Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 5 Configuring Interfaces
Understanding Interfaces
For More Information
For more information on choosing the alternate TCP interface, see Designating the Alternate TCP Reset
Interface, page 5-6.
Designating the Alternate TCP Reset Interface
Note: There is only one sensing interface on the ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP), so you cannot designate an alternate TCP reset interface.
You need to designate an alternate TCP reset interface in the following situations:
- When a switch is being monitored with either SPAN or VACL capture and the switch does not accept incoming packets on the SPAN or VACL capture port.
- When a switch is being monitored with either SPAN or VACL capture for multiple VLANs, and the switch does not accept incoming packets with 802.1q headers. The TCP resets need 802.1q headers to tell which VLAN the resets should be sent on.
- When a network tap is used for monitoring a connection. Taps do not permit incoming traffic from the sensor.
Caution: You can only assign a sensing interface as an alternate TCP reset interface. You cannot configure the management interface as an alternate TCP reset interface.
Table 5-2 Alternate TCP Reset Interfaces (continued)

Sensor                   Alternate TCP Reset Interface
ASA 5585-X IPS SSP-20    None
ASA 5585-X IPS SSP-40    None
ASA 5585-X IPS SSP-60    None
IPS 4240                 Any sensing interface
IPS 4255                 Any sensing interface
IPS 4260                 Any sensing interface
IPS 4270-20              Any sensing interface
IPS 4345                 Any sensing interface
IPS 4360                 Any sensing interface
IPS 4510                 Any sensing interface
IPS 4520                 Any sensing interface