Config Global policy to use IPS (ASA 5520)

rmaxson2
Level 1

I get an error, "ERROR: Policy map global_policy is already configured as a service policy", when I try to set up the IPS. How do I correct this config?

--------Attempted Config Change-----------------

HO1ASA01# conf t
HO1ASA01(config)# access-list IPS permit ip any any
HO1ASA01(config)# class-map IPS-CLASS
HO1ASA01(config-cmap)# match access-list IPS
HO1ASA01(config-cmap)# policy-map IPS-POLICY
HO1ASA01(config-pmap)# class IPS-CLASS
HO1ASA01(config-pmap-c)# ips promiscuous fail-open
HO1ASA01(config-pmap-c)# service-policy IPS-POLICY global
ERROR: Policy map global_policy is already configured as a service policy
HO1ASA01(config)#

------Running Config------------------

class-map IPS-CLASS
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
policy-map IPS-POLICY
 class IPS-CLASS
  ips promiscuous fail-open
!
service-policy global_policy global


10 Replies

acomiskey
Level 10

Add the new class to the existing global_policy instead of creating a new policy.

class-map IPS-CLASS
 match access-list IPS
policy-map global_policy
 class IPS-CLASS
  ips promiscuous fail-open
service-policy global_policy global

Ok, the config still looks the same, but this time instead of an error I get a warning.

WARNING: Policy map global_policy is already configured as a service policy

class-map IPS-CLASS
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
policy-map IPS-POLICY
 class IPS-CLASS
  ips promiscuous fail-open
!
service-policy global_policy global

The reason you got the warning is because you already had the line "service-policy global_policy global" in the config. You did not have to re-enter it.

You need to get rid of "policy-map IPS-POLICY".

Still not seeing any traffic on the IPS. Besides setting a policy to route all traffic to the IPS, what else needs to be done?

** THIS IS A PRODUCTION BOX ** I can not guess or try anything that might knock it off line.

Here is what it should look like...

policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class IPS-CLASS
  ips promiscuous fail-open
!
service-policy global_policy global

Notice there is no "policy-map IPS-POLICY" command.
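The mistake in this thread is easy to repeat on any ASA: the ASA accepts only one globally applied policy-map, so an "ips" action placed in a second policy-map is silently never bound. The following added example (not from the thread or from Cisco) parses a constructed running-config excerpt and flags any policy-map carrying an ips action that is not the one named in "service-policy ... global"; the function and sample names are assumptions.

```python
import re
# Constructed sample modelled on the thread: IPS-POLICY carries the ips action,
# but only global_policy is bound with "service-policy ... global".
SAMPLE_CONFIG = """\
class-map IPS-CLASS
 match access-list IPS
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
policy-map IPS-POLICY
 class IPS-CLASS
  ips promiscuous fail-open
!
service-policy global_policy global
"""

def parse_policy_maps(config):
    """Return {policy_map: {class_name: [action lines]}} for L3/L4 policy-maps."""
    policies, pmap, cls = {}, None, None
    for line in config.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            # Only "policy-map NAME" opens an L3/L4 policy; any other top-level line closes it.
            m = re.match(r"policy-map (\S+)$", stripped)
            pmap, cls = (m.group(1) if m else None), None
            if pmap:
                policies.setdefault(pmap, {})
        elif pmap and indent == 1 and stripped.startswith("class "):
            cls = stripped.split()[1]
            policies[pmap].setdefault(cls, [])
        elif pmap and cls and indent >= 2:
            policies[pmap][cls].append(stripped)
    return policies

def global_service_policy(config):
    """Name of the single policy-map applied globally, or None."""
    m = re.search(r"^service-policy (\S+) global$", config, re.M)
    return m.group(1) if m else None

def check_ips_placement(config):
    """List policy-maps whose ips action lives outside the global policy."""
    applied = global_service_policy(config)
    problems = []
    for pmap, classes in parse_policy_maps(config).items():
        has_ips = any(a.startswith("ips ") for acts in classes.values() for a in acts)
        if has_ips and pmap != applied:
            problems.append(f"{pmap} has an ips action but {applied} is the global policy")
    return problems
```

Deleting the "policy-map IPS-POLICY" line from the sample moves "class IPS-CLASS" under global_policy, which is exactly the fix described above, and the check then reports nothing.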

Got it, I was test editing the lines on my last config and put the map back in.. :(

Still no traffic..

Do you still have...

class-map IPS-CLASS
 match access-list IPS

This may help...

http://cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml

Will give those a look; they are different from the other "Official Cisco" documents I've been using.

There is an excellent post titled "How do you tell if an ASA-SSM-20 is actually running and filtering traffic?" posted on this same thread, dated Jan 31 2008 that I found extremely helpful on this subject.

Great find! Very helpful; seems Cisco needs better documentation on this device.
