05-16-2010 12:55 PM - edited 03-11-2019 10:46 AM
I want to send all traffic to the AIP-SSM in my ASA as well as perform the inspections listed in the global_policy map below. What is the best way to accomplish this? Can I just enter "ips inline fail-open" within the "class inspection_default" section?
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect pptp
  inspect rsh
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp error
  inspect icmp
  inspect ip-options
05-16-2010 01:05 PM
Hi,
That's pretty much it.
Do you want to use the IPS in in-line mode or promiscuous mode?
Have you initialized the sensor?
Take a look:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html
Federico.
05-16-2010 02:09 PM
I did look at that document, but the way in which it sends traffic to the AIP-SSM makes no mention of application inspection so I was unsure of how to perform both on the same traffic.
05-16-2010 02:55 PM
You want to also apply application inspection to that traffic.
The ASA will apply its firewall policies prior to sending the traffic to the AIP-SSM module. Here, depending on the operation mode of the AIP-SSM, the traffic will actually be sent to the AIP-SSM or only a copy will be sent to the module.
If you have application inspection enabled globally on the ASA (or applied to an interface), the ASA will apply those rules before contacting the AIP-SSM module.
Federico.
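For reference, here is a complete ASA 8.2 MPF configuration that combines the inspections from the original post with an `ips` action. This is an added example, not configuration posted by either participant. It assumes an ASA running 8.2 with an AIP-SSM installed and initialized; the class-map name `ips-all-traffic` is a hypothetical name chosen for this example. Note that the built-in `inspection_default` class matches `default-inspection-traffic`, which covers only the default ports of the inspectable protocols, so to send all traffic to the module the `ips` action is placed in a separate class that matches `any`; traffic matching both classes receives both the inspect actions and the IPS action, and the ASA performs application inspection before handing the packet to the module regardless of the order in which the classes appear.

```cisco
! Added example (not from the thread). Assumes ASA 8.2 with an AIP-SSM.
! The class-map name ips-all-traffic is hypothetical.
class-map inspection_default
 match default-inspection-traffic
class-map ips-all-traffic
 match any
!
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect pptp
  inspect rsh
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp error
  inspect icmp
  inspect ip-options
 class ips-all-traffic
  ips inline fail-open
!
service-policy global_policy global
```

`ips inline fail-open` places the module in the forwarding path (it can drop traffic) and lets traffic through if the module fails or is unavailable; `fail-close` blocks traffic in that case, and `ips promiscuous` only sends the module a copy of the traffic so it can alert but not block. After applying the policy, `show module` confirms the module is up and `show service-policy` shows per-class counters, so you can verify that packets are both being inspected and being passed to the module.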