04-20-2014 09:51 AM - edited 03-10-2019 06:11 AM
When configuring an ASA for IPS, does the IPS access list need to be the first access list in the configuration? For example, in our environment, we want to have every packet go through the IPS. So, if my current configuration is as follows, does the access list for the IPS traffic need to be first in the list of access lists or does it not matter?
Current configuration
access-list acl_out extended permit udp host x.x.x.x host y.y.y.y eq 9996
access-list acl_out extended permit udp host x.x.x.x host y.y.y.y eq 9996
access-list acl_in_out extended deny tcp any4 any4 eq netbios-ssn
access-list acl_in_out extended deny udp any4 any4 eq 139
New Configuration
access-list traffic_for_ips extended permit ip any4 any4 <------------------------IPS access list on top
access-list acl_out extended permit udp host x.x.x.x host y.y.y.y eq 9996
access-list acl_out extended permit udp host x.x.x.x host y.y.y.y eq 9996
access-list acl_in_out extended deny tcp any4 any4 eq netbios-ssn
access-list acl_in_out extended deny udp any4 any4 eq 139
or
access-list acl_out extended permit udp host x.x.x.x host y.y.y.y eq 9996
access-list acl_out extended permit udp host x.x.x.x host y.y.y.y eq 9996
access-list acl_in_out extended deny tcp any4 any4 eq netbios-ssn
access-list acl_in_out extended deny udp any4 any4 eq 139
access-list traffic_for_ips extended permit ip any4 any4 <------------------------IPS access list at bottom
04-21-2014 11:32 PM
It does not matter where this ACL is placed, as according to your IPS ACL any traffic that passes through the ASA must be inspected by IPS.
Therefore, to-be-inspected traffic can be anything that passes through the ASA; of course that traffic must be allowed by your interface ACL, NAT rules and ASA module inspections before passing through the IPS module. See Cisco ASA order of processing.
HTH
"Please do rate helpful posts"
05-08-2014 10:13 PM
Hi routercpu,
The access-list will classify traffic that will later be used in a policy-map for inspection. So in the end it won't be tied to any interface.
The config would be something like this:
ciscoasa(config)#access-list traffic_for_ips permit ip any any
ciscoasa(config)#class-map ips_class_map
ciscoasa(config-cmap)#match access-list traffic_for_ips
ciscoasa(config)#policy-map global_policy
It's a bit old but this is the guide that I'm referencing from:
HTH
Antonio
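The full chain from ACL to class-map to policy-map to service-policy, written out as an added example (it is not from the thread above or from Cisco's guide); the ACL and class-map names, the use of the global policy, and the inline/fail-close choice are assumptions you would adapt to your own sensor setup:

```cisco
! Classifier ACL: never applied with access-group, so its position
! among the other access-list lines in the running config is irrelevant.
access-list traffic_for_ips extended permit ip any any
!
! Class-map that references the ACL by name.
class-map ips_class_map
 match access-list traffic_for_ips
!
! Add the IPS action to the existing global policy.
! inline      = module sits in the traffic path and can drop packets
! promiscuous = module sees a copy only, cannot block
! fail-close  = if the module is down, matched traffic is dropped
! fail-open   = if the module is down, matched traffic bypasses the IPS
policy-map global_policy
 class ips_class_map
  ips inline fail-close
!
! Apply globally (all interfaces); already present on most ASAs.
service-policy global_policy global
!
! Verify the class is active and counting packets.
show service-policy global
```

With fail-open, a failed or rebooting module silently stops inspection while traffic keeps flowing, so check the module state after any change; fail-close trades availability for the guarantee that nothing skips the sensor.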