/A
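The configuration section above sets a missed-packet threshold and a bypass mode, and the "show interfaces" output is where those values are visible in operation. The following Python script is an added example, not part of the original notes or of any Cisco tool: it parses a constructed, abridged copy of the "show interfaces" output shown above (the sensing interface values are kept as on the page) and raises the findings a monitoring job would want, namely bypass currently active (traffic forwarded uninspected), the sensing interface not up or not enabled, missed-packet percentage above the configured threshold, and receive errors or FIFO overruns. The reading of "Auto_on"/"On" as "bypass active" and the use of "exceeds" for the threshold are assumptions, as is the helper name assess_sensor.

```python
import re

# Constructed sample: an abridged copy of the "show interfaces" output above.
# Only the sensing interface and a few command-control fields are kept.
SAMPLE_SHOW_INTERFACES = """\
Interface Statistics
Total Packets Received = 46395236
Total Bytes Received = 38221595790
Missed Packet Percentage = 0
Current Bypass Mode = Auto_off
MAC statistics from interface GigabitEthernet0/0
Interface function = Command-control interface
Description =
Link Status = Up
Total Receive Errors = 0
Total Transmit Errors = 0

MAC statistics from interface GigabitEthernet0/1
Interface function = Sensing interface
Description = ASA2-IPS-sensor
Link Status = Up
Admin Enabled Status = Enabled
Missed Packet Percentage = 0
Total Packets Received = 46395237
Total Receive Errors = 0
Total Receive FIFO Overruns = 0
Total Transmit Errors = 0
"""


def parse_show_interfaces(text):
    """Split 'show interfaces' output into a 'global' section plus one dict per
    interface, keyed by interface name. Numeric values become ints."""
    sections = {"global": {}}
    current = sections["global"]
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"MAC statistics from interface (\S+)", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        current[key] = int(value) if value.isdigit() else value
    return sections


def assess_sensor(sections, missed_threshold_pct=5):
    """Return the list of findings for one sensor. missed_threshold_pct mirrors
    the 'missed-percentage-threshold' value configured above (assumed to mean
    'notify when the percentage exceeds this value')."""
    findings = []
    mode = str(sections["global"].get("Current Bypass Mode", ""))
    # Assumption: 'On' and 'Auto_on' mean bypass is active right now, i.e. the
    # sensor is passing traffic without inspecting it.
    if mode.lower() in ("on", "auto_on"):
        findings.append(f"bypass active ({mode}): traffic is forwarded uninspected")
    for name, iface in sections.items():
        if iface.get("Interface function") != "Sensing interface":
            continue
        if iface.get("Link Status") != "Up" or iface.get("Admin Enabled Status") != "Enabled":
            findings.append(f"{name}: sensing interface is not up and enabled")
        missed = iface.get("Missed Packet Percentage", 0)
        if missed > missed_threshold_pct:
            findings.append(f"{name}: missed {missed}% of packets (threshold {missed_threshold_pct}%)")
        errors = iface.get("Total Receive Errors", 0) + iface.get("Total Receive FIFO Overruns", 0)
        if errors:
            findings.append(f"{name}: {errors} receive errors/FIFO overruns")
    return findings


if __name__ == "__main__":
    parsed = parse_show_interfaces(SAMPLE_SHOW_INTERFACES)
    for finding in assess_sensor(parsed) or ["no findings: sensor inspecting, no missed packets"]:
        print(finding)
```

The healthy output on the page produces no findings; feeding the same text with "Current Bypass Mode = Auto_on" or a non-zero missed percentage on GigabitEthernet0/1 produces one finding per condition, which is the signal to correlate with the interface notifications configured above.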

dzbanek 2013-03-02
