IPS ASA configuration

Answered Question
May 16th, 2008

Hi,

I have a question regarding the operation steps of IPS on ASA: while configuring the access list for interesting traffic, do I need to use real or NATed addresses? Precisely, NAT and then access list, or access list and then NAT?

vitripat Fri, 05/16/2008 - 15:32

Hi,

When you apply a service-policy for IPS inspection, either on a specific interface or globally, "ingress" traffic on the interface is sent to the module.

For example, if you apply the policy on the inside interface of the ASA, traffic coming into the ASA on the inside interface, destined for outside/dmz/etc., will be sent to the IPS module before applying NAT rules.

If you apply the policy on the outside interface of the ASA, traffic coming into the ASA on the outside interface, destined for inside/dmz/etc., will be sent to the IPS module before applying un-NAT/NAT rules.

If you apply the policy globally, all traffic coming into the ASA on any of its interfaces will be sent to the IPS module before applying NAT rules.

Hope this clears things for you.

Regards,

Vibhor.

Correct Answer
samuellthomasjr Sun, 05/18/2008 - 12:31

Keep the extended ACL close to the source and use the REAL IP address. NAT occurs within the ASA, so you are dealing with externals.

If you have 6 or 14 external, public IP addresses from your ISP, you can NAT ... otherwise you are stuck with PAT.

For inbound to outside: use the actual, REAL, public IP addresses you have been assigned by your ISP to permit certain traffic inbound. This could be access-list 100 or a named extended access list, such as "inbound-outside".

For inbound to inside interface: use the internal private IP address scheme [192.168.x.x, 172.16.x.x-172.31.255, 10.0.0.0] with the appropriate subnet mask to permit traffic from inside to outside for your users. Most folks open the "permit ip any any" here, but I prefer limiting it to the specific internal, private addresses only. This might be access-list 102 or a named access-list such as "inbound_inside".

Traffic, which is not "permitted", will be implicitly denied.
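Putting both answers together, here is an added ASA configuration example (not posted by anyone in this thread) that follows the ordering vitripat describes: ingress traffic is handed to the IPS module before NAT, so each interface's class-map matches addresses as they appear on that ingress interface. Interface names, the 192.168.1.0/24 inside network and the 203.0.113.10 outside address are constructed placeholders.

```text
! Constructed example, not from this thread. Names and addresses are placeholders.
! Inside hosts are 192.168.1.0/24 and are PATed to the outside address 203.0.113.10.

! Ingress on "inside" reaches the module before NAT, so match the REAL private addresses.
access-list IPS_INSIDE extended permit ip 192.168.1.0 255.255.255.0 any
class-map IPS_INSIDE_CLASS
 match access-list IPS_INSIDE

! Ingress on "outside" reaches the module before un-NAT, so match the PUBLIC address
! as it arrives on the wire, not the 192.168.1.x host that sits behind it.
access-list IPS_OUTSIDE extended permit ip any host 203.0.113.10
class-map IPS_OUTSIDE_CLASS
 match access-list IPS_OUTSIDE

! fail-open keeps traffic flowing if the module goes down; fail-close drops it instead.
policy-map IPS_INSIDE_POLICY
 class IPS_INSIDE_CLASS
  ips inline fail-open
policy-map IPS_OUTSIDE_POLICY
 class IPS_OUTSIDE_CLASS
  ips inline fail-open

! A per-interface service-policy sends only traffic entering that interface to the module.
service-policy IPS_INSIDE_POLICY interface inside
service-policy IPS_OUTSIDE_POLICY interface outside

! Alternatively, one global policy sends ingress traffic from every interface to the module:
! service-policy IPS_GLOBAL_POLICY global
```

Traffic that matches neither class-map is forwarded by the ASA without being inspected, so check the class-map hit counters (show service-policy) to confirm the interesting traffic is actually reaching the module.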
