Traffic from ASA to IPS

Unanswered Question
Aug 14th, 2008

Hello Everyone,

I have configured an ASA5510 to send all traffic to the IPS like below, as the Cisco doc described.

access-list IPS extended permit ip any any
class-map my-ips-class
 match access-list IPS
policy-map my-ips-policy
 class my-ips-class
  ips inline fail-close
service-policy my-ips-policy global

All incoming traffic from outside should go to the IPS. How can I make sure that traffic is going to the IPS?

If I give a command like this:

sh service-policy global

it shows the below:

Global policy:
  Service-policy: my-ips-policy
    Class-map: my-ips-class
      IPS: card status Up, mode inline fail-close
        packet input 12119, packet output 12119, drop 0, reset-drop 0

Then I go to the IPS and enable signature definition number 2004 to deny ICMP echo requests. In actions I chose "deny packet inline", but still I can ping from outside to inside.

Please advise sir what to do.

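A small check that answers the "how can I make sure traffic is going to the IPS" part of the question: take two captures of "show service-policy global" (before and after a test ping from outside), parse the IPS line and its counters, and report whether the card is Up, the mode is inline, the packet input counter moved, and the drop counter moved. This is an added example written for this thread, not Cisco code or anything from the original post; the two sample captures are constructed in the same format as the output quoted above, and treating a rise in the class's "drop" counter as the sign that the sensor denied packets is an assumption stated in the code.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples in the same format as the "sh service-policy global"
# output quoted in the post. Counter values are hypothetical.
SAMPLE_BEFORE = """Global policy:
  Service-policy: my-ips-policy
    Class-map: my-ips-class
      IPS: card status Up, mode inline fail-close
        packet input 12119, packet output 12119, drop 0, reset-drop 0
"""

# Second capture taken after a test ping from outside: input counter rose
# and some packets were dropped (the expected picture when the deny works).
SAMPLE_AFTER = """Global policy:
  Service-policy: my-ips-policy
    Class-map: my-ips-class
      IPS: card status Up, mode inline fail-close
        packet input 12340, packet output 12331, drop 9, reset-drop 0
"""

STATUS_RE = re.compile(r"IPS:\s+card status (\S+),\s+mode (.+?)\s*$", re.M)
COUNTER_RE = re.compile(
    r"packet input (\d+), packet output (\d+), drop (\d+), reset-drop (\d+)"
)


@dataclass
class IpsStatus:
    card_status: str
    mode: str
    packet_input: int
    packet_output: int
    drop: int
    reset_drop: int


def parse_ips_status(output: str) -> Optional[IpsStatus]:
    """Extract the IPS status line and counters; None if no IPS class is present."""
    status = STATUS_RE.search(output)
    counters = COUNTER_RE.search(output)
    if not status or not counters:
        return None
    return IpsStatus(
        status.group(1),
        status.group(2).strip(),
        *(int(value) for value in counters.groups()),
    )


def check_ips_redirection(before: str, after: str) -> List[str]:
    """Compare two captures; an empty list means the IPS path looks healthy."""
    findings: List[str] = []
    b = parse_ips_status(before)
    a = parse_ips_status(after)
    if a is None or b is None:
        return ["no IPS class in the output; is the policy applied with "
                "'service-policy ... global'?"]
    if a.card_status.lower() != "up":
        findings.append(f"IPS card status is {a.card_status}, not Up")
    if not a.mode.startswith("inline"):
        findings.append(f"IPS mode is '{a.mode}'; a deny-packet-inline action "
                        "only takes effect in inline mode")
    if a.packet_input <= b.packet_input:
        findings.append("packet input counter did not increase between captures; "
                        "traffic is not reaching the sensor")
    # Assumption: packets the sensor denies inline show up in this class's
    # drop counter, so an unchanged drop counter during a test that should
    # be denied means the signature did not fire or did not deny.
    if a.drop == b.drop:
        findings.append("drop counter did not change; nothing was denied "
                        "by the sensor during the test")
    return findings


if __name__ == "__main__":
    for finding in check_ips_redirection(SAMPLE_BEFORE, SAMPLE_AFTER) or ["IPS path OK"]:
        print(finding)
```

Paste the two real captures in place of the constructed samples; if the only finding is the unchanged drop counter while packet input is climbing, the ASA side is fine and the problem is on the sensor (signature not enabled, wrong action, or the interface not assigned to the virtual sensor), which is where the answer below points.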
antonyabraham Fri, 08/15/2008 - 06:50

Did you check in the IDM if the signature 2004 is firing? If it is firing, make sure the "Deny packet" option is set correctly.

Trust your virtual sensor vs0 config is completed and the interface Gig0/1 is added to the vs0.

You could also use the "packet display interface Gig 0/1 expression (tcpdump expressions)" on the IPS CLI to see if the sensor is indeed seeing the Echo traffic.

gtuhindhaka Sat, 08/16/2008 - 00:20

Thank you very much, sir. It's now working. I didn't add interface Gig0/1 to vs0.

Thank you.
