02-06-2008 06:48 AM - edited 03-10-2019 03:58 AM
I get an error, "ERROR: Policy map global_policy is already configured as a service policy", when I try to set up the IPS. How do I correct this config?
--------Attempted Config Change-----------------
HO1ASA01# conf t
HO1ASA01(config)# access-list IPS permit ip any any
HO1ASA01(config)# class-map IPS-CLASS
HO1ASA01(config-cmap)# match access-list IPS
HO1ASA01(config-cmap)# policy-map IPS-POLICY
HO1ASA01(config-pmap)# class IPS-CLASS
HO1ASA01(config-pmap-c)# ips promiscuous fail-open
HO1ASA01(config-pmap-c)# service-policy IPS-POLICY global
ERROR: Policy map global_policy is already configured as a service policy
HO1ASA01(config)#
HO1ASA01(config)#
------Running Config------------------
class-map IPS-CLASS
match access-list IPS
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1024
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
policy-map IPS-POLICY
class IPS-CLASS
ips promiscuous fail-open
!
service-policy global_policy global
02-06-2008 12:13 PM
The reason you got the warning is because you already had the line "service-policy global_policy global" in the config. You did not have to re-enter it.
You need to get rid of "policy-map IPS-POLICY".
02-06-2008 12:18 PM
Here is what it should look like...
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class IPS-CLASS
ips promiscuous fail-open
!
service-policy global_policy global
Notice there is no "policy-map IPS-POLICY" command.
02-06-2008 06:53 AM
Add the new class to the existing global_policy instead of creating a new policy.
class-map IPS-CLASS
match access-list IPS
policy-map global_policy
class IPS-CLASS
ips promiscuous fail-open
service-policy global_policy global
02-06-2008 12:10 PM
OK, the config still looks the same, but this time instead of an error I get a warning.
WARNNING: Policy map global_policy is already configured as a service policy
class-map IPS-CLASS
match access-list IPS
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1024
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
policy-map IPS-POLICY
class IPS-CLASS
ips promiscuous fail-open
!
service-policy global_policy global
02-06-2008 12:20 PM
Still not seeing any traffic on the IPS. Besides setting a policy to route all traffic to the IPS, what else needs to be done?
** THIS IS A PRODUCTION BOX ** I can not guess or try anything that might knock it off line.
02-06-2008 12:27 PM
Got it, I was test editing the lines on my last config and put the map back in.. :(
Still no traffic..
02-06-2008 12:29 PM
Do you still have...
class-map IPS-CLASS
match access-list IPS
This may help...
http://cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
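One way to apply the fix discussed in this thread and then check that the IPS class is really attached and receiving packets. This is an added example, not part of any post above; the hostname is taken from the thread, and the SSM slot number (1) is an assumption.

```cisco
! Added example (not from the thread): corrected MPF config plus the show
! commands used to confirm the IPS class is attached and seeing traffic.
! Hostname copied from the thread; SSM slot number 1 is an assumption.
HO1ASA01# configure terminal
! Remove the stray second policy map; the ASA allows only one global service-policy,
! and it is already taken by global_policy.
HO1ASA01(config)# no policy-map IPS-POLICY
! Attach the IPS class to the policy map that is already applied globally.
HO1ASA01(config)# policy-map global_policy
HO1ASA01(config-pmap)# class IPS-CLASS
HO1ASA01(config-pmap-c)# ips promiscuous fail-open
HO1ASA01(config-pmap-c)# end
! 1. Exactly one service-policy line should be present, naming global_policy.
HO1ASA01# show running-config service-policy
! 2. IPS-CLASS should appear under global_policy, not under a separate policy map.
HO1ASA01# show running-config policy-map
! 3. The SSM must report Up; with fail-open, a module that is down or still
!    booting is bypassed silently and the ips action copies packets nowhere.
HO1ASA01# show module 1 details
! 4. Per-class counters under global_policy: the IPS line for IPS-CLASS should
!    show packet input/output counts climbing on a busy box. Zero counters mean
!    traffic is not matching the class or the module is not receiving it.
HO1ASA01# show service-policy global
```

The two failure modes worth separating are "the class never matches" (counters stay at zero under IPS-CLASS while the inspection_default counters climb) and "the module is not up" (the ASA shows the class matching but the SSM status is not Up). Because fail-open is configured, neither condition interrupts traffic through the firewall, which is why the box can look healthy while the sensor sees nothing.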
02-06-2008 12:55 PM
Will give those a look, they are different from the other "Official Cisco" documents I've been using.
02-06-2008 03:09 PM
There is an excellent post titled "How do you tell if an ASA-SSM-20 is actually running and filtering traffic?" posted on this same thread, dated Jan 31 2008 that I found extremely helpful on this subject.
02-07-2008 06:29 AM
Great find! very helpful, seems Cisco needs better documentation on this device.