Tuesday 23 May 2017

IPS Management Configuration Scenarios on a 5500x IPS Module

Introduction

This document provides configuration scenarios for the Intrusion Prevention System (IPS) module on an Adaptive Security Appliance (ASA) 5500x.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:
  • ASA 5500x IPS modules

Components Used

The information in this document is based on these software and hardware versions:
  • ASA 5500x IPS modules

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Background

With the introduction of the ASA 5500x and the software implementation of IPS, there are fundamental changes to the way IPS management is allowed to behave.
  1. The IPS can only use Management 0/0 interface for external management access.
  2. If the ASA has a nameif assigned to Management 0/0, the IPS must have an address in the same subnet as the nameif.
  3. You cannot remove the management-only command from the Management 0/0 interface of the ASA.
  4. If the ASA tries to route traffic through the management nameif with the "management-only" statement, the ASA drops the traffic.
  5. If there is no nameif assigned to the Management 0/0, the IPS functions similarly to the Advanced Inspection and Prevention Security Services Module (AIP-SSM) modules management interface.
These behaviors prevent communication from the IPS to external networks through the ASA whenever a nameif is assigned to the Management 0/0 interface: the ASA drops connections that arrive through its other interfaces as through-the-box traffic, because the source IP address belongs to the "management" nameif subnet. A second consequence is that the IPS needs an external gateway in order to route traffic properly to the ASA.

Preface

The IPS module on the ASA 5500X uses the Management 0/0 interface to communicate with the outside world. This document provides information on how to set up this interface in multiple environments.
All scenarios include this basic address scheme:
  • ASA outside interface: 203.0.113.1/24
  • ASA inside interface: 198.51.100.1/24
  • ASA management interface: 192.0.2.1/24
  • IPS management address: 192.0.2.2/24
All scenarios assume that the inside interface and Management 0/0 are connected to the same switch.
Note: If there is a nameif assigned to the ASA Management 0/0 interface, a Layer 3 device with interfaces in both the "inside" and "management" nameif subnets is required. The default gateway of the IPS must be located on that Layer 3 device.

Scenarios

Scenario 1

Best Practice for Setup of IPS and ASA Management

  1. IPS and ASA management cannot both be accessed through the Management 0/0 interface.
  2. There should be no nameif assigned to the ASA Management 0/0 interface. ASA management is accessed on traffic-bearing interfaces.
  3. The IPS is given an IP address reachable from the “inside” nameif.
  4. Access from the “inside” occurs through either the switch or router, without involvement of the ASA.
  5. In order to allow management from the outside, create a static Network Address Translation (NAT) for the sensor IP address, or define port forwarding to the appropriate port (port redirection is used in this example).
In this scenario, IPS management communication to the outside network behaves like that of any other host on the inside network. This path is used for signature updates, Global Correlation, and IPS Service License requests.
[Figure: ips-config-mod-01.png]
Configuration:
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0

!!

interface GigabitEthernet0/1
 nameif inside
 security-level 0
 ip address 198.51.100.1 255.255.255.0

!!

interface Management0/0
 no nameif
 security-level 0
 management-only

!!

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network IPS-management
 host 198.51.100.2
 !! Port redirection: outside port 65432 on the ASA outside interface forwards to the
 !! IPS management port 443. Object NAT is used because a static mapping to the
 !! interface address requires the interface keyword.
 nat (inside,outside) static interface service tcp 443 65432
object network ASA-inside
 host 198.51.100.1
object network ASA-outside
 host 203.0.113.1
object-group service HTTP
 service-object tcp-udp destination eq www
 service-object tcp destination eq https
access-list global_access extended permit ip any any
access-list global_access_1 remark Allow IPS management out through to the internet.
access-list global_access_1 extended permit object-group HTTP object IPS-management
   any

!! Dynamic PAT to the outside interface address for management traffic leaving the IPS.
nat (inside,outside) source dynamic IPS-management interface

!! Use of an ephemeral port allows for the use of common ports for other
!! network applications. This also conceals the actual management port by making it
!! not well known.

 
ASA# show module ips details | include Mgmt

Mgmt IP addr:       198.51.100.2
Mgmt Network mask:  255.255.255.0
Mgmt Gateway:       198.51.100.1
Mgmt Access List:   0.0.0.0/0
Mgmt web ports:     443
Mgmt TLS enabled:   true

Scenario 2

IPS management is in the same subnet as the “management” nameif and is in a Layer 3 network

  1. Point the gateway of the IPS to a Layer 3 interface in the network other than the ASA management nameif IP. This device must support routing between both subnets; for example, IPS address 192.0.2.2/24 with gateway 192.0.2.254.
  2. Create a static route on the inside interface of the ASA that points the traffic for the IPS address to the Layer 3 interface IP address; for example, route inside 192.0.2.2 255.255.255.255 198.51.100.254.
  3. Make sure all access control list (ACL) and NAT rules apply to the IP address of the IPS management.
In this configuration, the IPS sends Global Correlation updates, license requests and IPS signature update requests to its default gateway (192.0.2.254), and the traffic is translated to the outside address as it leaves the ASA. Return traffic follows the inside route back to the Layer 3 device, which has an interface in both the inside and management networks.
[Figure: ips-config-mod-02.png]
Configuration:
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0

!!

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 198.51.100.1 255.255.255.0 

!!

interface Management0/0
 nameif management
 security-level 0
 ip address 192.0.2.1 255.255.255.0
 management-only

!!

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service HTTP
 service-object tcp-udp destination eq www 
 service-object tcp destination eq https 
access-list global_access extended permit ip any any 
access-list global_access_1 remark Allow IPS management out through to the internet.
access-list global_access_1 extended permit object-group HTTP host 192.0.2.2 any
object network IPS-management
 host 192.0.2.2

!! Dynamic PAT to the outside interface address for management traffic leaving the IPS.
nat (inside,outside) source dynamic IPS-management interface

route inside 192.0.2.2 255.255.255.255 198.51.100.254 1



ASA# show module ips details | include Mgmt

Mgmt IP addr:        192.0.2.2
Mgmt Network mask:   255.255.255.0
Mgmt Gateway:        192.0.2.254
Mgmt Access List:    0.0.0.0/0
Mgmt web ports:      443
Mgmt TLS enabled:    true
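The rules in the Background section and the steps of Scenario 2 can be checked mechanically before a change window. The following Python script is an added example, not part of the Cisco document: it parses an ASA configuration excerpt (interface blocks and route lines in the format used on this page) together with the output of show module ips details | include Mgmt, and reports the conditions the Background section warns about: an IPS address outside the management nameif subnet, an IPS gateway that points at the ASA's management-only interface, and a missing host route towards the Layer 3 device on a traffic-bearing interface. When Management 0/0 has no nameif it instead checks the Scenario 1 condition that the IPS sits in the subnet of a named interface. The sample inputs are constructed excerpts of Scenario 1 and Scenario 2 plus a deliberately misconfigured variant; all function and constant names are the example's own.

```python
import ipaddress
import re

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
MGMT_RE = re.compile(r"^Mgmt (IP addr|Network mask|Gateway):\s+(\S+)")

def parse_asa_config(config):
    """Return ({ifname: {"nameif", "iface"}}, [(nameif, destination, next hop)]) from a config excerpt."""
    interfaces, routes, current = {}, [], None
    for raw in config.splitlines():
        line, fields = raw.rstrip(), raw.split()
        if not fields:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"nameif": None, "iface": None}
        elif not line.startswith(" "):
            current = None  # any unindented line ends the interface block
            match = ROUTE_RE.match(line)
            if match:
                nameif, dest, mask, next_hop = match.groups()
                routes.append((nameif, ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                               ipaddress.ip_address(next_hop)))
        elif current is None:
            continue  # indented line of some other block (object network, ...)
        elif fields[0] == "nameif":
            interfaces[current]["nameif"] = fields[1]
        elif fields[:2] == ["ip", "address"]:
            interfaces[current]["iface"] = ipaddress.ip_interface(f"{fields[2]}/{fields[3]}")
    return interfaces, routes

def parse_ips_mgmt(show_output):
    """Parse 'show module ips details | include Mgmt' output into (IPS IPv4Interface, gateway address)."""
    fields = {m.group(1): m.group(2)
              for m in map(MGMT_RE.match, map(str.strip, show_output.splitlines())) if m}
    return (ipaddress.ip_interface(f"{fields['IP addr']}/{fields['Network mask']}"),
            ipaddress.ip_address(fields["Gateway"]))

def check_ips_management(config, show_output):
    """Apply the 5500-X rules from the Background section; an empty list means the design is consistent."""
    interfaces, routes = parse_asa_config(config)
    ips, gateway = parse_ips_mgmt(show_output)
    mgmt = interfaces["Management0/0"]
    named = {i["nameif"]: i for i in interfaces.values() if i["nameif"] and i["iface"]}
    findings = []
    if gateway not in ips.network:
        findings.append(f"IPS gateway {gateway} is outside the IPS subnet {ips.network}")
    if mgmt["nameif"] is None:
        # Rule 5 / Scenario 1: with no nameif the IPS behaves like an AIP-SSM and must sit
        # in the subnet of a traffic-bearing (named) interface such as "inside".
        if not any(ips.ip in i["iface"].network for i in named.values()):
            findings.append(f"IPS {ips.ip} is not in the subnet of any named ASA interface")
        return findings
    # Rule 2: with a nameif on Management 0/0 the IPS must share that subnet.
    if mgmt["iface"] is None or ips.ip not in mgmt["iface"].network:
        findings.append(f"IPS {ips.ip} is not in the {mgmt['nameif']} subnet")
    # Rules 3/4 and the Preface note: a management-only interface drops through traffic,
    # so the IPS gateway must be a separate Layer 3 device, never the ASA management address.
    if mgmt["iface"] is not None and gateway == mgmt["iface"].ip:
        findings.append(f"IPS gateway {gateway} is the ASA {mgmt['nameif']} address; "
                        "through traffic on a management-only interface is dropped")
    # Scenario 2 step 2: a host route on a non-management interface whose next hop (the Layer 3
    # device) lies in that interface's subnet, so that return traffic can reach the IPS.
    routed = [n for n, dest, next_hop in routes
              if n != mgmt["nameif"] and ips.ip in dest and n in named
              and next_hop in named[n]["iface"].network]
    if not routed:
        findings.append(f"no static route for {ips.ip} via a Layer 3 next hop on a non-management interface")
    return findings

# Constructed excerpts of this document's Scenario 1 and Scenario 2 configurations and IPS output.
SCENARIO_1_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 198.51.100.1 255.255.255.0
interface Management0/0
 no nameif
 management-only
"""
SCENARIO_1_IPS = "Mgmt IP addr:       198.51.100.2\nMgmt Network mask:  255.255.255.0\nMgmt Gateway:       198.51.100.1\n"
SCENARIO_2_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 198.51.100.1 255.255.255.0
interface Management0/0
 nameif management
 ip address 192.0.2.1 255.255.255.0
 management-only
route inside 192.0.2.2 255.255.255.255 198.51.100.254 1
"""
SCENARIO_2_IPS = "Mgmt IP addr:        192.0.2.2\nMgmt Network mask:   255.255.255.0\nMgmt Gateway:        192.0.2.254\n"
# Constructed misconfiguration: IPS gateway pointed at the ASA management address, and no inside route.
BROKEN_CONFIG = SCENARIO_2_CONFIG.replace("route inside 192.0.2.2 255.255.255.255 198.51.100.254 1\n", "")
BROKEN_IPS = SCENARIO_2_IPS.replace("192.0.2.254", "192.0.2.1")

if __name__ == "__main__":
    print(check_ips_management(SCENARIO_2_CONFIG, SCENARIO_2_IPS) or "scenario 2: consistent")
    print(check_ips_management(BROKEN_CONFIG, BROKEN_IPS))
```

Run against the real device, paste the output of show running-config interface and show route into the config argument and the Mgmt lines into the second; the checks only cover what the page states, so a clean result means the addressing and routing agree with the four rules, not that the NAT and ACL parts are correct.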

Scenario 3

IPS management is needed from the outside interface and there is a “management” nameif

  1. Point the gateway of the IPS to a Layer 3 interface in the network other than the ASA management nameif IP. This device must support routing between both subnets.
  2. Create a static route on the inside interface of the ASA to point the traffic to the Layer 3 interface IP address.
  3. Make sure all ACL and NAT rules apply to the IP address of the IPS management.
Everything is the same as above, except an ACL must be written to allow a host from the outside to manage the IPS.
[Figure: ips-config-mod-03.png]
Configuration:
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0

!!

interface GigabitEthernet0/1
 nameif inside
 security-level 0
 ip address 198.51.100.1 255.255.255.0 

!!

interface Management0/0
 nameif management
 security-level 0
 ip address 192.0.2.1 255.255.255.0 
 management-only

!!

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ASA-management
 host 192.0.2.1
object network ASA-inside
 host 198.51.100.1
object network IPS-management
 host 192.0.2.2
object-group service HTTP
 service-object tcp-udp destination eq www 
 service-object tcp destination eq https 
access-list global_access extended permit ip any any 
access-list global_access_1 remark Allow IPS management out through to the internet.
access-list global_access_1 extended permit object-group HTTP object IPS-management
   any 
object-group service MGMT_SERVICES
 service-object tcp-udp destination eq http
 service-object tcp destination eq https
 service-object tcp destination eq ssh
access-list outside_access_in line 1 remark Allow outside management to IPS.
access-list outside_access_in line 2 extended permit object-group MGMT_SERVICES 
   host 203.0.113.1 object IPS-management
access-group outside_access_in in interface outside
 
nat (inside,outside) source dynamic IPS-management interface
route inside 192.0.2.2 255.255.255.255 198.51.100.254 1



ASA# show module ips details | include Mgmt

Mgmt IP addr:       192.0.2.2
Mgmt Network mask:  255.255.255.0
Mgmt Gateway:       192.0.2.254
Mgmt Access List:   0.0.0.0/0
Mgmt web ports:     443
Mgmt TLS enabled:   true
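Scenario 3 opens the IPS management ports to a host on the outside, which is exactly the kind of rule that later widens to "any" during troubleshooting and is never tightened again. The following Python script is an added example, not part of the Cisco document: it parses the object, object-group service, access-list and access-group lines of a configuration excerpt in the form used on this page, and reports which sources the ACLs bound inbound on the outside interface (or globally) permit towards the IPS management address, and on which ports. The sample is a constructed excerpt of Scenario 3 with the wrapped ACE joined onto one line, plus two constructed variants (source widened to any, and the permit-ip-any-any ACL applied globally); the function and constant names are the example's own, and only the any, host and object endpoint forms are handled.

```python
import re

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}
ACE_RE = re.compile(r"^access-list (\S+)(?: line \d+)? extended permit (ip|object-group \S+) (.+)$")

def parse_objects(config):
    """Collect 'object network ... host' addresses and 'object-group service' port sets."""
    hosts, groups, current, kind = {}, {}, None, None
    for line in config.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[:2] == ["object", "network"]:
            current, kind = fields[2], "host"
        elif fields[:2] == ["object-group", "service"]:
            current, kind = fields[2], "group"
            groups[current] = set()
        elif not line.startswith(" "):
            current = kind = None  # any other unindented line ends the block
        elif kind == "host" and fields[0] == "host":
            hosts[current] = fields[1]
        elif kind == "group" and fields[0] == "service-object":
            port = fields[-1]  # e.g. "service-object tcp-udp destination eq www"
            groups[current].add((fields[1], PORT_NAMES.get(port) or int(port)))
    return hosts, groups

def _endpoint(tokens, hosts):
    """Consume one ACE endpoint ('any', 'host A.B.C.D' or 'object NAME'); return (address or 'any', rest)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    if tokens[0] == "object":
        return hosts[tokens[1]], tokens[2:]
    raise ValueError(f"unsupported endpoint: {' '.join(tokens)}")

def applied_acls(config):
    """Names of ACLs bound inbound on 'outside' or globally, i.e. those that govern traffic arriving from outside."""
    names = set()
    for line in config.splitlines():
        f = line.split()
        if f[:1] == ["access-group"] and (f[2:3] == ["global"] or f[2:5] == ["in", "interface", "outside"]):
            names.add(f[1])
    return names

def ips_exposure(config, ips_address):
    """(source, ports) pairs that the active outside-facing ACLs permit towards the IPS management address;
    ports is a sorted list of (protocol, port) tuples, or 'all' for a 'permit ip' entry."""
    hosts, groups = parse_objects(config)
    active, exposure = applied_acls(config), []
    for line in config.splitlines():
        match = ACE_RE.match(line.strip())
        if not match or match.group(1) not in active:
            continue
        proto, rest = match.group(2), match.group(3).split()
        src, rest = _endpoint(rest, hosts)
        dst, _ = _endpoint(rest, hosts)
        if dst in ("any", ips_address):
            exposure.append((src, "all" if proto == "ip" else sorted(groups[proto.split()[1]])))
    return exposure

def unrestricted_sources(exposure):
    """Entries that let any outside host reach IPS management, which Scenario 3 limits to a single host."""
    return [entry for entry in exposure if entry[0] == "any"]

# Constructed excerpt of this document's Scenario 3 configuration, with the wrapped ACE joined onto one line.
SCENARIO_3_CONFIG = """\
object network IPS-management
 host 192.0.2.2
access-list global_access extended permit ip any any
object-group service MGMT_SERVICES
 service-object tcp-udp destination eq http
 service-object tcp destination eq https
 service-object tcp destination eq ssh
access-list outside_access_in line 1 remark Allow outside management to IPS.
access-list outside_access_in line 2 extended permit object-group MGMT_SERVICES host 203.0.113.1 object IPS-management
access-group outside_access_in in interface outside
"""
# Constructed variants: the source host widened to 'any', and the permit-ip-any-any ACL applied globally.
OPEN_SOURCE_CONFIG = SCENARIO_3_CONFIG.replace("host 203.0.113.1", "any")
GLOBAL_PERMIT_CONFIG = SCENARIO_3_CONFIG + "access-group global_access global\n"

if __name__ == "__main__":
    print(ips_exposure(SCENARIO_3_CONFIG, "192.0.2.2"))
    print(unrestricted_sources(ips_exposure(OPEN_SOURCE_CONFIG, "192.0.2.2")))
```

The global variant matters because the page's other scenarios bind global_access_1 with access-group ... global: an ACL applied globally is evaluated for traffic from the outside as well, so a permit ip any any there exposes the IPS management ports regardless of how tight outside_access_in is.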

Scenario 4

IPSec Tunnel Directly Connected to the ASA

  1. Termination of a VPN tunnel to the ASA has the same effect as management from the interface on which you terminate the VPN.
  2. Once you have set up your VPN, add a route on the ASA so that traffic arriving on the interface where the VPN terminates is forwarded to the IPS through an internal Layer 3 gateway as the next hop.
  3. The IPS management gateway must also point to a gateway that does not reside on the ASA but is inside the "management" nameif subnet.
  4. If there are no Layer 3 devices behind the ASA, you must remove the "management" nameif and the IP address from the ASA Management 0/0 interface, and then place the IPS in the "inside" nameif subnet.
Management traffic that leaves the IPS works the same as in a network without the VPN connection. However, management access must come from an address on the network on which the VPN terminates.
[Figure: ips-config-mod-04.png]
Configuration:
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0

!!

interface GigabitEthernet0/1
 nameif inside
 security-level 0
 ip address 198.51.100.1 255.255.255.0

!!

interface Management0/0
 nameif management
 security-level 0
 ip address 192.0.2.1 255.255.255.0
 management-only

!!

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ASA-management
 host 192.0.2.1
object network ASA-inside
 host 198.51.100.1
object network IPS-management
 host 192.0.2.2
object-group service DM_INLINE_SERVICE_1
 service-object tcp-udp destination eq www
 service-object tcp destination eq https
access-list global_access extended permit ip any any
access-list global_access_1 remark Allow IPS management out through to the internet.
access-list global_access_1 extended permit object-group DM_INLINE_SERVICE_1
    object IPS-management any
no pager
logging enable
ip local pool vpn 198.51.100.3-198.51.100.49 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
access-group global_access_1 global
route outside 0.0.0.0 0.0.0.0 203.0.113.2
route inside 192.0.2.2 255.255.255.255 198.51.100.254 1
dynamic-access-policy-record DfltAccessPolicy
 description "access"
 webvpn
  svc ask enable default svc
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
crypto ipsec ikev1 transform-set tranny esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime kilobytes 20000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set
   ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 
   ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
   ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 proxy-ldc-issuer
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
crypto isakmp identity address
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcp-client client-id interface outside
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 port 8080
 enable outside
 enable inside
 dtls port 8080
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 anyconnect profiles ANYconnect disk0:/anyconnect.xml
 anyconnect enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 address-pools value vpn
 webvpn
  anyconnect profiles value ANYconnect type user

ASA# show module ips detail | include Mgmt
Mgmt IP addr:       192.0.2.2
Mgmt Network mask:  255.255.255.0
Mgmt Gateway:       192.0.2.254
Mgmt Access List:   0.0.0.0/0
Mgmt web ports:     443
Mgmt TLS enabled:   true
