
From what I have read, you can use the switchport monitor command on ASA 5505s to set up a SPAN port, due to the back of the ASA actually being a switch.

On my 5520, I do not see the switchport command listed when issuing a ? via the CLI. How do people monitor traffic on non-5505s? My goal is to connect our IDS/IPS device, which is running in promiscuous mode, to an Ethernet port on the 5520 to monitor WAN traffic.

I do not want to have to pass the WAN traffic through a switch as it would require me to get two (for redundancy) STP/switchport capable switches. Also, we have the 4GE SSM module for fiber WAN connectivity installed on the device so adding the IPS module is not an option.

Our IPS system is the Cisco IPS 4240. Would another option be to have Netflow or verbose syslog messages sent to the IPS device?

Guide to setting up switchport access on a 5505: http://www.wr-mem.com/?p=66

Brent

2 Answers


It's possible on the 5505 model, but not the 5510 or higher, since they don't have the integrated switch:
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
(See the "integrated ports" section)

To set it on the 5505:

ciscoasa> en
ciscoasa# conf t
ciscoasa(config)# int eth0/0
ciscoasa(config-if)# switchport monitor eth0/1

Where eth0/0 is your IDS port and eth0/1 is the interface you want to monitor.

To monitor an interface with the 5510 or higher, you'll need a separate switch with SPAN capabilities.

gharper
  • I've tried that: ciscoasa(config-if)# ^switchport monitor g0/3 ERROR: % Invalid input detected at ^ On a 5520 with 8.2 I don't think that a switchport command is an option on anything other than the 5505's. It isn't even showing up in the ? when it lists the available commands. – Brent Apr 28 '10 at 21:24
  • Interesting... Yup, just confirmed that it works on my 5505, but not my 5510. I'll see what else I can dig up. – gharper Apr 28 '10 at 21:42
  • 5510+'s don't have a switch backing to the ports. – Zypher Apr 28 '10 at 21:54
  • @Zypher: Yup, just updated my answer once I found that out. :) – gharper Apr 28 '10 at 21:56
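As an added example (not code from the answer above or from Cisco), a small Python checker that parses an ASA 5505 running-config and reports which source interfaces each `switchport monitor` destination mirrors, so you can verify that the IDS port really sees the interface you intended. The config excerpt is constructed, and the spelled-out `Ethernet0/x` names are assumed to match `show running-config` output.

```python
import re
from collections import defaultdict

# Constructed ASA 5505 running-config excerpt (not from the page): Ethernet0/7 is the
# IDS port and mirrors the two interfaces in VLAN 2.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/7
 switchport access vlan 2
 switchport monitor Ethernet0/0
 switchport monitor Ethernet0/1
!
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")
MON_RE = re.compile(r"^\s+switchport monitor\s+(\S+)")


def parse_span_sessions(config: str) -> dict:
    """Map each SPAN destination interface to the source interfaces it mirrors."""
    sessions = defaultdict(list)
    current = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)  # entered a new 'interface ...' block
            continue
        m = MON_RE.match(line)
        if m and current:
            sessions[current].append(m.group(1))
    return dict(sessions)


def check_span(config: str) -> list:
    """Return findings: no SPAN at all, a port mirroring itself, or an undefined source."""
    sessions = parse_span_sessions(config)
    defined = {IFACE_RE.match(l).group(1) for l in config.splitlines() if IFACE_RE.match(l)}
    findings = []
    for dst, srcs in sessions.items():
        for src in srcs:
            if src == dst:
                findings.append(f"{dst} monitors itself")
            elif src not in defined:
                findings.append(f"{dst} monitors undefined interface {src}")
    if not sessions:
        findings.append("no switchport monitor configured")
    return findings
```

Feed it the text of `show running-config` from a 5505; an empty findings list with the WAN interface listed under the IDS port is what you want to see.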

As you found out, you can't really do that with higher-model ASAs. Most people will either use the IPS modules that you can put into the expansion slots of the ASA, or will span the traffic at the switch before the firewall (or any other convenient place).

Zypher