Table Of Contents
Information About the IPS Module on the ASA
Connecting Management Interface Cables
Launching the Adaptive Security Device Manager (ASDM) on the ASA
(ASA 5512-X through ASA 5555-X) License Requirements
(ASA 5505) Setting Up the IPS Module for Management
Configuring the IPS Security Policy
Configuring the ASA to Use the IPS Module
Quick Start Guide
Cisco IPS Module on the ASA
1 Information About the IPS Module on the ASA
The IPS module might be a physical module or a software module, depending on your ASA model. For ASA model software and hardware compatibility with the IPS module, see the Cisco ASA Compatibility at http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html.
The IPS module runs advanced IPS software that provides proactive, full-featured intrusion prevention services to stop malicious traffic, including worms and network viruses, before they can affect your network.
The IPS module runs a separate application from the ASA. The IPS module might include an external management interface so you can connect to the IPS module directly; if it does not have a management interface, you can connect to the IPS module through the ASA interface. Any other interfaces on the IPS module, if available for your model, are used for ASA traffic only.
Traffic goes through the firewall checks before being forwarded to the IPS module. When you identify traffic for IPS inspection on the ASA, traffic flows through the ASA and the IPS module as follows. Note: This example is for "inline mode." See the ASA configuration guide for information about "promiscuous mode," where the ASA only sends a copy of the traffic to the IPS module.
The following figure shows the traffic flow when running the IPS module in inline mode. In this example, the IPS module automatically blocks traffic that it identified as an attack. All other traffic is forwarded through the ASA.
2 Connecting Management Interface Cables
• ASA 5505
The ASA 5505 does not have a dedicated management interface. You must use an ASA VLAN to access an internal management IP address over the backplane. Connect the management PC to one of the following ports: Ethernet 0/1 through 0/7, which are assigned to VLAN 1.
• ASA 5512-X through ASA 5555-X (Software Module)
These models run the IPS module as a software module, and the IPS management interface shares the Management 0/0 interface with the ASA.
• ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X (Physical Module)
Connect to the ASA Management 0/0 interface and the IPS Management 1/0 interface.
3 Launching the Adaptive Security Device Manager (ASDM) on the ASA
Step 1
On the management PC, launch a web browser.
Step 2
In the Address field, enter the following URL: https://192.168.1.1/admin
Step 3
Click Run ASDM to run the Java Web Start application. Alternatively, you can download the ASDM-IDM Launcher (Windows only). See the ASA configuration guide for more information.
Step 4
Accept any certificates according to the dialog boxes that appear. The Cisco ASDM-IDM Launcher dialog box appears.
Step 5
Leave the username and password fields empty, and click OK. The main ASDM window appears.
4 (ASA 5512-X through ASA 5555-X) License Requirements
For the ASA 5512-X through the ASA 5555-X, the ASA requires the IPS Module license. To view your current licenses, in ASDM choose Home > Device Dashboard > Device Information > Device License. For more information about ASA licenses, see the licensing chapter in the configuration guide.
5 (ASA 5505) Setting Up the IPS Module for Management
Step 1
If you are configuring the IPS module for the first time, in the ASDM main window choose Configuration > Device Setup > SSC Setup.
If you click the IPS tab before you have configured the IPS module, the Stop dialog box appears. Click OK to have ASDM redirect you to the SSC Setup pane. You must define the settings in the SSC Setup pane before you can access any part of the GUI.
Step 2
In the Management Interface and Management Access List areas, accept the default settings.
Step 3
In the IPS Password area, do the following:
a. Enter the password. The default password is cisco.
b. Enter the new password, and confirm the change.
Step 4
Click Apply to save the settings to the running configuration. The SSC Setup completed dialog box appears after the initial configuration.
6 Configuring the IPS Security Policy
Step 1
To access the IPS Device Manager (IDM) from ASDM, click Configuration > IPS. You are asked for the IP address or hostname of the IPS module, as well as the username and password.
Step 2
Accept the default IP address and port (192.168.1.2:443). The default username is cisco. The default password is cisco; for the ASA 5505, if you changed the password as part of the initial module setup, enter the new password here. To save the login information on your local PC, check the Save IPS login information on local host check box.
Step 3
Click Continue. The Startup Wizard pane appears.
Note
If the IPS module is running Version 5.x or earlier, ASDM displays a link to IDM.
Step 4
Click Launch Startup Wizard. Complete the screens as prompted. For more information, see the IDM online help.
7 Configuring the ASA to Use the IPS Module
All traffic sent over the backplane to the IPS module has the IPS security policy applied. Complete the following steps to determine what traffic to send to the IPS module:
Step 1
Choose Configuration > Firewall > Service Policy Rules.
Step 2
Choose Add > Add Service Policy Rule. The Add Service Policy Rule Wizard - Service Policy dialog box appears.
Step 3
Complete the Service Policy dialog box, and then the Traffic Classification Criteria dialog box as desired. See the ASDM online help for more information about these screens.
Step 4
Click Next to show the Add Service Policy Rule Wizard - Rule Actions dialog box.
Step 5
Click the Intrusion Prevention tab.
Step 6
Check the Enable IPS for this traffic flow check box.
Step 7
In the Mode area, click Inline Mode or Promiscuous Mode.
Step 8
In the If IPS Card Fails area, click Permit traffic or Close traffic. The Close traffic option sets the ASA to block all traffic if the IPS module is unavailable. The Permit traffic option sets the ASA to allow all traffic through, uninspected, if the IPS module is unavailable. For information about the IPS Sensor Selection area, see the ASDM online help.
Step 9
Click OK and then Apply.
Step 10
Repeat this procedure to configure additional traffic flows as desired.
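The ASDM wizard in Steps 1 through 9 writes the same configuration you can enter at the ASA CLI. The following is an added example, not text from this guide; the class and policy names are placeholders, and it assumes the default global policy (global_policy) and a class that matches all traffic. The Mode and If IPS Card Fails choices from Steps 7 and 8 map directly onto the keywords of the ips command.

```text
! Added example (not from this guide): ASA CLI equivalent of the service policy rule above.
! ips_class is a placeholder name; global_policy is the ASA default global policy.
class-map ips_class
 match any
!
policy-map global_policy
 class ips_class
  ! Inline Mode + Close traffic: flows are dropped if the IPS module is unavailable.
  ips inline fail-close
!
! Alternatives for the same class (configure only one):
!  ips inline fail-open        -> Inline Mode + Permit traffic (uninspected if the module fails)
!  ips promiscuous fail-open   -> Promiscuous Mode: the module only receives a copy and cannot drop inline
!
service-policy global_policy global
!
! Verification from exec mode after applying the policy:
show service-policy
show module
```

Choosing fail-close trades availability for inspection coverage: if the module is unavailable, matching traffic stops, which is the behaviour the Close traffic option describes in Step 8, so verify module status with show module before and after a change.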
8 Where to Go Next
• (Optional) Configure advanced IPS options, including virtual sensors. See the IDM online help or the documentation roadmap for your version:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_documentation_roadmaps_list.html
• (Optional) Configure virtual sensors on the ASA. See the online help or the IPS chapter in the configuration guide for your ASA version: