Community Member

Diverting Traffic to AIP-SSM

I'm a little on the new end of all of this so bear with me. I hope I'm in the right forum.

I have an ASA 5510 with an AIP-SSM-10 card that I am configuring for a customer. Everything is up and running except for the diversion of traffic to the AIP. I know that I need an access list to do that but I want to EXCLUDE VPN traffic when I divert. In other words, I want the AIP to inspect everything except IPsec. I'm having trouble understanding how to use an access list for everything except VPN traffic. Any help would be greatly appreciated.

Thanks

Brad

2 REPLIES
Silver

Re: Diverting Traffic to AIP-SSM

Brad -

The access list is quite easy. First, you would put your exceptions using deny statements. Next, you would make permits for the traffic you want inspected. Here is an example:

access-list AIP extended deny ip 172.16.1.0 255.255.255.0 any
access-list AIP extended deny ip any 172.16.1.0 255.255.255.0
access-list AIP extended permit ip any any

In this example, the VPN traffic is the 172.16.1.0/245 network. This can be a local range or the ip pool's range.

Please rate helpful posts.

Jay
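As an added check that is not part of the thread, the Python below models how the ASA walks a match ACL like the one above: first match wins, a deny ACE only exempts the flow from the class (the packet is not dropped, it just bypasses the AIP-SSM), and anything not matched is excluded by the implicit deny. The ACL lines are a constructed copy of the ones posted; the helper names are this example's own.

```python
import ipaddress

# Constructed copy of the ACL posted in the reply above.
ACL_AIP = [
    "access-list AIP extended deny ip 172.16.1.0 255.255.255.0 any",
    "access-list AIP extended deny ip any 172.16.1.0 255.255.255.0",
    "access-list AIP extended permit ip any any",
]


def _take_addr(tokens):
    """Consume 'any' or 'addr netmask' (ASA uses real netmasks, not wildcards)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME extended {permit|deny} ip SRC DST'.

    Only the 'ip' protocol form used in the thread is handled (example helper)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] != "extended" or tokens[4] != "ip":
        raise ValueError(f"unsupported ACE for this example: {line}")
    action = tokens[3]
    src, rest = _take_addr(tokens[5:])
    dst, _ = _take_addr(rest)
    return action, src, dst


def is_diverted(acl, src_ip, dst_ip):
    """True if the flow would be sent to the AIP-SSM by this match ACL.

    ASA semantics: first matching ACE decides. 'permit' => in the class
    (inspected); 'deny' => excluded from the class, NOT dropped.
    No match => implicit deny => not diverted."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for line in acl:
        action, src_net, dst_net = parse_ace(line)
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def diverted_flows(acl, flows):
    """Evaluate a list of (src, dst) pairs; returns {(src, dst): diverted?}."""
    return {(s, d): is_diverted(acl, s, d) for s, d in flows}
```

Swapping the permit line to the top would divert everything, including the VPN range, which is why the exceptions must come first.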

Community Member

Re: Diverting Traffic to AIP-SSM

Jay,

Thanks for your timely response. I was probably overlooking the obvious but also I was afraid that that would block the traffic altogether. I am testing it now but I think this should be exactly what I needed. Again, I thank you for your help.

Brad
