New Member

ASA with AIP-SSM: Stateful Inspection and IPS Inspection simultaneously

Hello,

What is the best approach in the following case:

The ASA5510 with the AIP-SSM-10 is currently configured with a global policy to inspect traffic on all interfaces:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global

I want to forward all the traffic to the IPS module for inline inspection, but I can't do it for the default-inspection-traffic. I get this error:

ERROR: Only 'inspect' action is allowed for the class with 'match default-inspection-traffic'.

The best that I can do is this, and I don't like it:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class class-default
  ips inline fail-open
!
service-policy global_policy global

Is there a best practice for this scenario? How should I do this?

Thanks!

2 REPLIES
New Member

Re: ASA with AIP-SSM: Stateful Inspection and IPS Inspection simultaneously

Try this:

access-list traffic_for_ips extended permit ip any any
!
class-map ips_class_map
 match access-list traffic_for_ips
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect http
  inspect netbios
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect esmtp
 class ips_class_map
  ips inline fail-open

New Member

Re: ASA with AIP-SSM: Stateful Inspection and IPS Inspection simultaneously

Hogoqo,

Thanks for the reply. Does this config mean that "default-inspection-traffic" will not be sent to the IPS module?

What I initially wanted was to send ALL traffic to the IPS module, and also use stateful inspection for the default-inspection-traffic.

Is this a bad practice (to send all traffic to the IPS module)?

The ASA is configured with 3 interfaces (inside, outside, dmz), with an e-mail server in the DMZ. In the future, there will also be e-commerce servers in the DMZ.

Should I send to the IPS module only traffic that has the destination as one of the DMZ servers?

I am new to IPS, and kind of confused.

Thanks!
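The following is an added example written for this page; it is not configuration posted by either participant. It puts together the approach from the first reply (a separate ACL-based class carrying the ips action next to the unchanged inspection_default class) and the narrower alternative the second reply asks about (only traffic to and from the DMZ servers). The ACL and class-map names, the DMZ subnet 192.0.2.0/24 and the interface names are assumptions; substitute your own. The point it illustrates is the Modular Policy Framework rule that a packet can match one class per feature type, so the same packet receives the inspect actions from inspection_default and the ips action from the second class.

```cisco
! Application-layer (stateful) inspection stays on the default class.
! Only "inspect" actions are accepted under match default-inspection-traffic,
! which is why "ips" cannot be added to this class.
class-map inspection_default
 match default-inspection-traffic
!
! Option A (first reply): send every packet through the AIP-SSM.
access-list traffic_for_ips extended permit ip any any
class-map ips_all
 match access-list traffic_for_ips
!
! Option B (second reply's question): only flows to or from the DMZ servers.
! 192.0.2.0/24 is an assumed DMZ subnet; both directions are listed so that
! return traffic and connections initiated from the DMZ are also covered.
access-list traffic_for_ips_dmz extended permit ip any 192.0.2.0 255.255.255.0
access-list traffic_for_ips_dmz extended permit ip 192.0.2.0 255.255.255.0 any
class-map ips_dmz
 match access-list traffic_for_ips_dmz
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 ! A packet matches at most one class per feature type. IPS is a different
 ! feature type from application inspection, so traffic that matched
 ! inspection_default above is still handed to the module by the class below.
 ! To use option B instead, replace "class ips_all" with "class ips_dmz";
 ! do not list both, because only the first matching class gets the ips action.
 class ips_all
  ips inline fail-open
!
service-policy global_policy global
```

A caveat on the keyword choice: fail-open means that if the AIP-SSM is down, reloading or otherwise unable to inspect, matching traffic is forwarded without IPS inspection; fail-close drops it instead. Pick the one that matches the risk you are willing to accept for the DMZ servers. To confirm that both actions are actually being applied, run show service-policy global and check that the inspection_default class shows inspect counters and the IPS class shows the card status, mode and packet counters incrementing for the same flows.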
