Cisco Support Community
Community Member

ASA - Send Traffic to AIP-SSM *AND* Perform Inspections

I want to send all traffic to the AIP-SSM in my ASA as well as perform the inspections listed in the global_policy map below.  What is the best way to accomplish this?  Can I just enter "ips inline fail-open" within the "class inspection_default" section?

policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect pptp
  inspect rsh
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp error
  inspect icmp
  inspect ip-options


Re: ASA - Send Traffic to AIP-SSM *AND* Perform Inspections


That's pretty much it.

Do you want to use the IPS in in-line mode or promiscuous mode?

Have you initialized the sensor?

Take a look:


Community Member

Re: ASA - Send Traffic to AIP-SSM *AND* Perform Inspections

I did look at that document, but the way in which it sends traffic to the AIP-SSM makes no mention of application inspection so I was unsure of how to perform both on the same traffic.

Re: ASA - Send Traffic to AIP-SSM *AND* Perform Inspections

You want to also apply application inspection to that traffic.

The ASA will apply its firewall policies prior to sending the traffic to the AIP-SSM module. Here, depending on the operation mode of the AIP-SSM, the traffic will actually be sent to the AIP-SSM or only a copy will be sent to the module.

If you have application inspection enabled globally on the ASA (or applied to an interface), the ASA will apply those rules before contacting the AIP-SSM module.
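A configuration that does both things the thread discusses, added here as an example rather than the original poster's running config or Cisco's own documentation. It assumes the ASA defaults: a class-map `inspection_default` that matches `default-inspection-traffic`, and `global_policy` already attached globally; the class-map name `ips_all_traffic` is chosen for this example. It goes one step beyond the thread: because `inspection_default` only matches the default inspection ports, putting `ips inline fail-open` in that class would send only those flows to the module, so the IPS action is placed in a separate match-any class while the inspects stay where they are.

```cisco
! Added example (not from the original post or Cisco documentation).
! Assumes the ASA defaults: class-map inspection_default matches
! "default-inspection-traffic", and global_policy is already applied
! globally. "ips_all_traffic" is a class-map name chosen here.
!
! A class that matches every flow, so all traffic (not only the
! default-inspection ports) reaches the AIP-SSM.
class-map ips_all_traffic
 match any
!
policy-map global_policy
 ! Application inspection stays in the default class, exactly as in
 ! the original post (remaining inspect lines omitted for brevity).
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect http
  inspect esmtp
  inspect icmp
  inspect ip-options
 ! IPS is a separate feature type from inspection, so one flow can
 ! match inspection_default for the inspect actions and this class
 ! for the ips action. The ASA runs inspection first, then hands the
 ! flow (inline) or a copy of it (promiscuous) to the module.
 class ips_all_traffic
  ! inline    : module sits in the packet path and can drop traffic
  ! fail-open : if the module is down or not yet initialized, traffic
  !             still passes (use fail-close to block it instead)
  ips inline fail-open
!
! Default on the ASA; shown so the whole chain is visible.
service-policy global_policy global
```

Swap `inline` for `promiscuous` if the sensor should only receive a copy of the traffic and alert rather than drop; `fail-open` versus `fail-close` is the availability-versus-coverage decision to make explicitly, since a module that is rebooting or not yet initialized will otherwise silently pass (or silently block) everything matched by the class.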

