ASA 5510 Config Question


We have an ASA 5510 with AIP-SSM10 and will be migrating the 515E ruleset in the future. For right now I want to use the ASA behind the PIX as a bridge in order to use the IPS functionality. Would transparent mode with access lists that allow all traffic in both directions work in this situation? I don't want to drop any packets, just mirror traffic to the IPS for inspection and alerting.

Thanks


Thanks for the reply Sushil, I read that document but still have a few questions that maybe you could help me with?

Could I assign a security-level of 100 to both interfaces and check the box to "allow communications between interfaces with the same security level" or just use the permit any,any access lists?

I followed the instructions exactly to forward all traffic to the AIP-SSM for inspection but receive an error. Here is my config.

I would appreciate any input.

Thank you very much

ACCESS LISTS

ASA5510# sh access-list
access-list Inside_access_in extended permit ip any any
access-list Inside_access_out extended permit ip any any
access-list Outside_access_out extended permit ip any any
access-list Outside_access_in extended permit ip any any
access-list IPS extended permit ip any any

AIP SSM CONFIG

ASA5510(config)# access-list IPS permit ip any any
ASA5510(config)# class-map lwc-ips-class
ASA5510(config-cmap)# match access-list IPS
ASA5510(config-cmap)# policy-map lwc-ips-policy
ASA5510(config-pmap)# class lwc-ips-class
ASA5510(config-pmap-c)# ips promiscuous fail-open
ASA5510(config-pmap-c)# service-policy lwc-ips-policy global
ERROR: Policy map global_policy is already configured as a service policy

suschoud Fri, 03/09/2007 - 13:17

> Could I assign a security-level of 100 to both interfaces and check the box to "allow communications between interfaces with the same security level" or just use the permit any,any access lists?

---- Yes, you can do this.

> AIP SSM CONFIG
>
> ASA5510(config)# access-list IPS permit ip any any
> ASA5510(config)# class-map lwc-ips-class
> ASA5510(config-cmap)# match access-list IPS
> ASA5510(config-cmap)# policy-map lwc-ips-policy
> ASA5510(config-pmap)# class lwc-ips-class
> ASA5510(config-pmap-c)# ips promiscuous fail-open
> ASA5510(config-pmap-c)# service-policy lwc-ips-policy global
> ERROR: Policy map global_policy is already configured as a service policy

---- Answer:

ASA-5520-CSC-Standalone(config)# access-list IPS extended permit ip any any
ASA-5520-CSC-Standalone(config)#
ASA-5520-CSC-Standalone(config)# class-map lwc-ips-class
ASA-5520-CSC-Standalone(config-cmap)# match access-list IPS
ASA-5520-CSC-Standalone(config-cmap)# exit
ASA-5520-CSC-Standalone(config)# policy-map global_policy
ASA-5520-CSC-Standalone(config-pmap)# class lwc-ips-class
ASA-5520-CSC-Standalone(config-pmap-c)# ips promiscuous fail-open
ASA-5520-CSC-Standalone(config-pmap-c)# exit
ASA-5520-CSC-Standalone(config-pmap)# exit
ASA-5520-CSC-Standalone(config)# service-policy global_policy global

HTH.

Regards,

Sushil

Cisco TAC
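The error in the thread comes from trying to apply a second policy-map globally when global_policy is already the global service policy; the fix is to put the IPS class inside the existing global_policy. As an added example that is not part of this thread, the following Python checker (hypothetical names parse_mpf and check_ips_policy, constructed config samples) parses the policy-map / class / service-policy lines of a planned ASA config and flags that mistake before the config is pasted in:

```python
# Constructed sample of the poster's attempt: a second policy-map applied globally.
ATTEMPTED = """\
policy-map global_policy
policy-map lwc-ips-policy
 class lwc-ips-class
  ips promiscuous fail-open
service-policy global_policy global
service-policy lwc-ips-policy global
"""

# Constructed sample of the answer's fix: the IPS class inside the existing global_policy.
FIXED = """\
policy-map global_policy
 class inspection_default
  inspect dns
 class lwc-ips-class
  ips promiscuous fail-open
service-policy global_policy global
"""

def parse_mpf(config):
    """Return ({policy-map: {class: [actions]}}, [names applied 'global'] in order)."""
    pmaps, global_pmaps, pmap, cls = {}, [], None, None
    for line in config.splitlines():
        indent, tokens = len(line) - len(line.lstrip()), line.split()
        if not tokens: continue              # skip blank lines
        if indent == 0:                      # top-level command
            pmap = cls = None
            if tokens[0] == "policy-map":
                pmap = tokens[1]
                pmaps.setdefault(pmap, {})
            elif tokens[0] == "service-policy" and tokens[-1] == "global":
                global_pmaps.append(tokens[1])
        elif pmap and tokens[0] == "class":  # class inside a policy-map
            cls = tokens[1]
            pmaps[pmap].setdefault(cls, [])
        elif pmap and cls:                   # action line under that class
            pmaps[pmap][cls].append(line.strip())
    return pmaps, global_pmaps

def check_ips_policy(config, ips_class="lwc-ips-class"):
    """Empty list means the IPS class is reachable through the single global policy."""
    pmaps, global_pmaps = parse_mpf(config)
    problems = []
    if len(global_pmaps) > 1:  # the ASA keeps the first and rejects the rest
        problems.append(f"only one global service-policy allowed; rejected: {global_pmaps[1:]}")
    carriers = [n for n, c in pmaps.items() if any(a.startswith("ips ") for a in c.get(ips_class, []))]
    if not any(n in global_pmaps[:1] for n in carriers):
        problems.append(f"{ips_class} with its 'ips' action is not in the applied global policy-map")
    return problems
```

Run check_ips_policy on the config you intend to apply; the attempted config yields two findings while the fixed one yields none.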
