Cisco IPS: Allowing Global Correlation update through ASA5505

Management only interface
Cisco ASA has a management-only interface mode which you have to disable in order to allow the IPS to get global correlation updates.

interface vlan 10
 description management
 nameif management
 no management-only

The management-only command denies traffic that is not destined to the ASA itself. An IPS connected to a management-only interface will never get updates from the internet.

Conditional NAT
The ASA5505 lets you restrict the conditions under which traffic is NAT-ed. For the IPS to receive global correlation updates, the ASA has to allow the destination ports for DNS, HTTP and HTTPS.

object network IPS
 host 192.168.100.1
 description IPS MANAGEMENT IP ADDRESS

object service https
 service tcp destination eq https
object service http
 service tcp destination eq www
object service dns
 service udp destination eq domain
object network GOOGLE_PRI_DNS
 host 8.8.8.8
 description GOOGLE PRIMARY DNS
object network GOOGLE_SEC_DNS
 host 8.8.4.4
 description GOOGLE SECONDARY DNS
object-group network PUBLIC_DNS
 description PUBLIC DNS SERVERS
 network-object object GOOGLE_PRI_DNS
 network-object object GOOGLE_SEC_DNS

nat (management,outside) source dynamic IPS interface service https https
nat (management,outside) source dynamic IPS interface service http http
nat (management,outside) source dynamic IPS interface service dns dns
The end result of the NAT configuration.

The NAT configuration translates the IP address of the IPS into the outside interface IP address only if the following conditions are met:
1. The source IP address belongs to the IPS.
2. The IPS is requesting DNS, or
3. the IPS is requesting HTTP/HTTPS.
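To make the two policies above concrete, here is an added example (not from the original post) that models the ASA's decision for a flow leaving the management interface: the management-only check, then the three conditional NAT rules. The IPS address comes from the configuration above; the ASA management address and the outside interface address are assumed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Constructed model of the configuration on this page.
IPS_MGMT_IP = "192.168.100.1"          # from "object network IPS"
ASA_MGMT_IP = "192.168.100.254"        # assumption: address of interface vlan 10
OUTSIDE_INTERFACE_IP = "203.0.113.10"  # assumption: the "interface" mapped address

# The three "nat (management,outside) source dynamic IPS interface service ..." rules.
# "service ... destination eq" constrains only the destination port, never the source port.
NAT_SERVICES = {("udp", 53), ("tcp", 80), ("tcp", 443)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def management_only_permits(flow: Flow, management_only: bool) -> bool:
    """Model of `management-only`: when set, only traffic addressed to the ASA passes."""
    if not management_only:
        return True
    return ip_address(flow.dst) == ip_address(ASA_MGMT_IP)


def nat_translate(flow: Flow, management_only: bool = False) -> Optional[str]:
    """Return the translated source address for a management->outside flow,
    or None when management-only blocks it or no NAT rule matches it."""
    if not management_only_permits(flow, management_only):
        return None
    # Condition 1: the source must be the IPS management address.
    if ip_address(flow.src) != ip_address(IPS_MGMT_IP):
        return None
    # Conditions 2/3: the destination service must be DNS, HTTP or HTTPS.
    if (flow.proto, flow.dport) not in NAT_SERVICES:
        return None
    return OUTSIDE_INTERFACE_IP
```

Flows such as SSH from the IPS to the internet return None, which is the intended effect of tying the translation to the three services.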

Successful global correlation updates

Global correlation health will show as successful. Alternatively, you can check the global correlation status with the show health command in the CLI.

You need an IPS license in order to get global correlation updates.
