Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
ovt Bronze

Diverting traffic going to the specific server to the AIP SSM: bug or featu


Due to limited throughput of the AIP SSM module we would like to only divert specific traffic, destined to our dmz server to it. The server has static configured:

static (dmz,outside) 194.x.y.z

If I apply policy-map to an interface, such as the following:

access-list 100 permit ip any host

class-map IPS

match access-list 100

policy-map IPS

class IPS

ips inline fail-open

service-policy IPS interface dmz

then the SSM sees the following:

- outside->dmz: Src="Attacker", Dst= (Private IP of the Server)

- dmz->outside: Dst="Attacker", Src=194.x.y.z (NATed IP of the Server !!!)

The questions are:

- is this a bug or "feature"?

- what consequencies to the security does it have? For example, this means that SSM module doesn't run TCP normalization code at all... As it cannot build TCP sessions when one half of the session (SYN, for example) has pre-NAT IP and the other (SYN/ACK) - post-NAT IP...

Also, is that correct that divertion of trafic is always done on a per-session basis, not per-packet. I.e. it's ok to not configure second line in the ACL:

access-list 100 permit ip host any

What about connectionless protocols (from the ASA point of view)?

CreatePlease to create content