
Traffic Inspection with AIP-SSM

jens.becker
Level 1

Hi,

I am trying to send specific traffic (matched with an ACL) to a separate virtual sensor on the AIP-SSM.

When I check the counters of the vs on the module, there is no traffic inspected.

My config looks like the following:

ACL:

access-list ips_dmz permit ip any host x.x.x.x
access-list ips_dmz permit ip host x.x.x.x any

------------------

Class-Map:

class-map ips_dmz
 match access-list ips_dmz
class-map ips_default
 match any

------------------

Policy-Map:

policy-map ips_policy
 class ips_dmz
  ips inline fail-close sensor vs1
 class ips_default
  ips inline fail-open sensor vs0

------------------

Service-Policy:

service-policy ips_policy interface outside
service-policy ips_policy interface inside
service-policy ips_policy interface dmz1

Any ideas?

There is no difference if I use an ACL to mark the traffic or if I specify a TCP or UDP port in the class-map.

The traffic inspection on vs0 runs perfectly.

Regards,

Jens

Accepted Solution

chip.wagner
Level 1

If you look at Cisco's documentation, they actually specify separate service policies rather than grouping your class maps in a single policy, and then apply the individual service policies to the appropriate interfaces. http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_ssm.html#wp1046943 I know I used a similar configuration at my last job, and it worked like a champ.

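The per-interface layout suggested above, as an added example (not configuration from the thread or from Cisco's guide): one policy-map for dmz1 that steers the ACL-matched host to vs1, and a separate policy-map for inside and outside that sends everything to vs0. The host address x.x.x.x and the sensor names vs0/vs1 are taken from the question; the policy-map names are assumptions.

```cisco
! Added example: separate policy-maps applied per interface, assumed names.
! Object of interest: the host x.x.x.x in the DMZ (placeholder from the question).
access-list ips_dmz permit ip any host x.x.x.x
access-list ips_dmz permit ip host x.x.x.x any
!
class-map ips_dmz
 match access-list ips_dmz
class-map ips_default
 match any
!
! Policy for the DMZ interface: the ACL class comes first so DMZ-host
! flows are diverted to vs1 (fail-close); remaining flows go to vs0.
policy-map ips_dmz_policy
 class ips_dmz
  ips inline fail-close sensor vs1
 class ips_default
  ips inline fail-open sensor vs0
!
! Policy for inside and outside: only the catch-all class, all flows to vs0.
policy-map ips_core_policy
 class ips_default
  ips inline fail-open sensor vs0
!
! Each interface gets exactly one service policy.
service-policy ips_dmz_policy interface dmz1
service-policy ips_core_policy interface inside
service-policy ips_core_policy interface outside
!
! Verification on the ASA: the class counters under dmz1 should increment
! for the ips_dmz class once a flow to or from x.x.x.x passes through.
! show service-policy interface dmz1
! On the sensor CLI, compare the per-virtual-sensor packet counts:
! show statistics virtual-sensor
```

Because the ASA picks the IPS action from the ingress interface's policy, a flow that enters on inside and is destined for x.x.x.x is handled by ips_core_policy (vs0) in this layout; keep the ips_dmz class in the inside/outside policy-maps as well if both directions of the host's traffic must reach vs1.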

2 Replies

jbohla
Level 1

You can configure the inspection and protection policy, which determines how to inspect traffic and what to do when an intrusion is detected.

http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/clissm.html

http://www.cisco.com/en/US/docs/security/ips/5.0/command/reference/cmdref.html

