Cisco ASA for Nexus 1000V Series Switch Installation Guide
Information About the IPS Module on the ASA
The IPS module might be a physical module or a software module, depending on your ASA model. For
ASA model software and hardware compatibility with the IPS module, see the Cisco ASA
Compatibility at
.
The IPS module runs advanced IPS software that provides proactive, full-featured intrusion prevention
services to stop malicious traffic, including worms and network viruses, before they can affect your
network.
The IPS module runs a separate application from the ASA. The IPS module might include an external
management interface so you can connect to the IPS module directly; if it does not have a management
interface, you can connect to the IPS module through the ASA interface. Any other interfaces on the
IPS module, if available for your model, are used for ASA traffic only.
Traffic goes through the firewall checks before being forwarded to the IPS module. When you identify
traffic for IPS inspection on the ASA, traffic flows through the ASA and the IPS module as follows.
Note: This example is for “inline mode.” See the ASA configuration guide for information about
“promiscuous mode,” where the ASA only sends a copy of the traffic to the IPS module.
1. Traffic enters the ASA.
2. Incoming VPN traffic is decrypted.
3. Firewall policies are applied.
4. Traffic is sent to the IPS module.
5. The IPS module applies its security policy to the traffic, and takes appropriate actions.
6. Valid traffic is sent back to the ASA; the IPS module might block some traffic according to its security policy, and that traffic is not passed on.
7. Outgoing VPN traffic is encrypted.
8. Traffic exits the ASA.
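
To check which traffic classes an ASA diverts through the IPS module inline (step 4 above) and which it only copies to the module in promiscuous mode, the following added example parses a running-config excerpt; it is not part of the Cisco guide. The excerpt is constructed, the class, policy and access-list names are hypothetical, and the `ips {inline | promiscuous} {fail-open | fail-close}` policy-map syntax is taken from the ASA CLI rather than from this page.

```python
import re

# Constructed ASA Modular Policy Framework excerpt (hypothetical names, not from the page).
SAMPLE_CONFIG = """\
class-map IPS_DMZ
 match access-list DMZ_TRAFFIC
class-map IPS_GUEST
 match access-list GUEST_TRAFFIC
policy-map global_policy
 class inspection_default
  inspect dns
 class IPS_DMZ
  ips inline fail-close
 class IPS_GUEST
  ips promiscuous fail-open
service-policy global_policy global
"""

# ASA policy-map action that hands a traffic class to the IPS module.
IPS_RE = re.compile(r"^ips (inline|promiscuous) (fail-open|fail-close)(?: sensor (\S+))?$")

def ips_redirects(config):
    """Return one dict per traffic class that a policy-map sends to the IPS module."""
    results, policy, klass = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            # Any top-level command closes the previous policy-map context.
            policy = line.split()[1] if line.startswith("policy-map ") else None
            klass = None
        elif policy and line.startswith("class "):
            klass = line.split()[1]
        elif policy and klass:
            m = IPS_RE.match(line)
            if m:
                results.append({"policy": policy, "class": klass, "mode": m.group(1),
                                "on_failure": m.group(2), "sensor": m.group(3)})
    return results

def copy_only_classes(config):
    """Classes for which the ASA sends the IPS module only a copy (promiscuous mode)."""
    return [r["class"] for r in ips_redirects(config) if r["mode"] == "promiscuous"]

if __name__ == "__main__":
    for entry in ips_redirects(SAMPLE_CONFIG):
        print(entry)
    print("promiscuous (copy only):", copy_only_classes(SAMPLE_CONFIG))
```

Classes that appear in no `ips` action never reach the module at all, so the list returned by `ips_redirects` is also the full scope of IPS inspection for that configuration.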