Diverting traffic going to the specific server to the AIP SSM: bug or featu
Due to the limited throughput of the AIP SSM module we would like to divert to it only specific traffic, destined to our dmz server. The server has a static configured:
static (dmz,outside) 194.x.y.z 172.16.1.2
If I apply policy-map to an interface, such as the following:
access-list 100 permit ip any host 172.16.1.2
match access-list 100
ips inline fail-open
service-policy IPS interface dmz
then the SSM sees the following:
- outside->dmz: Src="Attacker", Dst=172.16.1.2 (Private IP of the Server)
- dmz->outside: Dst="Attacker", Src=194.x.y.z (NATed IP of the Server !!!)
The questions are:
- is this a bug or "feature"?
- what consequences for security does it have? For example, this means that the SSM module doesn't run TCP normalization code at all... As it cannot build TCP sessions when one half of the session (SYN, for example) has the pre-NAT IP and the other (SYN/ACK) the post-NAT IP...
Also, is it correct that diversion of traffic is always done on a per-session basis, not per-packet? I.e. it's ok to not configure the second line in the ACL:
access-list 100 permit ip host 172.16.1.2 any
What about connectionless protocols (from the ASA point of view)?
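An added illustration of the pairing problem raised in the post above (example code, not part of the original post or any Cisco software): a toy flow tracker is fed the three handshake packets exactly as the post says the SSM sees them, first keyed naively and then with the static NAT mapping applied first. The addresses 198.51.100.10 and 203.0.113.5 are constructed stand-ins for 194.x.y.z and the "Attacker".

```python
from collections import defaultdict

SERVER_REAL = "172.16.1.2"       # real (dmz) address, from the post
SERVER_MAPPED = "198.51.100.10"  # constructed stand-in for the post's 194.x.y.z
CLIENT = "203.0.113.5"           # constructed stand-in for "Attacker"

# static (dmz,outside) <mapped> <real>: the translation a NAT-aware sensor needs
STATIC_NAT = {SERVER_MAPPED: SERVER_REAL}

# A TCP handshake as the SSM sees it per the post: (src, sport, dst, dport, flags).
# outside->dmz packets carry the real address, dmz->outside the mapped one.
OBSERVED = [
    (CLIENT, 40000, SERVER_REAL, 80, "SYN"),
    (SERVER_MAPPED, 80, CLIENT, 40000, "SYN/ACK"),
    (CLIENT, 40000, SERVER_REAL, 80, "ACK"),
]

def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of one connection collide."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def track(packets, nat=None):
    """Group packets into flows. With `nat`, rewrite mapped addresses to real
    ones before keying, which is what a NAT-aware normalizer would have to do."""
    nat = nat or {}
    flows = defaultdict(list)
    for src, sport, dst, dport, flags in packets:
        src, dst = nat.get(src, src), nat.get(dst, dst)
        flows[flow_key(src, sport, dst, dport)].append(flags)
    return dict(flows)

def complete_handshakes(flows):
    """Count flows in which SYN, SYN/ACK and ACK were all seen."""
    return sum(1 for f in flows.values() if {"SYN", "SYN/ACK", "ACK"} <= set(f))

if __name__ == "__main__":
    naive, aware = track(OBSERVED), track(OBSERVED, STATIC_NAT)
    # naive keying splits the handshake into two half-flows, neither complete
    print(len(naive), "flows, complete handshakes:", complete_handshakes(naive))
    # applying the static mapping first reunites them into one complete session
    print(len(aware), "flows, complete handshakes:", complete_handshakes(aware))
```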