Cisco Support Community

New Member

Config Global policy to use IPS (ASA 5520)

I get an error..ERROR: Policy map global_policy is already configured as a service policy when I try to set up the IPS. How do I correct this config?

--------Attempted Config Change-----------------

HO1ASA01# conf t
HO1ASA01(config)# access-list IPS permit ip any any
HO1ASA01(config)# class-map IPS-CLASS
HO1ASA01(config-cmap)# match access-list IPS
HO1ASA01(config-cmap)# policy-map IPS-POLICY
HO1ASA01(config-pmap)# class IPS-CLASS
HO1ASA01(config-pmap-c)# ips promiscuous fail-open
HO1ASA01(config-pmap-c)# service-policy IPS-POLICY global
ERROR: Policy map global_policy is already configured as a service policy
HO1ASA01(config)#

------Running Config------------------

class-map IPS-CLASS
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
policy-map IPS-POLICY
 class IPS-CLASS
  ips promiscuous fail-open
!
service-policy global_policy global


10 REPLIES
Green

Re: Config Global policy to use IPS (ASA 5520)

Add the new class to the existing global_policy instead of creating a new policy.

class-map IPS-CLASS
 match access-list IPS
policy-map global_policy
 class IPS-CLASS
  ips promiscuous fail-open
service-policy global_policy global

New Member

Re: Config Global policy to use IPS (ASA 5520)

Ok, the config still looks the same, but this time instead of an error I get a warning.

WARNING: Policy map global_policy is already configured as a service policy

class-map IPS-CLASS
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
policy-map IPS-POLICY
 class IPS-CLASS
  ips promiscuous fail-open
!
service-policy global_policy global

Green

Re: Config Global policy to use IPS (ASA 5520)

The reason you got the warning is because you already had the line "service-policy global_policy global" in the config. You did not have to re-enter it.

You need to get rid of "policy-map IPS-POLICY".

New Member

Re: Config Global policy to use IPS (ASA 5520)

Still not seeing any traffic on the IPS. Besides setting a policy to route all traffic to the IPS, what else needs to be done?

** THIS IS A PRODUCTION BOX ** I cannot guess or try anything that might knock it offline.

Green

Re: Config Global policy to use IPS (ASA 5520)

Here is what it should look like...

policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class IPS-CLASS
  ips promiscuous fail-open
!
service-policy global_policy global

Notice there is no "policy-map IPS-POLICY" command.
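The misconfiguration in this thread is an `ips` action sitting in a policy-map (IPS-POLICY) that no `service-policy` command applies, while `global_policy` already occupies the single global slot. The following is an added example, not code from the thread or from Cisco: a small audit script that parses the Modular Policy Framework lines of an ASA running-config and reports IPS classes that no applied service policy reaches. Both sample configs are constructed; BROKEN mirrors the poster's state and FIXED the accepted answer.

```python
"""Audit an ASA running-config for IPS classes that no applied service policy reaches.
Added example, not from the thread; BROKEN mirrors the poster's config, FIXED the answer."""

BROKEN = """\
class-map IPS-CLASS
 match access-list IPS
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
policy-map IPS-POLICY
 class IPS-CLASS
  ips promiscuous fail-open
service-policy global_policy global
"""
FIXED = BROKEN.replace("policy-map IPS-POLICY\n", "")  # class IPS-CLASS now sits under global_policy

def parse_mpf(config):
    """Return ({policy_map: {class: [actions]}}, {policy_map: scope}) from MPF lines."""
    policy_maps, applied, pmap, cls = {}, {}, None, None
    for raw in config.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if indent == 0:
            pmap = cls = None                 # any top-level line ends the current block
            words = line.split()
            # Layer 3/4 policy-map is exactly "policy-map NAME"; skip "policy-map type inspect ..."
            if len(words) == 2 and words[0] == "policy-map":
                pmap = words[1]
                policy_maps.setdefault(pmap, {})
            elif len(words) >= 3 and words[0] == "service-policy":
                applied[words[1]] = words[2]  # scope is "global" or "interface"
        elif pmap and indent == 1 and line.startswith("class "):
            cls = line.split()[1]
            policy_maps[pmap].setdefault(cls, [])
        elif pmap and cls and indent == 2:
            policy_maps[pmap][cls].append(line)
    return policy_maps, applied

def unreachable_ips_classes(config):
    """'policy-map/class' pairs with an ips action that no service-policy applies."""
    policy_maps, applied = parse_mpf(config)
    return sorted(f"{p}/{c}" for p, classes in policy_maps.items() if p not in applied
                  for c, actions in classes.items() if any(a.startswith("ips ") for a in actions))

if __name__ == "__main__":
    print("broken:", unreachable_ips_classes(BROKEN))   # ['IPS-POLICY/IPS-CLASS']
    print("fixed: ", unreachable_ips_classes(FIXED))    # []
```

Feed it the output of `show running-config` to confirm, before touching a production box, that the class carrying the `ips` action is the one under the policy-map named in `service-policy ... global`.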

New Member

Re: Config Global policy to use IPS (ASA 5520)

Got it, I was test editing the lines on my last config and put the map back in.. :(

Still no traffic..

Green

Re: Config Global policy to use IPS (ASA 5520)

Do you still have...

class-map IPS-CLASS
 match access-list IPS

This may help...

http://cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml

New Member

Re: Config Global policy to use IPS (ASA 5520)

Will give those a look; they are different from the other "Official Cisco" documents I've been using.

New Member

Re: Config Global policy to use IPS (ASA 5520)

There is an excellent post titled "How do you tell if an ASA-SSM-20 is actually running and filtering traffic?" posted on this same thread, dated Jan 31 2008 that I found extremely helpful on this subject.

New Member

Re: Config Global policy to use IPS (ASA 5520)

Great find! Very helpful. Seems Cisco needs better documentation on this device.
