silly doubt about aip-ssm module

Answered Question
May 27th, 2009

When the AIP SSM module is in inline mode, is the packet first scanned by the AIP SSM module, or is it first checked by the firewall rules to see whether it is permitted and only then sent to the AIP SSM module?


Can someone throw some light on this?


Regards,


sushil

Correct Answer by marcabal (Cisco Employee), Wed, 05/27/2009 - 11:16

All firewall rules are applied prior to sending the packets to the SSM.

So if the packet will be dropped by a firewall rule, then the packet will not be sent to the SSM.

If the packet will be modified by a firewall rule, then the modification will be done before being sent to the SSM.


There are only two exceptions, and those are encryption and the ultimate transmission of the packet.

Encryption happens after being sent to the SSM, so the SSM always sees unencrypted traffic (where the ASA is the encryption tunnel end point).

And of course transmission of the packet by the ASA through its external interfaces happens after sending to the SSM.


In the case of promiscuous monitoring by the SSM, the encryption and transmission happen right after a copy is sent to the SSM.


In the case of inline monitoring by the SSM, the encryption and transmission happen only after the SSM has completed its analysis and the packet was not denied by the SSM.



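The processing order in the answer above, written out as a small packet-walk model in Python. This is an added example, not Cisco code and not anything posted in the thread: it only encodes the stage order marcabal describes (firewall rules, then SSM, then encryption, then transmit) so the consequences can be checked. The rule set, the NAT-style rewrite used to stand in for "modified by a firewall rule", the "EVIL" payload signature and the `vpn_egress` flag are all constructed assumptions for the demonstration.

```python
"""Packet-walk model of an ASA with an AIP-SSM (added example, not Cisco code).

Assumed stage order, taken from the answer above:
  1. firewall rules (permit / deny / modify)
  2. SSM inspection (inline waits for the verdict; promiscuous gets a copy)
  3. encryption, if the ASA is the tunnel endpoint for this packet
  4. transmit on the egress interface
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class SsmMode(Enum):
    INLINE = "inline"
    PROMISCUOUS = "promiscuous"


@dataclass
class Packet:
    dst: str
    dport: int
    payload: bytes
    encrypted: bool = False
    trace: List[str] = field(default_factory=list)


@dataclass
class FirewallRule:
    """Constructed rule: predicate, action ("permit"/"deny") and an optional
    rewrite that models a modification (e.g. NAT) done before the SSM sees it."""
    match: Callable[[Packet], bool]
    action: str
    rewrite: Optional[Callable[[Packet], None]] = None


def ssm_verdict(pkt: Packet) -> str:
    """Constructed stand-in for the SSM's signature engine."""
    return "deny" if b"EVIL" in pkt.payload else "permit"


def process(pkt: Packet, rules: List[FirewallRule], mode: SsmMode,
            vpn_egress: bool = False) -> dict:
    """Walk one packet through the stages and report what each stage observed."""
    result: Dict[str, object] = {"ssm_saw": None, "ssm_verdict": None,
                                 "transmitted": False}
    # Stage 1: firewall rules run first; a denied packet never reaches the SSM.
    for rule in rules:
        if rule.match(pkt):
            if rule.action == "deny":
                pkt.trace.append("dropped by firewall rule")
                return result
            if rule.rewrite:
                rule.rewrite(pkt)            # modification precedes SSM inspection
            pkt.trace.append("permitted by firewall rule")
            break
    else:
        pkt.trace.append("dropped by implicit deny")
        return result
    # Stage 2: the SSM sees the post-rule, still-cleartext packet.
    result["ssm_saw"] = {"dst": pkt.dst, "encrypted": pkt.encrypted}
    verdict = ssm_verdict(pkt)
    result["ssm_verdict"] = verdict
    pkt.trace.append(f"ssm {mode.value}: {verdict}")
    if mode is SsmMode.INLINE and verdict == "deny":
        return result                        # inline: denied packet is never encrypted or sent
    # Promiscuous: only a copy went to the SSM, so its verdict does not block this packet.
    # Stage 3: encryption happens after the SSM, so the SSM never saw ciphertext.
    if vpn_egress:
        pkt.encrypted = True
        pkt.trace.append("encrypted")
    # Stage 4: transmit.
    result["transmitted"] = True
    pkt.trace.append("transmitted")
    return result


# Constructed rule set: deny telnet, permit and NAT web, permit https.
RULES = [
    FirewallRule(match=lambda p: p.dport == 23, action="deny"),
    FirewallRule(match=lambda p: p.dport == 80, action="permit",
                 rewrite=lambda p: setattr(p, "dst", "10.0.0.80")),
    FirewallRule(match=lambda p: p.dport == 443, action="permit"),
]


def run_scenarios() -> Dict[str, dict]:
    """Four constructed packets that exercise each ordering consequence."""
    cases = {
        "acl_denied":      (Packet("203.0.113.5", 23, b"EVIL"), SsmMode.INLINE, False),
        "inline_denied":   (Packet("203.0.113.5", 80, b"GET /EVIL"), SsmMode.INLINE, False),
        "promisc_denied":  (Packet("203.0.113.5", 80, b"GET /EVIL"), SsmMode.PROMISCUOUS, False),
        "vpn_clear":       (Packet("203.0.113.5", 443, b"hello"), SsmMode.INLINE, True),
    }
    out = {}
    for name, (pkt, mode, vpn) in cases.items():
        out[name] = {"result": process(pkt, RULES, mode, vpn), "packet": pkt}
    return out


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name:15s} {r['result']}  trace={r['packet'].trace}")
```

Running it shows the four consequences of the ordering: the telnet packet is dropped before the SSM sees anything, the inline web packet reaches the SSM with its already-rewritten destination and is never transmitted once denied, the same packet in promiscuous mode is transmitted regardless of the verdict, and the VPN-bound packet is inspected in cleartext and only encrypted afterwards.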