Cisco ASA 5512-X Adaptive Security Appliance - No Payload Encryption Installation Guide

Information About the IPS Module on the ASA
The IPS module might be a physical module or a software module, depending on your ASA model. For 
ASA model software and hardware compatibility with the IPS module, see the Cisco ASA 
Compatibility document.
The IPS module runs advanced IPS software that provides proactive, full-featured intrusion prevention 
services to stop malicious traffic, including worms and network viruses, before they can affect your 
network. 
The IPS module runs a separate application from the ASA. The IPS module might include an external 
management interface so you can connect to the IPS module directly; if it does not have a management 
interface, you can connect to the IPS module through the ASA interface. Any other interfaces on the 
IPS module, if available for your model, are used for ASA traffic only.
Traffic goes through the firewall checks before being forwarded to the IPS module. When you identify 
traffic for IPS inspection on the ASA, traffic flows through the ASA and the IPS module as follows. 
Note: This example is for “inline mode.” See the ASA configuration guide for information about 
“promiscuous mode,” where the ASA only sends a copy of the traffic to the IPS module.
1. Traffic enters the ASA.
2. Incoming VPN traffic is decrypted.
3. Firewall policies are applied.
4. Traffic is sent to the IPS module.
5. The IPS module applies its security policy to the traffic, and takes appropriate actions.
6. Valid traffic is sent back to the ASA; the IPS module might block some traffic according to its 
security policy, and that traffic is not passed on.
7. Outgoing VPN traffic is encrypted.
8. Traffic exits the ASA.
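The following ASA CLI fragment is an added example, not configuration taken from this guide, showing how step 4 above ("traffic is sent to the IPS module") is expressed on the ASA: traffic is selected with a class map and redirected with the ips command inside the policy map. The access-list and class-map names (ips_traffic, ips_class) are assumptions chosen for this example; global_policy is the name of the default global policy map on the ASA. The IPS module itself must already be set up before this policy takes effect.

```text
! Select the traffic to send to the IPS module. "permit ip any any" sends
! everything that survives the firewall policy; narrow the ACL to send less.
access-list ips_traffic extended permit ip any any

class-map ips_class
 match access-list ips_traffic

! Redirect the selected traffic to the IPS module.
!   inline       - the IPS module sits in the traffic path and can drop packets
!                  (the flow described in steps 4 through 6 above)
!   promiscuous  - the IPS module only receives a copy and cannot block inline
!   fail-close   - if the IPS module fails, drop the selected traffic
!   fail-open    - if the IPS module fails, pass the selected traffic UNINSPECTED
policy-map global_policy
 class ips_class
  ips inline fail-close

! Apply the policy to every interface.
service-policy global_policy global
```

Two points follow directly from the ordering in the steps above. First, because firewall policies (step 3) run before the redirect (step 4), packets denied by an access list never reach the IPS module, so the ACL in the class map only needs to describe traffic the firewall already permits. Second, because VPN decryption (step 2) also happens first, the IPS module sees the cleartext of tunneled traffic, which is the main reason to redirect it at the ASA rather than on an external sensor. The fail-open option is the setting to be deliberate about: it keeps traffic flowing during a module failure or reload at the cost of inspection, whereas fail-close turns a module failure into an outage for the selected traffic. Use show service-policy to confirm the class is attached and counting packets.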