AIP SSM and stateful inspection

Unanswered Question

I realize there are a number of threads with this topic already, but I don't see that they answer the question of how to specify that the ASA inspect traffic and also send such traffic to the SSM.  If you try to add an 'ips' command to the inspection_default class you get the following error message:

SSI-STL-B1-DC-ASA-01(config-pmap-c)# ips prom fail-open
ERROR: Only 'inspect' action is allowed for the class with 'match default-inspection-traffic'.

You also get an error if you try to add more than one inspect command to a class that does not have match default-inspection-traffic.

If you add another class after that, with a 'match any' or permit any any ACL, it will be accepted, and some traffic is passed to the IPS, but not the inspected traffic, if I understand policy map matching correctly.  If the order of the classes were reversed, all traffic would be sent to the IPS, but then nothing would be inspected.

The essence of the problem seems to be that a policy map matches exactly one class, and you can't mix inspect and ips statements in one class.

I might be able to do a match-any class, and then include both a match default-inspection-traffic and an 'ip permit any any' statement, but then I think the ASA would inspect all traffic, which I'm sure would have a performance impact.

Maybe this is by design.  Clarification would be appreciated.  Thanks

Panos Kampanakis Thu, 09/09/2010 - 11:27

I can propose 2 workarounds:

- You can inspect under the global policy and pass to the module on an interface policy.

- If the inspections are done on the default inspection class the inspections will happen.

So, in general, inspections under 2 separately created classes (not the default inspection traffic class) in the same policy map will apply only for the first class. But as long as you inspect under the default class you will be fine.

I hope it makes sense.



I've done some digging, and it looks like there's a simple answer:  The actions applied in the policy map are divided into features - inspect is one, IPS, CSC, QOS, etc. are others.  Only one class clause will be applied per feature, but if the actions reference different features, more than one class clause will be applied to the packet overall.  So, if you put inspect statement under one class, and IPS under another, both will be applied (unless inspect causes the packet to be dropped).  That's in line with the examples, but the explanation on how policy maps apply classes doesn't elaborate on this, I found it buried in the discussion on Modular Policy Framework.  Thanks for the reply.
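The per-feature arrangement described in the post above, written out as an added ASA MPF configuration fragment (this is not configuration from the original thread; the class name IPS_TRAFFIC, the ACL name ips_acl and the specific inspect engines are assumed, and promiscuous fail-open is taken from the question):

```cisco
! Inspect feature: stays on the default inspection class, as the ASA requires
class-map inspection_default
 match default-inspection-traffic
!
! IPS feature: a separate class matching everything (class and ACL names are assumed)
access-list ips_acl extended permit ip any any
class-map IPS_TRAFFIC
 match access-list ips_acl
!
! One policy map, two classes: each class carries a different feature, so the
! ASA applies both to a packet that matches both (inspect first; a packet the
! inspection engine drops never reaches the SSM).
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect http
  inspect dns
 class IPS_TRAFFIC
  ips promiscuous fail-open
!
service-policy global_policy global
!
! Verify that both actions are active and counting packets:
! show service-policy global
```

The first workaround in the earlier reply is the same split with the IPS_TRAFFIC class placed in its own policy map and attached with `service-policy <name> interface <ifname>` instead of under global_policy.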

Panos Kampanakis Thu, 09/09/2010 - 12:53


There was a defect in the past where if you have 2 classes matching (not denying, but allowing) the same packet and the ips was second, it wouldn't kick in. That was not the case with the default policy though.
