ASA - Send Traffic to AIP-SSM *AND* Perform Inspections

Unanswered Question
May 16th, 2010

I want to send all traffic to the AIP-SSM in my ASA as well as perform the inspections listed in the global_policy map below. What is the best way to accomplish this? Can I just enter "ips inline fail-open" within the "class inspection_default" section?

policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect pptp
  inspect rsh
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp error
  inspect icmp
  inspect ip-options

Federico Coto F... Sun, 05/16/2010 - 14:55

You want to also apply application inspection to that traffic.

The ASA will apply its firewall policies prior to sending the traffic to the AIP-SSM module. Here, depending on the operation mode of the AIP-SSM, the traffic will actually be sent to the AIP-SSM, or only a copy will be sent to the module.

If you have application inspection enabled globally on the ASA (or applied to an interface), the ASA will apply those rules before contacting the AIP-SSM module.
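As an added illustration (not from either poster), the following ASA CLI fragment sends every flow to the AIP-SSM while leaving the existing inspection_default class untouched. It assumes the poster's global_policy is already applied with "service-policy global_policy global"; the access-list and class-map names are made up for the example. Note that class inspection_default only matches "default-inspection-traffic" (the well-known ports of the inspection engines), so attaching the ips action there would not cover all traffic; a match-any class is needed for that.

```cisco
! Added example configuration (not from the thread).
! 1. A class that matches every packet, so the IPS action
!    is applied to all traffic rather than only inspected ports.
access-list traffic_for_ips extended permit ip any any
class-map ips_class
 match access-list traffic_for_ips
!
! 2. Append the IPS action to the existing global policy.
!    The inspection_default class and its inspect statements
!    stay exactly as they are; a packet can match both classes
!    because inspection and IPS are different feature types,
!    and the ASA runs application inspection before handing the
!    packet to the AIP-SSM regardless of class order.
policy-map global_policy
 class ips_class
  ips inline fail-open
!
! "inline" puts the module in the data path (it can drop);
! "fail-open" lets traffic through if the module is down or fails.
! Use "ips promiscuous fail-open" if only a copy should be sent.
!
! 3. Verify that the policy is attached and the module is receiving
!    packets (look at the "IPS:" lines for the ips_class class).
! show service-policy
```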
