Cisco IPS 4255 Sensor White Paper
All contents are Copyright © 1992–2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Part 3 Deployment Scenarios
This section covers three specific deployment scenarios and how an AIP-SSM should be deployed
and configured in these examples, along with possible caveats.
Single Appliance
The first deployment is the single Cisco ASA appliance in a non-high-availability deployment
(Figure 1). This is the most straightforward Cisco ASA deployment, where a single appliance is
used to segment different networks. In this example, the Cisco ASA appliance sits between the
Internet and the DMZ and internal networks.
Figure 1. Single Adaptive Security Appliance
Putting a Cisco ASA appliance into this deployment is simple: the only concern is defining the
traffic policy. Example policies might be to inspect traffic from outside to the DMZ or inside in IPS
mode, and traffic from inside to the DMZ or outside in IDS mode.
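The example policy above could be expressed on the appliance roughly as follows. This is an added illustration, not configuration taken from the white paper: the interface names (outside, inside), the object names, the subnets (192.0.2.0/24 for the DMZ, 10.10.0.0/16 for the internal network) and the fail-open choice are all assumptions. IPS mode corresponds to the `ips inline` keyword and IDS mode to `ips promiscuous`.

```text
! Constructed example. Subnets, names and the fail-open setting are assumptions.
! Traffic arriving from the Internet and destined to the DMZ or inside network
access-list IPS-INLINE-ACL extended permit ip any 192.0.2.0 255.255.255.0
access-list IPS-INLINE-ACL extended permit ip any 10.10.0.0 255.255.0.0
!
! Traffic sourced from the inside network, destined to the DMZ or the Internet
access-list IPS-PROMISC-ACL extended permit ip 10.10.0.0 255.255.0.0 any
!
class-map IPS-INLINE-CLASS
 match access-list IPS-INLINE-ACL
class-map IPS-PROMISC-CLASS
 match access-list IPS-PROMISC-ACL
!
! IPS mode: the AIP-SSM sits in the packet path and can drop traffic.
! fail-open lets traffic pass uninspected if the module is unavailable;
! fail-close would block it instead.
policy-map OUTSIDE-IPS-POLICY
 class IPS-INLINE-CLASS
  ips inline fail-open
!
! IDS mode: the AIP-SSM receives a copy of the traffic and can only alert.
policy-map INSIDE-IDS-POLICY
 class IPS-PROMISC-CLASS
  ips promiscuous fail-open
!
service-policy OUTSIDE-IPS-POLICY interface outside
service-policy INSIDE-IDS-POLICY interface inside
```

Choosing fail-open or fail-close decides whether a module failure costs inspection coverage or availability, so it should be set deliberately for each class.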
Pair of Appliances
The second deployment option is a pair of Cisco ASA appliances in an active-passive
high-availability deployment (Figure 2).
Figure 2. Appliances in Active-Passive Deployment
Putting AIP-SSMs into this deployment is quite simple as well. In this design, traffic always flows in
and out of a single Cisco ASA appliance, whichever is active at the time. Since the appliance is
responsible for tracking and enforcing session state, the normalizer in the AIP-SSM isn’t included