ASA 5510 Config Question

Mar 9th, 2007
We have an ASA 5510 with AIP-SSM10 and will be migrating the 515E ruleset in the future. For right now I want to use the ASA behind the PIX as a bridge in order to use the IPS functionality. Would transparent mode with access lists that allow all traffic in both directions work in this situation? I don't want to drop any packets, just mirror traffic to the IPS for inspection and alerting.


Thanks

brobertson@lwcky.com Fri, 03/09/2007 - 12:53
Thanks for the reply, Sushil. I read that document but still have a few questions that maybe you could help me with.


Could I assign a security-level of 100 to both interfaces and check the box to "allow communications between interfaces with the same security level" or just use the permit any,any access lists?


I followed the instructions exactly to forward all traffic to the AIP-SSM for inspection but receive an error. Here is my config.


I would appreciate any input.


Thank you very much


ACCESS LISTS

ASA5510# sh access-list

access-list Inside_access_in extended permit ip any any

access-list Inside_access_out extended permit ip any any


access-list Outside_access_out extended permit ip any any

access-list Outside_access_in extended permit ip any any


access-list IPS extended permit ip any any



AIP SSM CONFIG


ASA5510(config)# access-list IPS permit ip any any

ASA5510(config)# class-map lwc-ips-class

ASA5510(config-cmap)# match access-list IPS

ASA5510(config-cmap)# policy-map lwc-ips-policy

ASA5510(config-pmap)# class lwc-ips-class

ASA5510(config-pmap-c)# ips promiscuous fail-open

ASA5510(config-pmap-c)# service-policy lwc-ips-policy global

ERROR: Policy map global_policy is already configured as a service policy


suschoud Fri, 03/09/2007 - 13:17

Could I assign a security-level of 100 to both interfaces and check the box to "allow communications between interfaces with the same security level" or just use the permit any,any access lists?

---- Yes, you can do this.



AIP SSM CONFIG


ASA5510(config)# access-list IPS permit ip any any

ASA5510(config)# class-map lwc-ips-class

ASA5510(config-cmap)# match access-list IPS

ASA5510(config-cmap)# policy-map lwc-ips-policy

ASA5510(config-pmap)# class lwc-ips-class

ASA5510(config-pmap-c)# ips promiscuous fail-open

ASA5510(config-pmap-c)# service-policy lwc-ips-policy global

ERROR: Policy map global_policy is already configured as a service policy



___ Answer:



ASA-5520-CSC-Standalone(config)# access-list IPS extended permit ip any any

ASA-5520-CSC-Standalone(config)#

ASA-5520-CSC-Standalone(config)# class-map lwc-ips-class

ASA-5520-CSC-Standalone(config-cmap)# match access-list IPS

ASA-5520-CSC-Standalone(config-cmap)# exit

ASA-5520-CSC-Standalone(config)# policy-map global_policy

ASA-5520-CSC-Standalone(config-pmap)# class lwc-ips-class

ASA-5520-CSC-Standalone(config-pmap-c)# ips promiscuous fail-open

ASA-5520-CSC-Standalone(config-pmap-c)# exit


ASA-5520-CSC-Standalone(config-pmap)# exit

ASA-5520-CSC-Standalone(config)# service-policy global_policy global



HTH..

Regards,

Sushil

Cisco TAC
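An added config-audit example, not from the thread or from Cisco: a small Python script that parses a pasted ASA running-config by indentation and reports whether each class carrying an ips action is reachable, which is the mistake behind the error above (a second policy map applied globally while global_policy already holds the single global slot). The sample config is constructed from the commands posted above; the message texts are this script's own.

```python
import re
# Constructed sample (not a real device capture): the questioner's commands as pasted
ATTEMPTED_CONFIG = """
access-list IPS extended permit ip any any
class-map lwc-ips-class
 match access-list IPS
policy-map global_policy
policy-map lwc-ips-policy
 class lwc-ips-class
  ips promiscuous fail-open
service-policy global_policy global
"""

def parse_policy_maps(config):
    """Map policy-map name -> list of (class name, action lines) from indentation."""
    pmaps, pmap, cls = {}, None, None
    for line in filter(str.strip, config.splitlines()):
        indent, tok = len(line) - len(line.lstrip()), line.split()
        if indent == 0:  # any top-level command ends the current policy-map block
            pmap = cls = None
            if tok[0] == "policy-map" and tok[1] != "type":
                pmap = tok[1]
                pmaps.setdefault(pmap, [])  # repeated blocks merge, as on the ASA
        elif pmap and indent == 1 and tok[0] == "class":
            cls = tok[1]
            pmaps[pmap].append((cls, []))
        elif pmap and cls and indent >= 2:
            pmaps[pmap][-1][1].append(line.strip())
    return pmaps

def applied_policies(config):
    # policy-map name -> 'global' or 'interface <nameif>' from service-policy lines
    pat = r"^service-policy (\S+) (global|interface \S+)\s*$"
    return {m.group(1): m.group(2) for m in re.finditer(pat, config, re.M)}

def audit_ips_policy(config):
    """Report, for each class carrying an 'ips' action, whether it can see traffic."""
    pmaps, applied = parse_policy_maps(config), applied_policies(config)
    glob = next((n for n, w in applied.items() if w == "global"), None)
    findings = []
    for name, classes in pmaps.items():
        for cls, actions in classes:
            if not any(a.startswith("ips ") for a in actions):
                continue
            if name in applied:
                findings.append(f"OK: {name}/{cls} reaches the SSM ({applied[name]})")
            else:  # the ASA allows only one global service policy
                hint = f"; move class {cls} into {glob}" if glob else ""
                findings.append(f"INACTIVE: {name}/{cls} is not applied{hint}")
    return findings
```

Running audit_ips_policy on the pasted config flags lwc-ips-policy as inactive; after the class is moved into global_policy, the same check reports it as reaching the SSM.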




