Cisco Support Community

New Member

IPS ASA configuration

Hi,

I have a question regarding operation steps on IPS on ASA - while configuring an access list for interesting traffic, do I need to use real or NATed addresses? Precisely, NAT and then access list, or access list and then NAT?

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: IPS ASA configuration

Keep the extended ACL close to the source and use the REAL IP address. NAT occurs within the ASA, so you are dealing with externals.

If you have 6 or 14 external, public IP addresses from your ISP, you can NAT ... otherwise you are stuck with PAT.

For inbound to outside: use the actual, REAL, public IP addresses you have been assigned by your ISP to permit certain traffic inbound. This could be access-list 100 or a named extended access list, such as "inbound-outside".

For inbound to inside interface: use the internal private IP address scheme [192.168.x.x, 172.16.x.x-172.31.255, 10.0.0.0] with appropriate subnet mask to permit traffic from inside to outside for your users. Most folks open the "permit ip any any" here, but I prefer limiting to the specific internal, private addresses only. This might be access-list 102 or a named access-list such as "inbound_inside".

Traffic, which is not "permitted", will be implicitly denied.

3 REPLIES
Silver

Re: IPS ASA configuration

Hi,

When you apply service-policy for IPS inspection, either on a specific interface/globally, "ingress" traffic on the interface is sent to the module.

For example, if you apply the policy on the inside interface of ASA, traffic coming into ASA on the inside interface, destined for outside/dmz/etc, will be sent to IPS module, before applying nat rules.

If you apply the policy on the outside interface of ASA, traffic coming into ASA on the outside interface, destined for inside/dmz/etc, will be sent to IPS module, before applying un-nat/nat rules.

If you apply the policy globally, all traffic coming into ASA on its interfaces will be sent to IPS module, before applying nat rules.

Hope this clears things for you.

Regards,

Vibhor.
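An added configuration example (not posted by either participant) showing the point made above: because ingress traffic is handed to the IPS module before NAT, the ACL that selects interesting traffic on the inside interface matches the REAL (pre-NAT) internal addresses. The names IPS_TRAFFIC, IPS_CLASS, IPS_POLICY and the 192.168.10.0/24 inside subnet are assumed placeholders.

```cisco
! ACL selecting interesting traffic: real inside addresses, not the
! public address they will be translated to on the way out.
! Scope it to the subnets you actually want inspected rather than
! "permit ip any any", so the module is not fed unneeded traffic.
access-list IPS_TRAFFIC extended permit ip 192.168.10.0 255.255.255.0 any

! Class map ties the ACL to the inspection policy.
class-map IPS_CLASS
 match access-list IPS_TRAFFIC

! Policy map sends matched flows to the IPS module inline.
! fail-open keeps traffic flowing if the module is down; use
! fail-close if blocking traffic during a module outage is preferred.
policy-map IPS_POLICY
 class IPS_CLASS
  ips inline fail-open

! Apply on the inside interface: ingress traffic from inside users is
! inspected before NAT, so the ACL above sees their private addresses.
! (Applying with "global" instead inspects ingress on every interface.)
service-policy IPS_POLICY interface inside
```

Verify with "show service-policy interface inside" that packets are counted under the IPS class; a zero count usually means the ACL was written with translated rather than real addresses.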

New Member

Re: IPS ASA configuration

Great answer. Thanks
