Sending traffic to the AIP-SSM and Correct ACL Syntax

Unanswered Question
Jan 5th, 2010

Good afternoon,

I've seen ACLs that state "permit" and I've seen ACLs that state "deny" when attempting to define "interesting" traffic or traffic that should be sent to the AIP-SSM when used in a ASA5510. My question is, If I have a deny statement, does the ASA not send the traffic to the AIP-SSM?

The opposite would almost sound obvious. Also, this ACL is used in conjunction with a match statement. If I were using the same ACL applied to an interface I would definitely be denying traffic into or out of that interface. So, I'm a bit confused with some examples I've seen on this forum where the "deny" statement is used to send traffic to the AIP-SSM. It doesn't look like it would; maybe I need to lab it...



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Panos Kampanakis Tue, 01/05/2010 - 15:00

Whatever is not matched in the ACL that is matched for the modules will not be sent to the modules.

For example the deny statements when hit will make this packet exempted from inspection is the SSM.

The ACL that is applied on the interface is different. That ACL is applied first and is allowing or debying traffic.

I would suggest you to avoid using the same ACL on an interface and as the matched ips ACL, but I believe it is more clear now.

I hope it helps.


Luis Heredia Wed, 01/06/2010 - 05:26

PKampana, I'm not sure I understand your comment. It seems that the "Permit" statement would identify the traffic and send it to the AIP-SSM. If we have a "Deny" statement then the traffic is not sent to the AIP-SSM. If this firewall has a "Public/Outside" interface facing the Internet then it would be mandatory to have a "permit IP any any" in order to examine all traffic coming from the Internet and sending it to the AIP-SSM. Do you think that is correct?

Thanks in advance,


Panos Kampanakis Wed, 01/06/2010 - 06:17

You don't need to open yourself to any packet that is traveling on the outside so that it can be sent through the module.

You want your interface ACLs to allow only things necessary and block the rest.

On the outside interface ACL allow only things you want to be able to reach your inside.

Then the matched ACL will say which of these will be sent through the module for inspection. If that match ACL has ip any any then all things that are allowed on the outside and allowed by the firewall policies will be inspected by the module.

Does it make sense now?


Luis Heredia Wed, 01/06/2010 - 06:34

Yes, makes sense. The outside interface ACL, if any, would only allow traffic to certain devices/services in the DMZ/PSS...of those connections that are permitted I may only need to inspect certain types. So, for the ACL that would be used to send traffic to the AIP-SSM I would have a "Permit"statement for the traffic I do want to inspect and the implicit deny all would keep the rest of the traffic away from the AIP-SSM..I see now the need to have separate ACLs for each purpose..interface and policy..

Have a good day!



This Discussion