12-17-2007 04:05 PM - edited 03-10-2019 03:54 AM
Hi all,
I need some help regarding a deployment of a IPS module on a ASA. I configured it in transparent mode, with the intention to only monitor the traffic going through the module. Otherwise after aplying the policy and put it in operation, it started blocking SMTP and ICMP traffic. Here follows the configuration applied to it:
class-map outside-class
match any
policy-map outside-policy
class outside-class
ips promiscuous fail-open
!
service-policy outside-policy interface outside
Is there anything else I should consider to put this module just monitoring the traffic instead of having it denying any traffic?
Thanks in Advance
12-18-2007 08:55 AM
You may need to create an access-list permitting all traffic, and then apply the access-list to both interfaces in both directions (in and out).
This will ensure connections can go from the lower security zone to the higher as well as from the higher security zone to the lower.
You may also need to add icmp permit lines to permit icmp traffic through each interface.
12-18-2007 09:15 AM
Thanks Marcabal for your reply. I'll proceed with the changes and let you know about the results.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: