
Configuring the Cisco ASA IPS Module

Article Description

With the ongoing threat of network attacks existing for almost all companies that are connected to the Internet, there is often a need to set up some type of intrusion detection system (IDS) or intrusion protection system (IPS).

The main difference between an IDS and an IPS is what happens when the device detects an attack. An IDS detects the attack and alerts the network administrators/engineers; an IPS can also directly block the attack traffic once it has been detected, which can proactively prevent a good amount of damage to the internal network.

Cisco's Adaptive Security Appliance (ASA) line adds this ability with an additional piece of hardware or software, depending on the base ASA model. Sean Wilkins takes a look at this additional capability, what it offers, and how it can be configured to monitor traffic through an ASA.


ASA IPS Module Configuration

To keep this organized, the next few sections split the configuration into its major parts.

ASA IPS Module Network Configuration

The first thing to cover is how to configure the basic network settings of the IPS module, assuming that the defaults are not acceptable. The way to do this differs between the ASA 5505 and all of the other models.

For the ASA 5505, the first thing to set up is the management VLAN. The process to configure these settings is shown in Table 1:

Table 1: ASA 5505 IPS Module Basic Network Settings

Step 1. Enter privileged EXEC mode.
    asa>enable

Step 2. Enter global configuration mode.
    asa#configure terminal

Step 3. Enter interface configuration mode (this is the current management VLAN interface).
    asa(config)#interface vlan vlan_id

Step 4. Disable IPS management.
    asa(config-if)#no allow-ssc-mgmt

Step 5. Enter interface configuration mode (this is the new management VLAN interface).
    asa(config-if)#interface vlan vlan_id

Step 6. Enable IPS management.
    asa(config-if)#allow-ssc-mgmt

Step 7. Exit configuration mode.
    asa(config-if)#end

Step 8. Configure the ASA IPS module management IP address.
    Note: This IP address must be in the same subnet as the management VLAN interface configured in step 5. The gateway is the IP address of this same VLAN interface.
    asa#hw-module module 1 ip ip_address netmask gateway

Step 9. Configure the host(s) that are allowed to access the ASA IPS module management address.
    asa#hw-module module 1 allow-ip ip_address netmask
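Table 1 carried through with constructed values, as an added example that is not part of the article: the management VLAN moves from VLAN 1 to VLAN 10, the module is addressed as 192.168.10.2 with the VLAN 10 interface address 192.168.10.1 as its gateway, and management access is restricted to one admin workstation at 192.168.10.50. The VLAN numbers, addresses and interface name are assumptions; the nameif, security-level and ip address lines are standard ASA VLAN interface commands that the table does not list but that the module's gateway in step 8 depends on.

```cisco
! Added example with constructed values: move the IPS management VLAN
! from VLAN 1 to VLAN 10 on an ASA 5505 and address the module.
asa> enable
asa# configure terminal
! Steps 3-4: stop using the current management VLAN (assumed to be VLAN 1)
asa(config)# interface vlan 1
asa(config-if)# no allow-ssc-mgmt
! Steps 5-6: the new management VLAN needs its own address, because that
! address becomes the module's default gateway in step 8
asa(config-if)# interface vlan 10
asa(config-if)# nameif ips-mgmt
asa(config-if)# security-level 100
asa(config-if)# ip address 192.168.10.1 255.255.255.0
asa(config-if)# allow-ssc-mgmt
asa(config-if)# end
! Step 8: module address in the VLAN 10 subnet, gateway = VLAN 10 address
asa# hw-module module 1 ip 192.168.10.2 255.255.255.0 192.168.10.1
! Step 9: allow only the admin workstation (host mask) to reach the module
asa# hw-module module 1 allow-ip 192.168.10.50 255.255.255.255
```

The allow-ip entry uses a /32 host mask on purpose: the module's management interface carries the sensor's own administrative access, so limiting it to the admin workstation rather than the whole management subnet keeps the exposed surface small.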

For all other ASA models, the first step is to session into the ASA IPS module. For the models using a software IPS module, there are two different methods to do this, as shown in Table 2:

Table 2: ASA IPS Module Session Methods (ASA 5510+)

Step 1 (hardware IPS modules). Access the ASA IPS module via telnet.
    asa#session 1

OR

Step 1 (software IPS modules). Access the ASA IPS module via telnet.
    asa#session ips

OR

Step 1 (software IPS modules). Access the ASA IPS module via console.
    asa#session ips console

Virtual Sensor Configuration

When using the ASA IPS module with multiple contexts, virtual sensors can be very useful. This section reviews the basic command that is used within each context's system execution space. The name given to the virtual sensor in this section can then be used within the configuration shown in the next section.

To configure a virtual sensor, there is only a single command that is used within each context (see Table 3).

Table 3: Configuring ASA IPS Module Virtual Sensors

Step 1. Enter privileged EXEC mode.
    asa>enable

Step 2. Enter global configuration mode.
    asa#configure terminal

Step 3. Enter the specific context execution space.
    asa(config)#context context-name

Step 4. Assign a virtual sensor to the context.
    asa(config-ctx)#allocate-ips sensor-name [mapped_name] [default]

ASA IPS Module Policy Configuration

For the ASA to know which traffic to forward to the IPS module, there needs to be a policy configured. All the specific options for matching traffic will not be covered in this article, but the basic commands will be shown for clarity. Table 4 will review the steps needed to create an ASA IPS module policy.

Table 4: Configuring ASA IPS Module Policy

Step 1. Enter privileged EXEC mode.
    asa>enable

Step 2. Enter global configuration mode.
    asa#configure terminal

Step 3. Create a class map.
    asa(config)#class-map class-name

Step 4. Specify a traffic match statement (or statements).
    Note: There are a number of different match statement possibilities.
    asa(config-cmap)#match parameter

Step 5. Create a policy map.
    asa(config-cmap)#policy-map policy-name

Step 6. Link the previously created class map with the policy.
    Note: Multiple class maps can be linked to the same policy map.
    asa(config-pmap)#class class-name

Step 7. Configure the traffic that has been matched to be sent to the ASA IPS module.
    Note: When the ASA is configured to fail-close, all traffic matched by the class will be dropped if the ASA IPS module cannot be contacted.
    asa(config-pmap-c)#ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]

Step 8. Exit back into global configuration mode.
    asa(config-pmap-c)#exit
    asa(config-pmap)#exit

Step 9. Activate the policy by applying it globally or to a specific ASA interface (by name).
    asa(config)#service-policy policy-name {global | interface interface-name}
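The virtual sensor allocation of Table 3 and the policy of Table 4 carried through together, as an added example that is not part of the article. It assumes a multiple-context ASA with a context named ctx1, a virtual sensor named vs0 already defined on the IPS module, an interface named outside, and a web server subnet 10.1.1.0/24; the context, sensor, ACL, class and policy names and the addresses are all constructed.

```cisco
! Added example with constructed names.
! Part 1 (Table 3), system execution space: give context ctx1 the IPS
! virtual sensor vs0, visible inside the context as "ctx1-sensor" and
! used as that context's default sensor.
asa(config)# context ctx1
asa(config-ctx)# allocate-ips vs0 ctx1-sensor default
asa(config-ctx)# end
! Part 2 (Table 4), inside the context. The ACL limits inspection to
! traffic bound for the web servers rather than "ip any any", so the
! module's inline throughput limit applies only to traffic that needs it.
asa# changeto context ctx1
asa/ctx1# configure terminal
asa/ctx1(config)# access-list IPS-TRAFFIC extended permit tcp any 10.1.1.0 255.255.255.0 eq 80
asa/ctx1(config)# access-list IPS-TRAFFIC extended permit tcp any 10.1.1.0 255.255.255.0 eq 443
asa/ctx1(config)# class-map IPS-CLASS
asa/ctx1(config-cmap)# match access-list IPS-TRAFFIC
asa/ctx1(config-cmap)# policy-map IPS-POLICY
asa/ctx1(config-pmap)# class IPS-CLASS
! inline: the module sits in the packet path and can drop matched traffic.
! fail-open: if the module is unreachable, matched traffic passes uninspected.
! Replace with "fail-close" when dropping the matched traffic during a
! module outage is preferable to letting it through uninspected.
asa/ctx1(config-pmap-c)# ips inline fail-open sensor ctx1-sensor
asa/ctx1(config-pmap-c)# exit
asa/ctx1(config-pmap)# exit
asa/ctx1(config)# service-policy IPS-POLICY interface outside
```

The sensor keyword uses the mapped name ctx1-sensor, not vs0, because that is the name the allocate-ips command exposed inside the context. Applying the policy to the outside interface rather than globally keeps the default global policy intact; an ASA accepts only one global service policy, and an interface policy takes precedence over it for that interface.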

Summary

The ASA IPS module opens up the possibility of using a single appliance to do a number of things. However, there are downsides to its add-on functionality. All traffic configured for the inline operational mode is limited to the overall throughput of the specific ASA IPS module (which differs considerably by ASA model and module). For very high-bandwidth applications, Cisco also offers IPS-only appliances.

Hopefully the content of this article has provided you with at least a little better understanding of the capabilities of this solution and how it can be configured to increase the security of an organization's (small to large) network.