Config Global policy to use IPS (ASA 5520)


I get an error, "ERROR: Policy map global_policy is already configured as a service policy", when I try to set up the IPS. How do I correct this config?

--------Attempted Config Change-----------------

HO1ASA01# conf t
HO1ASA01(config)# access-list IPS permit ip any any
HO1ASA01(config)# class-map IPS-CLASS
HO1ASA01(config-cmap)# match access-list IPS
HO1ASA01(config-cmap)# policy-map IPS-POLICY
HO1ASA01(config-pmap)# class IPS-CLASS
HO1ASA01(config-pmap-c)# ips promiscuous fail-open
HO1ASA01(config-pmap-c)# service-policy IPS-POLICY global
ERROR: Policy map global_policy is already configured as a service policy
HO1ASA01(config)#

------Running Config------------------

class-map IPS-CLASS
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
policy-map IPS-POLICY
 class IPS-CLASS
  ips promiscuous fail-open
!
service-policy global_policy global

acomiskey Wed, 02/06/2008 - 06:53

Add the new class to the existing global_policy instead of creating a new policy.

class-map IPS-CLASS
 match access-list IPS
policy-map global_policy
 class IPS-CLASS
  ips promiscuous fail-open
service-policy global_policy global

OK, the config still looks the same, but this time instead of an error I get a warning.

WARNNING: Policy map global_policy is already configured as a service policy

class-map IPS-CLASS
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
policy-map IPS-POLICY
 class IPS-CLASS
  ips promiscuous fail-open
!
service-policy global_policy global

Correct Answer
acomiskey Wed, 02/06/2008 - 12:13

The reason you got the warning is because you already had the line "service-policy global_policy global" in the config. You did not have to re-enter it.

You need to get rid of "policy-map IPS-POLICY".

Correct Answer
acomiskey Wed, 02/06/2008 - 12:18

Here is what it should look like...

policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class IPS-CLASS
  ips promiscuous fail-open
!
service-policy global_policy global

Notice there is no "policy-map IPS-POLICY" command.
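The mistake in this thread is easy to catch mechanically: the MPF chain on an ASA is class-map -> policy-map -> service-policy, and only one policy-map can be applied globally, so an "ips" action that lives in a second policy-map is never reached. Below is an added example, not code from the thread, from acomiskey, or from Cisco: a small Python linter that parses the MPF section of a running-config and reports a policy-map that is defined but never applied. The parser is keyword-driven (it ignores indentation, so a config pasted without leading spaces parses the same as a clean "show running-config") and only understands class-map, policy-map, class and service-policy lines. The two sample configs are constructed, abbreviated from those posted above; the function names are my own.

```python
"""Lint the Modular Policy Framework (MPF) chain of a Cisco ASA running-config.
Added example, not code from the thread or from Cisco: it follows class-map -> policy-map ->
service-policy and flags a policy-map that is defined but never applied (IPS-POLICY above)."""
import re

def parse_mpf(config_text):
    # Keyword-driven; indentation is ignored, so a config pasted without its
    # leading spaces parses the same as a clean 'show running-config'.
    model = {"class_maps": {}, "policy_maps": {}, "service_policies": []}
    block = cur_class = None  # open ("class-map"|"policy-map", name) and open class section
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"class-map(?: type (.+))? (\S+)$", line)
        if m:
            block, cur_class = ("class-map", m.group(2)), None
            model["class_maps"].setdefault(m.group(2), [])
            continue
        m = re.match(r"policy-map(?: type (.+))? (\S+)$", line)
        if m:
            block, cur_class = ("policy-map", m.group(2)), None
            model["policy_maps"].setdefault(m.group(2), {"type": m.group(1), "classes": {}})
            continue
        m = re.match(r"service-policy (\S+) (global|interface \S+)$", line)
        if m:
            block = cur_class = None
            model["service_policies"].append((m.group(1), m.group(2)))
            continue
        if block is None:
            continue  # lines outside any class-map/policy-map block are not MPF
        kind, name = block
        if kind == "class-map":
            model["class_maps"][name].append(line)  # match / description lines
            continue
        pm = model["policy_maps"][name]
        if pm["type"] is not None:
            continue  # "policy-map type inspect ..." holds parameters, not classes
        m = re.match(r"class (\S+)$", line)
        if m:
            cur_class = m.group(1)
            pm["classes"].setdefault(cur_class, [])
        elif cur_class is not None:
            pm["classes"][cur_class].append(line)  # an action, e.g. "ips promiscuous fail-open"
    return model

def lint_mpf(config_text):
    """Return human-readable findings; an empty list means the chain is sound."""
    model = parse_mpf(config_text)
    applied = {name for name, _ in model["service_policies"]}
    globals_ = [n for n, target in model["service_policies"] if target == "global"]
    findings = []
    if len(globals_) > 1:  # the ASA accepts exactly one global service-policy
        findings.append("more than one global service-policy: " + ", ".join(globals_))
    ips_reachable = False
    for name, pm in model["policy_maps"].items():
        if pm["type"] is not None:
            continue
        if name not in applied:
            findings.append(f"policy-map {name} is defined but never applied with service-policy")
        for cls, actions in pm["classes"].items():
            if cls != "class-default" and cls not in model["class_maps"]:
                findings.append(f"policy-map {name} references undefined class-map {cls}")
            if name in applied and any(a.startswith("ips ") for a in actions):
                ips_reachable = True
    if not ips_reachable:
        findings.append("no applied policy-map sends traffic to the IPS module")
    return findings

# Constructed samples, abbreviated from the configs posted in the thread.
COMMON = """\
class-map IPS-CLASS
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
"""
# The poster's config: the ips action sits in a second policy-map that nothing applies.
BROKEN_CONFIG = COMMON + """\
policy-map IPS-POLICY
 class IPS-CLASS
  ips promiscuous fail-open
service-policy global_policy global
"""
# acomiskey's fix: the class goes into global_policy, which is already applied.
FIXED_CONFIG = COMMON + """\
 class IPS-CLASS
  ips promiscuous fail-open
service-policy global_policy global
"""
```

Running `lint_mpf(BROKEN_CONFIG)` reports that IPS-POLICY is never applied and that no applied policy sends traffic to the IPS module; `lint_mpf(FIXED_CONFIG)` returns no findings. Appending a second "service-policy ... global" line to the broken config is flagged as a duplicate global policy, which is the condition the ASA refused with the ERROR in the original post.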

pdriscoll Wed, 02/06/2008 - 15:09

There is an excellent post titled "How do you tell if an ASA-SSM-20 is actually running and filtering traffic?" posted on this same thread, dated Jan 31 2008 that I found extremely helpful on this subject.
