05-18-2010 09:27 AM - edited 03-10-2019 05:00 AM
I have an ASA 5540 with AIP-SSM20. I use Gi0/0 for DMZ1 and Gi0/1 for DMZ2, and I have created two virtual sensors: vs0 and vs1. Could I use a policy-map to force vs0 to protect servers in DMZ1 and vs1 to protect servers in DMZ2?
Thank everyone a lot!
05-18-2010 10:20 AM
Hello,
Yes, you can do that. Just create two ACLs to match the traffic that you want to monitor.
Here is the link to configure the AIP-SSM
http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliSSM.html#wp1033926
Check this out
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml#c4
ciscoasa# configure terminal
ciscoasa(config)# access-list traffic_for_ips deny ip 10.2.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa(config)# access-list traffic_for_ips permit ip any 192.168.1.0 255.255.255.0
ciscoasa(config)# access-list traffic_for_ips deny ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
ciscoasa(config)# access-list traffic_for_ips permit ip 192.168.1.0 255.255.255.0 any
ciscoasa(config)# class-map ips_class_map
ciscoasa(config-cmap)# match access-list traffic_for_ips
ciscoasa(config)# policy-map interface_policy
ciscoasa(config-pmap)# class ips_class_map
ciscoasa(config-pmap-c)# ips inline fail-open
ciscoasa(config)# service-policy interface_policy interface dmz
Apply the service policy on DMZ1 and on DMZ2. Of course the ACLs are going to be different. I think that in the command ciscoasa(config-pmap-c)# ips inline fail-open
you can specify vs0 or vs1; check this with the question-mark key (?). Hope it helps.
05-18-2010 07:22 PM
Thanks for your kind reply!
I still have one thing that is unclear. I created two virtual sensors, but the ASA and AIP-SSM have just one backplane interface, Gi0/1; how can I map one interface to two virtual sensors?
05-19-2010 05:02 AM
Please reference the following link for more specifics on assigning multiple virtual sensors within the ASA:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html
The traffic across the backplane is tagged so that it is accepted by the correct VS once it reaches the AIP-SSM for inspection.
Scott
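Putting the two replies together, here is an added configuration example (not posted by anyone in this thread) of the per-interface steering the original poster asked about. It assumes ASA 8.x MPF syntax, where the `ips` action accepts a `sensor` keyword, interfaces named dmz1 and dmz2, constructed server subnets 10.1.1.0/24 and 10.1.2.0/24, and virtual sensors vs0 and vs1 already created on the AIP-SSM.

```text
! Added example, not from the thread. Assumed nameifs: dmz1, dmz2.
! Constructed subnets: 10.1.1.0/24 (DMZ1 servers), 10.1.2.0/24 (DMZ2 servers).

! --- DMZ1: match traffic to and from the DMZ1 servers, hand it to vs0 ---
access-list dmz1_for_ips extended permit ip any 10.1.1.0 255.255.255.0
access-list dmz1_for_ips extended permit ip 10.1.1.0 255.255.255.0 any
class-map dmz1_ips_class
 match access-list dmz1_for_ips
policy-map dmz1_policy
 class dmz1_ips_class
  ! fail-open passes traffic uninspected if the SSM is down; use fail-close
  ! where availability requirements allow an outage instead of a blind spot
  ips inline fail-open sensor vs0
service-policy dmz1_policy interface dmz1

! --- DMZ2: same pattern, bound to vs1 ---
access-list dmz2_for_ips extended permit ip any 10.1.2.0 255.255.255.0
access-list dmz2_for_ips extended permit ip 10.1.2.0 255.255.255.0 any
class-map dmz2_ips_class
 match access-list dmz2_for_ips
policy-map dmz2_policy
 class dmz2_ips_class
  ips inline fail-open sensor vs1
service-policy dmz2_policy interface dmz2

! Verification: confirm each interface policy names the intended sensor
! and that the packet counters increase as DMZ traffic flows.
show service-policy interface dmz1 ips
show service-policy interface dmz2 ips
```

The single backplane link is not a limitation here: as Scott notes, the ASA tags each diverted packet with the sensor selected in the policy, so one physical path carries flows for both vs0 and vs1.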