Licensing requirements for the asa ips module, Guidelines and limitations – Cisco ASA 5505 User Manual

Page 1225

Advertising
background image

58-5

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 58 Configuring the ASA IPS Module

Licensing Requirements for the ASA IPS module

ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X—The IPS management interface
is a separate external Gigabit Ethernet interface. If you cannot use the default address (see the

“Default Settings” section on page 58-6

), you can change the interface IP address and other

network parameters. See the

“Configuring Basic IPS Module Network Settings” section on

page 58-10

. The IPS management IP address can be on the same network as the ASA (connected

through a switch), or on a different network (through a router). If you use a different network,
be sure to set the IPS gateway as appropriate.

ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X—These models run the
ASA IPS module as a software module. The IPS management interface shares the
Management 0/0 interface with the ASA. Separate MAC addresses and IP addresses are
supported for the ASA and ASA IPS module. You must perform configuration of the IPS IP
address within the IPS operating system (using the CLI or ASDM). However, physical
characteristics (such as enabling the interface) are configured on the ASA. You can change the
interface IP address and other network parameters. You should set the default gateway to be an
upstream router instead of the ASA management interface. Because the ASA management
interface does not allow through-traffic, traffic destined to another network is not allowed
through the ASA. See the

“Configuring Basic IPS Module Network Settings” section on

page 58-10

.

ASA 5505—You can use an ASA VLAN to allow access to an internal management IP address
over the backplane. See the

“(ASA 5505) Configuring Basic Network Settings” section on

page 58-11

to change the network settings.

Licensing Requirements for the ASA IPS module

The following table shows the licensing requirements for this feature:

The ASA IPS module requires a separate Cisco Services for IPS license in order to support signature
updates. All other updates are available without a license.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

The ASA 5505 does not support multiple context mode, so multiple context features, such as virtual
sensors, are not supported on the AIP SSC.

Model

License Requirement

ASA 5512-X,
ASA 5515-X,
ASA 5525-X,
ASA 5545-X,
ASA 5555-X

IPS Module License.

1

1.

For failover pairs, both units require the IPS module license.

All other models

Base License.

Advertising