Config Global policy to use IPS (ASA 5520)

Answered Question

I get an error, "ERROR: Policy map global_policy is already configured as a service policy", when I try to set up the IPS. How do I correct this config?



--------Attempted Config Change-----------------


HO1ASA01# conf t
HO1ASA01(config)# access-list IPS permit ip any any
HO1ASA01(config)# class-map IPS-CLASS
HO1ASA01(config-cmap)# match access-list IPS
HO1ASA01(config-cmap)# policy-map IPS-POLICY
HO1ASA01(config-pmap)# class IPS-CLASS
HO1ASA01(config-pmap-c)# ips promiscuous fail-open
HO1ASA01(config-pmap-c)# service-policy IPS-POLICY global
ERROR: Policy map global_policy is already configured as a service policy
HO1ASA01(config)#


------Running Config------------------


class-map IPS-CLASS
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
policy-map IPS-POLICY
 class IPS-CLASS
  ips promiscuous fail-open
!
service-policy global_policy global





acomiskey Wed, 02/06/2008 - 06:53

Add the new class to the existing global_policy instead of creating a new policy.


class-map IPS-CLASS
 match access-list IPS
policy-map global_policy
 class IPS-CLASS
  ips promiscuous fail-open
service-policy global_policy global

OK, the config still looks the same, but this time, instead of an error, I get a warning.

WARNING: Policy map global_policy is already configured as a service policy


class-map IPS-CLASS
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
policy-map IPS-POLICY
 class IPS-CLASS
  ips promiscuous fail-open
!
service-policy global_policy global



Correct Answer
acomiskey Wed, 02/06/2008 - 12:13

The reason you got the warning is because you already had the line "service-policy global_policy global" in the config. You did not have to re-enter it.

You need to get rid of "policy-map IPS-POLICY".

Correct Answer
acomiskey Wed, 02/06/2008 - 12:18

Here is what it should look like...


policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class IPS-CLASS
  ips promiscuous fail-open
!
service-policy global_policy global


Notice there is no "policy-map IPS-POLICY" command.
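The security-relevant point in this thread is easy to miss from the CLI output alone: until the fix, the `ips` action lived in a policy-map (IPS-POLICY) that was never bound, so no traffic was being copied to the IPS module even though the config "looked right". The following Python lint is an added example, not code from this thread or from Cisco; it parses a running-config fragment of the shape shown above (top-level policy-maps and `service-policy` lines only, which is an assumption of the parser), then reports an unbound policy-map, a missing effective `ips` action, and the state the ASA refused to enter (two global service policies). The sample configs are constructed from the thread's configs with the inspection list shortened.

```python
"""Lint an ASA Modular Policy Framework (MPF) config fragment for the
mistake in this thread: an `ips` action in a policy-map that is never
bound, or a second `service-policy ... global` while another policy-map
is already the global policy.  Constructed example, not ASA or Cisco code;
parsing is deliberately minimal (top-level policy-maps, classes, actions
and service-policy bindings only)."""
import re


def parse_policy_maps(config_text):
    """Return {policy_map: {class: [action lines]}} for bindable (top-level)
    policy-maps.  'policy-map type inspect ...' maps are skipped: they are
    referenced by inspect actions, not attached with service-policy."""
    pmaps, pmap, cls = {}, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"policy-map\s+(\S+)$", line)
        if m:                                   # new top-level policy-map
            pmap, cls = m.group(1), None
            pmaps[pmap] = {}
            continue
        if line.startswith(("policy-map type", "class-map",
                            "access-list", "service-policy")):
            pmap, cls = None, None              # leave policy-map context
            continue
        if pmap is None:
            continue
        m = re.match(r"class\s+(\S+)$", line)
        if m:                                   # class inside a policy-map
            cls = m.group(1)
            pmaps[pmap][cls] = []
        elif cls is not None:                   # action under that class
            pmaps[pmap][cls].append(line)
    return pmaps


def parse_bindings(config_text):
    """Return [(policy_map, scope)] from service-policy lines; scope is
    'global' or 'interface <name>'."""
    pat = re.compile(r"^\s*service-policy\s+(\S+)\s+(global|interface\s+\S+)\s*$")
    return [(m.group(1), " ".join(m.group(2).split()))
            for m in map(pat.match, config_text.splitlines()) if m]


def lint_mpf(config_text):
    """Return a list of human-readable findings (empty list = clean)."""
    pmaps = parse_policy_maps(config_text)
    bindings = parse_bindings(config_text)
    bound = {name for name, _ in bindings}
    findings = []
    global_maps = [name for name, scope in bindings if scope == "global"]
    if len(global_maps) > 1:
        findings.append("more than one global service policy (%s); the ASA "
                        "allows exactly one, so add the class to the existing "
                        "global policy-map" % ", ".join(global_maps))
    for name, classes in pmaps.items():
        if name not in bound:
            actions = [a for acts in classes.values() for a in acts]
            findings.append("policy-map %s is never bound with service-policy, "
                            "so its actions are not applied: %s"
                            % (name, ", ".join(actions) or "none"))
    ips_applied = any(a.startswith("ips ")
                      for name in bound if name in pmaps
                      for acts in pmaps[name].values() for a in acts)
    if not ips_applied:
        findings.append("no bound policy-map carries an 'ips' action, so no "
                        "traffic reaches the IPS module")
    return findings


# Constructed sample: the poster's running config, inspection list shortened.
BROKEN_CONFIG = """
class-map IPS-CLASS
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
policy-map IPS-POLICY
 class IPS-CLASS
  ips promiscuous fail-open
!
service-policy global_policy global
"""

# What 'service-policy IPS-POLICY global' was trying to create (the ASA
# rejects it, but a config generated offline could still contain it).
DOUBLE_GLOBAL_CONFIG = BROKEN_CONFIG + "service-policy IPS-POLICY global\n"

# The accepted answer: IPS-CLASS lives in global_policy, IPS-POLICY is gone.
FIXED_CONFIG = """
class-map IPS-CLASS
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
 class IPS-CLASS
  ips promiscuous fail-open
!
service-policy global_policy global
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG),
                       ("double-global", DOUBLE_GLOBAL_CONFIG),
                       ("fixed", FIXED_CONFIG)):
        print(label + ":", lint_mpf(cfg) or "clean")
```

Run as a script it prints two findings for the broken config, one for the double-global variant and "clean" for the fixed one. The useful habit it encodes for a change review is to check where an `ips` action actually ends up bound, not merely whether it parses: `show service-policy` on the box answers the same question after the change is applied.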

pdriscoll Wed, 02/06/2008 - 15:09
There is an excellent post titled "How do you tell if an ASA-SSM-20 is actually running and filtering traffic?", posted on this same thread and dated Jan 31 2008, that I found extremely helpful on this subject.
