New Member

ASA IPS Access List

When configuring an ASA for IPS, does the IPS access list need to be the first access list in the configuration?  For example, in our environment, we want to have every packet go through the IPS.  So, if my current configuration is as follows, does the access list for the IPS traffic need to be first in the list of access lists or does it not matter?

Current configuration

access-list acl_out extended permit udp host x.x.x.x host y.y.y.y eq 9996
access-list acl_out extended permit udp host x.x.x.x host y.y.y.y eq 9996
access-list acl_in_out extended deny tcp any4 any4 eq netbios-ssn
access-list acl_in_out extended deny udp any4 any4 eq 139

New Configuration

access-list traffic_for_ips extended permit ip any4 any4  <------------------------IPS access list on top
access-list acl_out extended permit udp host x.x.x.x host y.y.y.y eq 9996
access-list acl_out extended permit udp host x.x.x.x host y.y.y.y eq 9996
access-list acl_in_out extended deny tcp any4 any4 eq netbios-ssn
access-list acl_in_out extended deny udp any4 any4 eq 139

or

access-list acl_out extended permit udp host x.x.x.x host y.y.y.y eq 9996
access-list acl_out extended permit udp host x.x.x.x host y.y.y.y eq 9996
access-list acl_in_out extended deny tcp any4 any4 eq netbios-ssn
access-list acl_in_out extended deny udp any4 any4 eq 139
access-list traffic_for_ips extended permit ip any4 any4  <------------------------IPS access list at bottom

2 REPLIES
Silver

It does not matter where this ACL is placed, as according to your IPS ACL any traffic that passes through the ASA must be inspected by the IPS.

Therefore, to-be-inspected traffic can be anything that passes through the ASA; of course that traffic must be allowed by your interface ACL, NAT rules and ASA module inspections before passing through the IPS module. See Cisco ASA order of processing.

 

HTH

"Please do rate helpful posts"

New Member

 

 

Hi routercpu

 

The access-list will classify traffic that will later be used in a policy-map for inspection. So in the end it won't be tied to any interface.

 

The config would be something like this:

ciscoasa(config)#access-list traffic_for_ips permit ip any any
ciscoasa(config)#class-map ips_class_map
ciscoasa(config-cmap)#match access-list traffic_for_ips
ciscoasa(config-cmap)#exit
ciscoasa(config)#policy-map global_policy
ciscoasa(config-pmap)#class ips_class_map
ciscoasa(config-pmap-c)#ips inline fail-open
ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy global_policy global

It's a bit old but this is the guide that I'm referencing from:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/71204-traffic-asa-aip-ssm.html#c3

 

HTH

Antonio

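Added example, not from either reply nor from Cisco: a small Python model of what both answers describe. It parses the kind of access-list, class-map and policy-map lines shown in the thread, applies the interface ACL first (first matching ACE wins, implicit deny at the end) and then checks whether a policy-map class carrying an ips action matches the packet. Because the class-map refers to the ACL by name, the position of traffic_for_ips among the other access-list lines cannot change the result. Assumptions: the x.x.x.x / y.y.y.y hosts are replaced with documentation addresses, a trailing permit is added to acl_in_out so that something other than the two denies can match, and NAT and protocol inspections are left out of the model.

```python
# Added example (not from the thread): toy model of ASA interface-ACL and IPS class-map matching.
import ipaddress

PORT_NAMES = {"netbios-ssn": 139}  # ASA port keyword used in the thread

def _addr(t):
    """Consume 'any4' or 'host X'; return (network, remaining tokens)."""
    if t[0] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/32"), t[2:]
    raise ValueError("unsupported address form: %r" % t[0])

def parse_config(text):
    """Return (acls, class_maps, policy_maps) from ASA-style config lines."""
    acls, class_maps, policy_maps = {}, {}, {}
    cmap = pmap = cls = None
    for raw in text.splitlines():
        t = (raw.split("#", 1)[1] if "#" in raw else raw).split()  # drop CLI prompt
        if not t:
            continue
        if t[0] == "access-list":
            name, rest = t[1], (t[3:] if t[2] == "extended" else t[2:])
            action, proto, rest = rest[0], rest[1], rest[2:]
            src, rest = _addr(rest)
            dst, rest = _addr(rest)
            dport = None
            if rest and rest[0] == "eq":
                dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            acls.setdefault(name, []).append((action, proto, src, dst, dport))
        elif t[0] == "class-map":
            cmap = class_maps.setdefault(t[1], [])
        elif t[:2] == ["match", "access-list"]:
            cmap.append(t[2])
        elif t[0] == "policy-map":
            pmap = policy_maps.setdefault(t[1], {})
        elif t[0] == "class":
            cls = pmap.setdefault(t[1], [])
        elif t[0] == "ips":
            cls.append(" ".join(t))
    return acls, class_maps, policy_maps

def ace_matches(ace, pkt):
    action, proto, src, dst, dport = ace
    return (proto in ("ip", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in src
            and ipaddress.ip_address(pkt["dst"]) in dst
            and (dport is None or dport == pkt["dport"]))

def acl_decision(aces, pkt):
    """Inside one ACL the first matching ACE wins; the implicit end is deny."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"

def sent_to_ips(acls, class_maps, policy_maps, pkt):
    """True if a policy-map class with an 'ips' action matches pkt (ACL looked up by name)."""
    for classes in policy_maps.values():
        for cname, actions in classes.items():
            if any(a.startswith("ips") for a in actions):
                for acl in class_maps.get(cname, []):
                    if acl_decision(acls.get(acl, []), pkt) == "permit":
                        return True
    return False

def forward(config_text, pkt, interface_acl):
    """Interface ACL is evaluated before the service policy (NAT and inspections omitted)."""
    acls, class_maps, policy_maps = parse_config(config_text)
    if acl_decision(acls.get(interface_acl, []), pkt) != "permit":
        return "dropped by interface ACL"
    return "sent to IPS" if sent_to_ips(acls, class_maps, policy_maps, pkt) else "forwarded, no IPS"

# Constructed configs for the two orderings asked about (documentation addresses
# replace x.x.x.x/y.y.y.y; the final permit on acl_in_out is an added assumption).
IPS_ACL = "access-list traffic_for_ips extended permit ip any4 any4\n"
OTHER_ACLS = """
access-list acl_out extended permit udp host 192.0.2.10 host 198.51.100.20 eq 9996
access-list acl_in_out extended deny tcp any4 any4 eq netbios-ssn
access-list acl_in_out extended deny udp any4 any4 eq 139
access-list acl_in_out extended permit ip any4 any4
"""
POLICY = """
ciscoasa(config)#class-map ips_class_map
ciscoasa(config-cmap)#match access-list traffic_for_ips
ciscoasa(config)#policy-map global_policy
ciscoasa(config-pmap)#class ips_class_map
ciscoasa(config-pmap-c)#ips inline fail-open
"""
IPS_FIRST, IPS_LAST = IPS_ACL + OTHER_ACLS + POLICY, OTHER_ACLS + IPS_ACL + POLICY
NETFLOW = {"proto": "udp", "src": "192.0.2.10", "dst": "198.51.100.20", "dport": 9996}
SMB = {"proto": "tcp", "src": "192.0.2.10", "dst": "198.51.100.20", "dport": 139}

def demo():
    """Same IPS result for both orderings; ACE order inside acl_in_out still matters."""
    return {"netflow_ips_first": forward(IPS_FIRST, NETFLOW, "acl_in_out"),
            "netflow_ips_last": forward(IPS_LAST, NETFLOW, "acl_in_out"),
            "smb": forward(IPS_LAST, SMB, "acl_in_out")}
```

Running demo() gives "sent to IPS" for the NetFlow packet whether traffic_for_ips is the first or the last access-list line, while the SMB packet is dropped by the deny on acl_in_out before the IPS class is ever consulted: ordering of ACEs inside an interface ACL matters, ordering of ACLs in the configuration does not.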