727 Views | 0 Helpful | 2 Replies

ASA IPS Access List

routercpu (Level 1)

When configuring an ASA for IPS, does the IPS access list need to be the first access list in the configuration?  For example, in our environment, we want to have every packet go through the IPS.  So, if my current configuration is as follows, does the access list for the IPS traffic need to be first in the list of access lists or does it not matter?

Current configuration

access-list acl_out extended permit udp host x.x.x.x host y.y.y.y eq 9996
access-list acl_out extended permit udp host x.x.x.x host y.y.y.y eq 9996
access-list acl_in_out extended deny tcp any4 any4 eq netbios-ssn
access-list acl_in_out extended deny udp any4 any4 eq 139

New Configuration

access-list traffic_for_ips extended permit ip any4 any4  <------------------------IPS access list on top
access-list acl_out extended permit udp host x.x.x.x host y.y.y.y eq 9996
access-list acl_out extended permit udp host x.x.x.x host y.y.y.y eq 9996
access-list acl_in_out extended deny tcp any4 any4 eq netbios-ssn
access-list acl_in_out extended deny udp any4 any4 eq 139

or

access-list acl_out extended permit udp host x.x.x.x host y.y.y.y eq 9996
access-list acl_out extended permit udp host x.x.x.x host y.y.y.y eq 9996
access-list acl_in_out extended deny tcp any4 any4 eq netbios-ssn
access-list acl_in_out extended deny udp any4 any4 eq 139
access-list traffic_for_ips extended permit ip any4 any4  <------------------------IPS access list at bottom

2 Replies

Poonam Garg (Level 3)

It does not matter where this ACL is placed, as according to your IPS ACL any traffic that passes through the ASA must be inspected by the IPS.

Therefore, the to-be-inspected traffic can be anything that passes through the ASA; of course, that traffic must be allowed by your interface ACL, NAT rules and ASA module inspections before passing through the IPS module. See the Cisco ASA order of processing.

HTH

"Please do rate helpful posts"
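To illustrate why the position of traffic_for_ips relative to acl_out and acl_in_out is irrelevant, here is an added Python model (not from the thread and not Cisco code) that groups ASA access-list lines into named ACLs and applies first-match evaluation only within each name. It assumes a simplified ACE grammar (host/any/any4 addresses and an optional eq port, no masks, ranges or object-groups) and uses constructed addresses in place of the post's x.x.x.x / y.y.y.y placeholders.

```python
PORT_NAMES = {"netbios-ssn": 139}   # only the service name the sample config uses

def parse_acls(config):
    """Group 'access-list NAME [extended] ...' lines by name; '<---' notes are dropped."""
    acls = {}
    for raw in config.splitlines():
        parts = raw.split("<")[0].split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        body = parts[3:] if parts[2] == "extended" else parts[2:]
        acls.setdefault(parts[1], []).append(" ".join(body))
    return acls

def parse_ace(ace):
    """Return (action, proto, src, dst, port); any/any4/any6 are all 'any'."""
    tok = ace.split()
    pos = 2
    def addr():
        nonlocal pos
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1]
        pos += 1
        return "any"
    src, dst = addr(), addr()
    port = None
    if pos < len(tok) and tok[pos] == "eq":
        port = PORT_NAMES.get(tok[pos + 1]) or int(tok[pos + 1])
    return tok[0], tok[1], src, dst, port

def first_match(aces, proto, src, dst, dport=None):
    """ASA semantics inside one named ACL: first matching ACE wins, else implicit deny."""
    for ace in aces:
        action, p, s, d, port = parse_ace(ace)
        if (p in ("ip", proto) and s in ("any", src)
                and d in ("any", dst) and port in (None, dport)):
            return action
    return "deny"

# Constructed sample (addresses stand in for the x.x.x.x / y.y.y.y of the post).
IPS_TOP = """access-list traffic_for_ips extended permit ip any4 any4  <--- IPS ACL first
access-list acl_out extended permit udp host 10.0.0.1 host 10.0.0.2 eq 9996
access-list acl_in_out extended deny tcp any4 any4 eq netbios-ssn
access-list acl_in_out extended deny udp any4 any4 eq 139"""
# The same lines with the IPS ACL moved to the bottom.
IPS_BOTTOM = "\n".join(IPS_TOP.splitlines()[1:] + IPS_TOP.splitlines()[:1])

def same_acl_objects(cfg_a, cfg_b):
    """True when both configs define identical per-name ACLs (key order ignored, like the ASA)."""
    return parse_acls(cfg_a) == parse_acls(cfg_b)
```

Running same_acl_objects(IPS_TOP, IPS_BOTTOM) returns True: the ASA sees three separate ACL objects either way, and traffic_for_ips permits everything regardless of where it appears, while acl_in_out still denies TCP/139 on its own first-match pass.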

ahurtadove (Level 1)

Hi routercpu,

The access-list will classify traffic that is later used in a policy-map for inspection, so in the end it won't be tied to any interface.

The config would be something like this:

ciscoasa(config)# access-list traffic_for_ips permit ip any any
ciscoasa(config)# class-map ips_class_map
ciscoasa(config-cmap)# match access-list traffic_for_ips
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class ips_class_map
! ips {inline | promiscuous} {fail-open | fail-close}: inline fail-open is the mode used in the linked guide
ciscoasa(config-pmap-c)# ips inline fail-open
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
! global_policy is normally already applied globally on a default ASA config
ciscoasa(config)# service-policy global_policy global

It's a bit old, but this is the guide I'm referencing:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/71204-traffic-asa-aip-ssm.html#c3

HTH

Antonio