ASA - Send Traffic to AIP-SSM *AND* Perform Inspections

terrygwazdosky
Level 1

I want to send all traffic to the AIP-SSM in my ASA as well as perform the inspections listed in the global_policy map below.  What is the best way to accomplish this?  Can I just enter "ips inline fail-open" within the "class inspection_default" section?

policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect pptp
  inspect rsh
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp error
  inspect icmp
  inspect ip-options

3 Replies

Hi,

That's pretty much it.

Do you want to use the IPS in in-line mode or promiscuous mode?

Have you initialized the sensor?

Take a look:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html

Federico.

I did look at that document, but the way in which it sends traffic to the AIP-SSM makes no mention of application inspection so I was unsure of how to perform both on the same traffic.

You want to also apply application inspection to that traffic.

The ASA will apply its firewall policies prior to sending the traffic to the AIP-SSM module. Here, depending on the operation mode of the AIP-SSM, the traffic will actually be sent to the AIP-SSM, or only a copy will be sent to the module.

If you have application inspection enabled globally on the ASA (or applied to an interface), the ASA will apply those rules before contacting the AIP-SSM module.

Federico.
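Putting the replies together, the following is an added example configuration (not from the original post, nor from the Cisco guide linked above) that keeps the poster's global_policy inspections and adds the AIP-SSM redirect in the same policy-map. The class-map name ips_all_traffic and the module slot number 1 are assumptions; the ips, class-map, service-policy and show commands are standard ASA 8.x syntax. One caveat worth checking before answering "yes" to the poster's question: class inspection_default matches default-inspection-traffic, i.e. only the default ports of the inspection engines, so an ips command placed in that class sends only that subset of traffic to the sensor. A separate match any class is what sends all traffic.

```text
! --- Existing default class: matches only the default ports of the
!     inspection engines (TCP/80 for http, TCP/21 for ftp, ...).
class-map inspection_default
 match default-inspection-traffic
!
! --- Added class (assumed name): matches every packet, so the sensor
!     sees all traffic rather than just the inspected protocols.
class-map ips_all_traffic
 match any
!
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect pptp
  inspect rsh
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp error
  inspect icmp
  inspect ip-options
 ! Second class in the same policy-map. Application inspection and the
 ! IPS redirect are different feature types, so a packet matching both
 ! classes gets both: the ASA runs inspection before handing the packet
 ! to the module, regardless of the order the classes are listed.
 class ips_all_traffic
  ! inline       = the packet itself goes through the sensor (can drop)
  ! promiscuous  = only a copy is sent; the sensor cannot block in-path
  ! fail-open    = if the module is down, traffic is still forwarded
  ! fail-close   = if the module is down, matching traffic is dropped
  ips inline fail-open
!
! Apply the policy on all interfaces (already present on most ASAs).
service-policy global_policy global
!
! --- Verification after the sensor has been initialised ---
! show module 1 details      -> Status should read "Up"
! show service-policy        -> per-class counters for "IPS: card status"
!                               and packet input/output for ips_all_traffic
```

For an inline sensor, fail-open is the availability-friendly choice and fail-close the security-friendly one: with fail-open, a module reset or a software upgrade on the sensor silently removes IPS coverage until it comes back, so monitor show module output rather than relying on the data plane to tell you.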
