Cisco Systems ASA 5585-X User Manual

Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 31      Configuring the ASA IPS Module
  Licensing Requirements for the ASA IPS module
See the following information about the management interface:
- ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X—The IPS management interface is a separate external Gigabit Ethernet interface.
- ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X—These models run the ASA IPS module as a software module. The IPS management interface shares the Management 0/0 interface with the ASA. Separate MAC addresses and IP addresses are supported for the ASA and ASA IPS module. You must perform configuration of the IPS IP address within the IPS operating system (using the CLI or ASDM). However, physical characteristics (such as enabling the interface) are configured on the ASA. You can remove the ASA interface configuration (specifically the interface name) to dedicate this interface as an IPS-only interface. This interface is management-only.
- ASA 5505—You can use an ASA VLAN to allow access to an internal management IP address over the backplane.
Licensing Requirements for the ASA IPS module
The following table shows the licensing requirements for this feature:

| Model | License Requirement |
|---|---|
| ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X | IPS Module License. |
| All other models | Base License. |

Note
The IPS module license lets you run the IPS software module on the ASA. You must also purchase a separate IPS signature subscription; for failover, purchase a subscription for each unit. To obtain IPS signature support, you must purchase the ASA with IPS pre-installed (the part number must include “IPS”). The combined failover cluster license does not let you pair non-IPS and IPS units. For example, if you buy the IPS version of the ASA 5515-X (part number ASA5515-IPS-K9) and try to make a failover pair with a non-IPS version (part number ASA5515-K9), then you will not be able to obtain IPS signature updates for the ASA5515-K9 unit, even though it has an IPS module license inherited from the other unit.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
The ASA 5505 does not support multiple context mode, so multiple context features, such as virtual sensors, are not supported on the AIP SSC.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
Model Guidelines
See the Cisco ASA Compatibility Matrix for information about which models support which modules: