silly doubt about aip-ssm module

Answered Question
May 27th, 2009

When the AIP-SSM module is in inline mode, is the packet first scanned by the AIP-SSM module, or is it first checked by the firewall rules (whether it is permitted) and then sent to the AIP-SSM module?

Can someone throw some light on this?

regards

sushil

Correct Answer by marcabal, Wed, 05/27/2009 - 11:16

All firewall rules are applied prior to sending the packets to the SSM.

So if the packet will be dropped by a firewall rule, then the packet will not be sent to the SSM.

If the packet will be modified by a firewall rule, then the modification will be done before being sent to the SSM.

There are only two exceptions, and those are encryption and the ultimate transmit of the packet.

Encryption happens after being sent to the SSM, so the SSM always sees unencrypted traffic (where the ASA is the encryption tunnel end point).

And of course transmit of the packet by the ASA through its external interfaces happens after sending to the SSM.

In the case of promiscuous monitoring by the SSM, the encryption and transmit happen right after a copy is sent to the SSM.

In the case of inline monitoring by the SSM, the encryption and transmit happen only after the SSM has completed its analysis and the packet was not denied by the SSM.
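As an added example (not part of marcabal's answer or the original thread), this is the ASA service-policy configuration that hands matched traffic to the AIP-SSM and selects the inline or promiscuous behaviour described above. The access-list and class-map names are placeholders chosen for illustration; the `ips` command keywords are the real ASA ones.

```text
! Added example: select which traffic the ASA diverts to the AIP-SSM.
! Interface ACL drops and any rewrites (e.g. NAT) have already happened
! by the time the packet is handed to the SSM, and encryption happens
! afterwards, so the SSM inspects the permitted, rewritten, plaintext packet.
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
policy-map global_policy
 class IPS_CLASS
  ! Inline: the ASA holds the packet until the SSM returns a verdict and
  ! transmits it only if the SSM did not deny it.
  ips inline fail-open
  !
  ! Promiscuous alternative (only one ips command is allowed per class):
  ! the ASA encrypts/transmits right away and gives the SSM a copy, so the
  ! SSM can alert on this packet but cannot block it.
  ! ips promiscuous fail-open
!
service-policy global_policy global
```

Two practical notes follow from the ordering in the answer. First, because interface ACLs run before the SSM, a `permit ip any any` class only ever matches traffic the firewall has already allowed; narrowing `IPS_TRAFFIC` to the subnets or services you actually want inspected reduces SSM load without weakening the firewall. Second, in inline mode the ASA is waiting on the SSM's verdict before transmitting, so the `fail-open` / `fail-close` keyword decides what happens when the module is down (rebooting, upgrading, or failed): `fail-open` passes the traffic uninspected, `fail-close` drops it. Pick `fail-close` where blocking is the point of running inline and `fail-open` where availability wins.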

