IPS INLINE on ASA

jim
Level 1

I have an ASA firewall with a built in IPS ASA-SSM-10.

When I'm running these in "inline" mode it appears sites we send outbound email to using TLS will not work. I don't get any error messages in debug mode that the IDSs are blocking this traffic. If I change the IPS to "promiscuous mode" the traffic passes. Has anyone else seen this problem and did you find a fix?

Thanks in advance

2 Replies

rmeans
Level 3

I have not experienced your problem. I noticed you are changing your config from inline to promiscuous. Until you determine the cause you could leave the IPS in promiscuous mode using this config example:

http://cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml#c

nykoelle01
Level 1

You have two options if you really want to use the inline feature. You can either go through and find every single signature that is configured with an inline action, in other words pretty much anything that is not 'Produce Alert.' Make that list and look and see which of those you really want to be inline, then tune accordingly. I did this with the CSM, which was pretty easy to sort by action; I'm not sure how easy it would be without it.

The other option is to monitor what signatures are fired on the IPS in IDM, and then check their actions. If they're being fired for non-malicious email and the signature is tuned to reset connection, then either retire the signature or tune it down to produce alert.

I would go with the first option to be safe and to know exactly what is getting blocked in your network at all times.
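The two triage options above (list every signature that carries an inline action, or check the actions of signatures that have fired on mail traffic) are easy to automate once the signature and event data are exported. The following is an added example, not code from either poster or from Cisco; it assumes the IPS action vocabulary (e.g. "produce-alert", "reset-tcp-connection", "deny-packet-inline"), the signature IDs and the event records are all constructed for illustration, and that a real export would be parsed into the same `Signature` and `Event` shapes.

```python
from dataclasses import dataclass, replace

# Actions that only observe or record. Anything outside this set drops, resets
# or blocks traffic when the sensor is inline. (Assumption: names follow the
# Cisco IPS action vocabulary; adjust to match your export.)
PASSIVE_ACTIONS = frozenset({
    "produce-alert", "produce-verbose-alert",
    "log-attacker-packets", "log-victim-packets", "log-pair-packets",
    "request-snmp-trap",
})

# Destination ports used for outbound mail, including the TLS variants.
MAIL_PORTS = frozenset({25, 465, 587})


@dataclass(frozen=True)
class Signature:
    sig_id: str
    name: str
    actions: frozenset
    enabled: bool = True
    retired: bool = False


@dataclass(frozen=True)
class Event:
    sig_id: str
    dst_port: int


def inline_actions(sig):
    """Actions on this signature that would act on traffic in inline mode."""
    return set(sig.actions) - PASSIVE_ACTIONS


def audit_inline(sigs):
    """Option 1: every active signature whose actions go beyond producing an alert."""
    return sorted(
        (s.sig_id, sorted(inline_actions(s)))
        for s in sigs
        if s.enabled and not s.retired and inline_actions(s)
    )


def mail_signatures_firing(events, sigs):
    """Option 2: inline-acting signatures that fired on mail ports, with hit counts."""
    by_id = {s.sig_id: s for s in sigs}
    counts = {}
    for ev in events:
        sig = by_id.get(ev.sig_id)
        if sig and not sig.retired and ev.dst_port in MAIL_PORTS and inline_actions(sig):
            counts[ev.sig_id] = counts.get(ev.sig_id, 0) + 1
    return counts


def tune_to_alert(sig):
    """Tune a signature down so it only produces an alert (keeps visibility, stops blocking)."""
    return replace(sig, actions=frozenset({"produce-alert"}))


def retire(sig):
    """Retire a signature entirely."""
    return replace(sig, retired=True)


# Constructed sample data (signature IDs and names are made up for the example).
SAMPLE_SIGS = [
    Signature("1000", "SMTP command probe", frozenset({"produce-alert"})),
    Signature("2000", "HTTP header anomaly", frozenset({"produce-alert", "deny-packet-inline"})),
    Signature("3001", "Suspicious TLS handshake", frozenset({"produce-alert", "reset-tcp-connection"})),
    Signature("4002", "Old SMTP relay check", frozenset({"reset-tcp-connection"}), retired=True),
]
SAMPLE_EVENTS = [
    Event("3001", 587), Event("3001", 465), Event("2000", 80),
    Event("1000", 25), Event("4002", 25),
]

if __name__ == "__main__":
    for sig_id, acts in audit_inline(SAMPLE_SIGS):
        print(f"inline action: sig {sig_id} -> {acts}")
    for sig_id, n in mail_signatures_firing(SAMPLE_EVENTS, SAMPLE_SIGS).items():
        print(f"sig {sig_id} acted on mail traffic {n} time(s); consider tune_to_alert/retire")
```

Running the audit first gives the complete list of what could block in inline mode; the event check then narrows that list to the signatures actually hitting mail flows, which is where a failure that disappears in promiscuous mode would show up.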
