ASA IPS Module Configuration
To keep this organized, the next few sections split the configuration into its major parts: the module's network settings, virtual sensors, and the policy that decides which traffic the ASA hands to the module.
ASA IPS Module Network Configuration
The first thing to cover is how to configure the basic network settings of the IPS module, assuming that the defaults are not acceptable. The way to do this differs between the ASA 5505 and all of the other models.
For the ASA 5505, the first thing to set up is the management VLAN. The process to configure these settings is shown in Table 1:
Table 1: ASA 5505 IPS Module Basic Network Settings
Step | Description | Command
1 | Enter privileged EXEC mode. | asa>enable
2 | Enter global configuration mode. | asa#configure terminal
3 | Enter interface configuration mode for the current management VLAN interface. | asa(config)#interface vlan vlan-id
4 | Disable IPS management on that VLAN. | asa(config-if)#no allow-ssc-mgmt
5 | Enter interface configuration mode for the new management VLAN interface. | asa(config-if)#interface vlan vlan-id
6 | Enable IPS management on the new VLAN. | asa(config-if)#allow-ssc-mgmt
7 | Exit configuration mode. | asa(config-if)#end
8 | Configure the ASA IPS module management IP address. Note: this address must be in the same subnet as the management VLAN interface configured in step 5, and the gateway is the IP address of that same VLAN interface. | asa#hw-module module 1 ip ip_address netmask gateway
9 | Configure the host or subnet allowed to reach the ASA IPS module management address. A host mask (255.255.255.255) limits access to a single management station, which is the safer default. | asa#hw-module module 1 allow-ip ip_address netmask
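The full procedure from Table 1 carried through with concrete values, as an added example that is not part of the original article: management for the ASA 5505 IPS module is moved from the default VLAN 1 to a dedicated VLAN 3, the module is given an address on that subnet, and only one admin station is allowed to reach it. VLAN numbers, the interface name `ips-mgmt`, the switch port `ethernet0/5` and all addresses are assumed values.

```text
! Assumed: management currently allowed on Vlan1 (the 5505 default).
asa> enable
asa# configure terminal
! Steps 3-4: turn IPS management off on the old management VLAN.
asa(config)# interface vlan 1
asa(config-if)# no allow-ssc-mgmt
! Steps 5-6: create the new management VLAN; its address is the module's gateway.
asa(config-if)# interface vlan 3
asa(config-if)# nameif ips-mgmt
asa(config-if)# security-level 100
asa(config-if)# ip address 192.168.3.1 255.255.255.0
asa(config-if)# allow-ssc-mgmt
! The admin station needs a switch port in VLAN 3 (assumed port ethernet0/5).
asa(config-if)# interface ethernet0/5
asa(config-if)# switchport access vlan 3
! Step 7: leave configuration mode; the hw-module commands are EXEC commands.
asa(config-if)# end
! Step 8: module address in the Vlan3 subnet, gateway = Vlan3 address.
asa# hw-module module 1 ip 192.168.3.2 255.255.255.0 192.168.3.1
! Step 9: host mask, so only the admin station 192.168.3.10 can manage the module.
asa# hw-module module 1 allow-ip 192.168.3.10 255.255.255.255
! Check: the module should report the new management address and an Up status.
asa# show module 1 details
```

Keep the management VLAN free of user traffic; the allow-ip entry restricts who may reach the module's management services, but nothing stops hosts on that VLAN from reaching the VLAN interface itself unless the usual ASA access rules are applied.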
For all other ASA models the module's network settings are configured from the module's own CLI, so the first step is to session into the ASA IPS module from the ASA. The command depends on whether the platform uses a hardware IPS module (the `session` command takes the slot number) or a software IPS module, which also offers a console session. Only one of the rows in Table 2 applies to a given platform:
Table 2: ASA IPS Module Session Methods (ASA 5510+)
Step | Description | Command
1a | Access the ASA IPS module via telnet, for hardware IPS modules (slot 1). | asa#session 1
1b | Access the ASA IPS module via telnet, for software IPS modules. | asa#session ips
1c | Access the ASA IPS module via console, for software IPS modules. | asa#session ips console
Once logged in to the module, its host IP address, gateway and management access list are set with the sensor's own `setup` command. Change the module's default login credentials at first login; the module's management plane is a separate system from the ASA and is not protected by the ASA's own authentication.
Virtual Sensor Configuration
When the ASA runs in multiple-context mode, virtual sensors let each context use its own IPS configuration. This section reviews the single command used for this; it is entered in the system execution space, inside the configuration of each context. The sensor name (or mapped name) assigned here is what the context's policy refers to in the next section.
To allocate a virtual sensor to a context there is only one command, entered within that context's configuration (see Table 3).
Table 3: Configuring ASA IPS Module Virtual Sensors
Step | Description | Command
1 | Enter privileged EXEC mode. | asa>enable
2 | Enter global configuration mode. | asa#configure terminal
3 | Enter the configuration for the specific context (from the system execution space). | asa(config)#context context-name
4 | Assign a virtual sensor to the context. The optional mapped name hides the real sensor name from the context; `default` makes this the sensor used when a policy names none. | asa(config-ctx)#allocate-ips sensor-name [mapped_name] [default]
ASA IPS Module Policy Configuration
For the ASA to know which traffic to forward to the IPS module, a policy must be configured. Not every traffic-match option is covered in this article, but the basic commands are shown for clarity. Table 4 reviews the steps needed to create an ASA IPS module policy.
Table 4: Configuring ASA IPS Module Policy
Step | Description | Command
1 | Enter privileged EXEC mode. | asa>enable
2 | Enter global configuration mode. | asa#configure terminal
3 | Create a class map. | asa(config)#class-map class-name
4 | Specify a traffic match statement (or statements). Note: there are a number of different match statement possibilities, for example an access list. | asa(config-cmap)#match parameter
5 | Create a policy map. | asa(config-cmap)#policy-map policy-name
6 | Link the previously created class map with the policy. Note: multiple class maps can be linked to the same policy map. | asa(config-pmap)#class class-name
7 | Send the matched traffic to the ASA IPS module. Inline mode puts the module in the traffic path so it can drop packets; promiscuous mode gives the module a copy, so it can only react after the packet has been forwarded. Note: with fail-close, traffic matched by this class is dropped while the ASA cannot reach the module; with fail-open it is passed through uninspected. | asa(config-pmap-c)#ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]
8 | Exit back into global configuration mode. | asa(config-pmap-c)#exit
 | | asa(config-pmap)#exit
9 | Activate the policy by applying it globally or to a specific ASA interface (by name). | asa(config)#service-policy policy-name {global | interface interface-name}
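The virtual sensor allocation from Table 3 and the policy from Table 4 carried through together, as an added example that is not part of the original article: in the system execution space the module's sensor `vs0` is allocated to context `ctx1` under the mapped name `ips1`, then inside that context every packet entering the `outside` interface is sent to the module inline with fail-close. The context name, sensor and mapped names, ACL name, class and policy names and interface name are all assumed values; on a single-context ASA the system-space part is skipped and the `ips` command is entered without the `sensor` keyword.

```text
! --- System execution space ---
asa> enable
asa# configure terminal
asa(config)# context ctx1
! Real sensor vs0 is exposed to the context only as "ips1" and is its default.
asa(config-ctx)# allocate-ips vs0 ips1 default
asa(config-ctx)# end
asa# changeto context ctx1
!
! --- Inside context ctx1 ---
asa/ctx1# configure terminal
! Step 4: match everything; narrow this ACL in production to what the module can inspect.
asa/ctx1(config)# access-list IPS_TRAFFIC extended permit ip any any
asa/ctx1(config)# class-map IPS_CLASS
asa/ctx1(config-cmap)# match access-list IPS_TRAFFIC
asa/ctx1(config-cmap)# exit
asa/ctx1(config)# policy-map IPS_POLICY
asa/ctx1(config-pmap)# class IPS_CLASS
! Step 7: inline so the module can drop, fail-close so a dead module does not
! silently become a bypass. Use fail-open only where availability outranks inspection.
asa/ctx1(config-pmap-c)# ips inline fail-close sensor ips1
asa/ctx1(config-pmap-c)# exit
asa/ctx1(config-pmap)# exit
! Step 9: apply on the interface where untrusted traffic arrives.
asa/ctx1(config)# service-policy IPS_POLICY interface outside
asa/ctx1(config)# end
! Check: the policy should list IPS_CLASS with the ips action and show packet counters.
asa/ctx1# show service-policy interface outside
! Check from the system space that the module is Up before relying on fail-close.
asa/ctx1# changeto system
asa# show module 1 details
```

The choice of fail-close is the security-relevant decision here: with fail-open, a module that crashes, reboots for a signature update or is overloaded lets all matched traffic through uninspected with no change in the ASA's own behaviour, so monitor `show module` output and the module's health rather than assuming the policy is enforced.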
Summary
The ASA IPS module opens up the possibility of using a single appliance to do a number of things. However, there are downsides to its add-on functionality. All traffic configured in the inline operational mode is limited to the throughput of the specific ASA IPS module, which differs considerably by ASA model and module. For very high-bandwidth deployments, Cisco also offers dedicated IPS appliances.
Hopefully the content of this article has provided you with at least a little better understanding of the capabilities of this solution and how it can be configured to increase the security of an organization's (small to large) network.