Not getting traffic from ASA to AIP-SSM-20.

Answered Question
Nov 20th, 2009

Hi,

We have a Cisco ASA 5510 and we recently added a Cisco AIP-SSM. We configured the sensor as well as the ASA, but we are not getting any logs in ADM. Please help me with this.

Please find attached the sensor configuration and the version of the IPS module and ASA.

Regards,

Yugandhar. M

Overall Rating: 4.5 (2 ratings)
Correct Answer
Panos Kampanakis Tue, 11/24/2009 - 11:37

On the ASA you need

! Only permit entries select traffic for the class; deny entries exempt it.
access-list aip-acl extended permit ip any any
class-map aip-class
 match access-list aip-acl
policy-map global_policy
 class aip-class
  ips inline fail-open
service-policy global_policy global

so that it will send traffic to the AIP for inspection.

I hope it helps.

PK
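
A check for the pieces the configuration above depends on, as an added example that is not part of the original thread: the class must carry an ips action, the policy-map must be applied by service-policy, and the matched access-list needs a permit entry, because only permit entries select traffic for a class. The function name audit_ips_redirect and the sample configurations are constructed for illustration; the parser assumes plain class-map and policy-map lines without the "type" keyword.

```python
import re

def audit_ips_redirect(config):
    """Return reasons an ASA config would not divert traffic to the AIP-SSM."""
    acl_actions, class_acl, ips_classes, applied = {}, {}, {}, set()
    cmap = pmap = cls = None  # current class-map / policy-map / class sub-mode
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"access-list (\S+) extended (permit|deny) ", line):
            acl_actions.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"class-map (\S+)", line):
            cmap, pmap, cls = m[1], None, None
        elif cmap and (m := re.match(r"match access-list (\S+)", line)):
            class_acl[cmap] = m[1]
        elif m := re.match(r"policy-map (\S+)", line):
            cmap, pmap, cls = None, m[1], None
        elif pmap and (m := re.match(r"class (\S+)", line)):
            cls = m[1]
        elif pmap and cls and re.match(r"ips (inline|promiscuous) ", line):
            ips_classes.setdefault(pmap, []).append(cls)
        elif m := re.match(r"service-policy (\S+) ", line):
            applied.add(m[1])
    findings = []
    if not ips_classes:
        findings.append("no policy-map class carries an 'ips' action")
    for policy, classes in ips_classes.items():
        if policy not in applied:
            findings.append(f"policy-map {policy} is not applied by service-policy")
        for name in classes:
            acl = class_acl.get(name)
            # Only permit entries select traffic for the class; deny entries exempt it.
            if acl and "permit" not in acl_actions.get(acl, []):
                findings.append(f"access-list {acl} has no permit entry; class {name} matches nothing")
    return findings

# Constructed sample configurations (not taken from a real device).
WORKING = """\
access-list aip-acl extended permit ip any any
class-map aip-class
 match access-list aip-acl
policy-map global_policy
 class aip-class
  ips inline fail-open
service-policy global_policy global
"""
EXEMPT_ALL = WORKING.replace("extended permit", "extended deny")
NOT_APPLIED = WORKING.replace("service-policy global_policy global\n", "")
if __name__ == "__main__":
    print([audit_ips_redirect(c) for c in (WORKING, EXEMPT_ALL, NOT_APPLIED)])
```

An empty list means all three pieces are present; it does not confirm that the sensor itself is up or that its virtual sensor is assigned.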

yugandharm Thu, 11/26/2009 - 22:35

Hi PK,

Thanks for your support.

I tried this and it is working fine.

One more problem: I tried to block Yahoo web chat with Signature ID 11212, but it was not blocking Yahoo chat. Please find the attached screenshot also.

Thanks & Regards,

Yugandhar. M

Do you have the IPS configured as inline on the ASA? The configuration posted above does configure it as inline. Try, in the IPS configuration, setting the High risk action to "Deny Attacker Inline", "Log Attacker Packets", and "Produce Alert". The "Request Block Host" action only works with ARC.

If you have configured the IPS as an inline device, the actions used on a packet or connection should be inline actions.

yugandharm Fri, 12/04/2009 - 01:17

Thanks for your solution.

It is working, but after some time the host which is trying to access Yahoo web chat goes to the Blocked Hosts or Denied Attackers list. At that time the local host is not getting internet.

For example, I changed the Yahoo HTTP proxy chat signature ID to High or Medium. I tried to access Yahoo web chat from 192.168.1.234, which is a local IP; then it blocks Yahoo chat as well as the internet, and the host IP goes to the Blocked Hosts or Denied Attackers list.

As per your suggestion, I changed the HIGH risk action as you said, and Medium I changed to log attacker IP.

Please suggest how to fine-tune the IPS.

Regards,

Yugandhar. M
