Putting an ASA5510 Interface into Promisuous mode...
Ahriakin
Member, Posts: 1,799
Can it be done?
(EDIT: More importantly can I spell "promisCuous")
We have an AIP-SSM-10 installed running 6.03-E1 and an ASA5510 running 8.03, with plenty of CPU cycles left on both. I'd like to use one of the free Ethernet ports on the ASA as an IDS sensor connected to a SPAN port on the central telecoms switch (mainly to cover traffic that uses our EVPN service and not the ASA). I've configured a second promiscuous-mode policy on the ASA and can apply it to the interface easily enough, but how can I set that port as promiscuous itself (can it even be done)? I was going to use the existing VS0 sensor but can configure a second one if need be.
Anyone tried this?
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
Comments
Ahriakin
Member, Posts: 1,799
Answering my own question, but just in case anyone ever gets here by a search for something similar: I checked with TAC (yesterday it clicked that since we actually do have current SmartNets on the hardware now I can use them... duh). It's impossible; ASA interfaces cannot be set as sensing ports for the AIP-SSM. The traffic has to route through the ASA to hit the AIP-SSM backplane. It would be nice if they added the functionality, though; I can't imagine it would be that hard to do.
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
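What the thread's conclusion means in configuration terms, as an added example that is not the poster's own config: the promiscuous IPS policy can only be bound to an interface whose traffic actually transits the ASA, so the module never sees a SPAN feed dropped onto an otherwise idle port. The access-list, class-map, policy-map and interface names (`inside`) are assumptions; the `ips` and `service-policy` commands are the ASA 8.0 Modular Policy Framework syntax.

```cisco
! Constructed example (not from the thread): ASA 8.0(3) MPF sending traffic to
! the AIP-SSM in promiscuous mode. Names below are assumptions.
! Per the TAC answer in the thread, IPS inspection only sees traffic that is
! routed THROUGH the ASA on the bound interface; a SPAN feed into a spare ASA
! port is never forwarded to the SSM backplane.
access-list IPS-TRAFFIC extended permit ip any any
!
class-map IPS-CLASS
 match access-list IPS-TRAFFIC
!
! promiscuous: the SSM gets a copy of each packet and cannot drop inline.
! fail-open: forwarding continues if the module is down or reloading.
! sensor vs0: selects the virtual sensor; a second sensor created on the
! SSM can be named here instead once it exists.
policy-map INSIDE-IPS-POLICY
 class IPS-CLASS
  ips promiscuous fail-open sensor vs0
!
! Bind the policy to the interface the monitored traffic passes through.
service-policy INSIDE-IPS-POLICY interface inside
!
! Checks that the module is actually receiving packets from this policy:
!   show service-policy interface inside
!   show module 1 details
```

If the `show service-policy` packet counters for the IPS class stay at zero, the interface is not carrying the traffic you expect, which is exactly the symptom the original design (SPAN into a spare port) would produce.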