When configuring an ASA for IPS, does the IPS access list need to be the first access list in the configuration? For example, in our environment, we want to have every packet go through the IPS. So, if my current configuration is as follows, does the access list for the IPS traffic need to be first in the list of access lists or does it not matter?
It does not matter where this ACL is placed, as according to your IPS ACL any traffic that passes through the ASA must be inspected by the IPS.
Therefore, to-be-inspected traffic can be anything that passes through the ASA; of course, that traffic must be allowed by your interface ACL, NAT rules and ASA module inspections before passing through the IPS module. See Cisco ASA order of processing.
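The following is an added illustration, not the poster's configuration, of what the answer describes on an ASA with an AIP-SSM module: the interface ACL decides what the firewall permits at all, while the IPS ACL is only consulted by the class-map that names it, so its position among the other access-lists in the running-config has no effect. All names and the 192.0.2.10 address are constructed for this example.

```cisco
! Added example (not from the original post). Assumed: ASA 8.x with an
! AIP-SSM IPS module installed; all object names are constructed.
!
! 1. Interface ACL: this is what the ASA permits through the box.
!    Traffic denied here never reaches NAT, inspection or the IPS.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-group OUTSIDE_IN in interface outside
!
! 2. IPS redirect ACL: matches everything. Whether it appears before or
!    after OUTSIDE_IN in the configuration is irrelevant, because it is
!    never bound to an interface; only the class-map below refers to it.
access-list IPS_TRAFFIC extended permit ip any any
!
! 3. Class-map selects the traffic to hand to the module.
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! 4. Policy-map sends that class to the module inline. fail-open lets
!    traffic through if the module is down; fail-close drops it instead.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
!
! 5. Applying the policy globally covers every interface.
service-policy global_policy global
```

With this in place, a packet is processed in the order the answer gives: interface ACL, then NAT and the ASA's own inspections, and only then the `ips` action on the matching class. Verify the binding with `show service-policy` rather than by reading the order of the `access-list` lines; choose `fail-close` if an unavailable module must not silently bypass inspection.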