Cisco Support Community
ovt Bronze

ASA -> SSM order of operation

This is about ASA/SSM packet processing. Does the SSM receive post-NAT or pre-NAT packets? When (in the packet-processing path) does the ASA send packets to the SSM?

Documentation is very unclear here: "The security appliance diverts packets to the AIP SSM just before the packet exits the egress interface (or before VPN encryption occurs, if configured) and after other firewall policies are applied."

On the other hand, the same documentation says that IPS is an "ingress feature if the policy-map is applied globally and bidirectional if the policy-map is applied to an interface".

It is important for the ASA to see either pre-NAT (private) IP addresses or post-NAT addresses for *both* the outgoing and incoming traffic. Otherwise it will not be able to build a session table for STREAM signatures. It is important for us to know how it works, because I personally prefer to see pre-NAT (private) addresses (of my internal hosts/servers) in alerts, not the single PAT address.

So, a step-by-step description of packet processing is needed a) for traffic going from the inside to the outside with NAT configured and b) for packets returning from the outside to the inside. And this should be documented both for applying the policy-map globally and for applying it to an interface.

Can anybody, perhaps Cisco, shed some light on this?


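For reference, the two attachment points the question compares, written out as ASA Modular Policy Framework configuration. This is an added illustration, not part of the original post or the Cisco documentation it quotes; the ACL, class-map and policy-map names are assumed, and the `inline fail-open` mode is one choice among the `inline`/`promiscuous` and `fail-open`/`fail-close` options.

```cisco
! Traffic selector: everything the class matches is diverted to the AIP SSM.
! "IPS_TRAFFIC" and "IPS_CLASS" are assumed names.
access-list IPS_TRAFFIC extended permit ip any any
class-map IPS_CLASS
 match access-list IPS_TRAFFIC

! Variant A: policy-map applied globally.
! Per the documentation quoted above, IPS is then applied as an ingress
! feature, so a flow is matched once, on the interface it enters.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
service-policy global_policy global

! Variant B: policy-map applied to a single interface.
! Per the same documentation, IPS is then bidirectional on that interface:
! packets entering and leaving "inside" both match the class.
policy-map INSIDE_POLICY
 class IPS_CLASS
  ips inline fail-open
service-policy INSIDE_POLICY interface inside
```

A global service-policy and an interface service-policy can coexist; the interface policy takes precedence on that interface for matching traffic. Which addresses (pre- or post-NAT) the SSM sees in each variant is exactly the question left open above; the configuration only shows where the divert is attached, not what the packet looks like at that point.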