
ASA 5510 and SSM-10 module

Unanswered Question
Nov 2nd, 2005

I have a couple of questions regarding the ASA that deal with the SSM module.

I have read the document "Configuring ASA-SSM" and am confused by the command logic. I realize that you need to specify a service-policy globally that defines the traffic being sent to the SSM module. My concern is that the configuration document lists as one of its steps to define an ACL for the IPS traffic and then apply it to an interface before configuring the class map, policy map, and service-policy. Why would this ACL need to be applied to an interface when it is being used for defining IPS traffic? Shouldn't the ASA send whatever traffic is defined globally in the service-policy to the SSM without attaching the ACL to an interface?

Also, on the ASA factory default configuration there is a service-policy defined as:

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global

But, if I define a global service-policy for the SSM, I would lose this default service-policy as only one global service policy is allowed. Is the default service-policy providing the fixup protocol services as in the PIX that I am used to seeing? If so, do I lose this functionality by applying a global service-policy for IPS?

Sorry for the length of the post and thanks for your help in advance.
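
An added example (not part of the original post) of IPS redirection placed as a second class inside the existing global_policy, so that the inspection_default class and its inspect lines stay in effect under the single global service-policy. The ACL name IPS, the class name ips_class, the permit ip any any match and the inline fail-open mode are assumptions chosen for illustration; the ACL is referenced only by the class map.

```cisco
! Constructed example. IPS and ips_class are assumed names.
! The ACL only classifies traffic for the class map; a permit entry
! here means "send to the SSM", not "allow through the firewall".
access-list IPS extended permit ip any any
!
class-map ips_class
 match access-list IPS
!
! Enter the existing default policy map and add a second class.
! The class inspection_default block and its inspect lines are not
! re-entered and are left unchanged.
policy-map global_policy
 class ips_class
  ! inline: traffic passes through the SSM before being forwarded
  ! fail-open: traffic keeps flowing if the SSM is unavailable
  ips inline fail-open
!
! Already present in the factory default configuration; one global
! service-policy now carries both the inspection and the IPS class.
service-policy global_policy global
!
! Checks after the change:
!   show running-config policy-map   (both classes listed under global_policy)
!   show service-policy              (per-class counters for inspect and ips)
```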
