We upgraded all our ASAs last weekend to 8.2.3. The IPS modules were left on the version of code they were using when the ASAs were on 220.127.116.11.
Since the upgrade, I am seeing something on the IPS sensors that doesn't make sense. When looking at the real-time monitor, I am only seeing internal traffic addresses showing up in the attacker column and outside IP addresses showing up in the victim column in IPS ME.
Here are the config lines from the ASA as they concern the IPS module:
access-list ips extended permit ip any any
class-map ips
 match access-list ips
policy-map global_policy
 class ips
  ips inline fail-open sensor vs0
As I understand it, what traffic the IPS sensor sees is controlled at the ASA, not at the IPS module.
The ASA is operating normally and I can see the traffic I would expect on the inside and outside interfaces. I am starting to suspect a bug in the new ASA code but wanted to see if anyone else had seen this before I called TAC.
You are correct that the configured policy map controls the traffic that is diverted to the AIP-SSM for inspection.
I've not encountered the behavior you are describing. What version of software is present on the AIP-SSM?
What is the most common signature event that is firing (possibly 3030/0)? It is possible that you have internal traffic that is frequently matching on a signature and this will cause those addresses to be listed as the attackers.
From the CLI of the AIP-SSM, if you issue the following command, do you see traffic sourced from both internal and external hosts:
packet display gigabitethernet0/1
You can terminate this output by issuing ctrl-c. If this output does include traffic sourced from both internal and external hosts, the ASA is sending the traffic as expected. It will be necessary at this point to dig further into the firing events on the AIP-SSM to verify expected output.
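As an added illustration of the check described above (not code from the original thread), the following script classifies the source hosts in captured sensor output by inside/outside prefix and reports whether traffic sourced from both sides is present. The sample lines are constructed in tcpdump style and the inside prefixes are assumed; the real `packet display` output format and your inside networks may differ.

```python
import ipaddress
import re

# Constructed, tcpdump-style sample lines standing in for what the
# sensor's "packet display" command prints (format is an assumption).
SAMPLE_OUTPUT = """\
10:01:02.123456 IP 10.1.1.25.51234 > 203.0.113.10.443: Flags [S], seq 1, length 0
10:01:02.124000 IP 203.0.113.10.443 > 10.1.1.25.51234: Flags [S.], seq 2, ack 2, length 0
10:01:03.000000 IP 198.51.100.7.3389 > 10.1.1.40.3389: Flags [S], seq 3, length 0
10:01:04.000000 IP 10.1.1.40.49152 > 10.1.1.41.445: Flags [S], seq 4, length 0
"""

# Constructed capture in which only inside hosts ever appear as the source.
INSIDE_ONLY_OUTPUT = """\
10:02:00.000000 IP 10.1.1.25.51235 > 203.0.113.10.443: Flags [S], seq 5, length 0
10:02:01.000000 IP 10.1.1.40.49153 > 198.51.100.7.80: Flags [S], seq 6, length 0
"""

# Assumed inside address space; replace with the networks behind your ASA.
INSIDE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Matches "IP <src>.<port> > <dst>.<port>:" in a tcpdump-style line.
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:")


def is_inside(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INSIDE_NETS)


def summarize_sources(output: str) -> dict:
    """Count packets whose source host is inside vs. outside."""
    counts = {"inside": 0, "outside": 0}
    for line in output.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # skip lines that are not packet records
        src = ipaddress.ip_address(match.group(1))
        counts["inside" if is_inside(src) else "outside"] += 1
    return counts


def both_directions_seen(output: str) -> bool:
    """True when the ASA is diverting traffic sourced from both sides."""
    counts = summarize_sources(output)
    return counts["inside"] > 0 and counts["outside"] > 0
```

If only inside-sourced packets show up, the policy map or the traffic path to the sensor is the place to look; if both sides appear, the attacker/victim columns are a question of which signatures are firing.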
Thanks for the command. I can see two-way traffic. That confirms what I am seeing in IPS ME. I have 5 IPS sensors I am watching. They are running 6.2.2.E4. I have a test sensor in the lab that is on 7.0.2.E4. I am considering moving to 7.x but our local Cisco office has advised me to wait for the time being (that conversation was a while back; I haven't seen a reason to move from the 6.2 train to 7.x).
I normally don't go more than a day without getting an alert about a signature firing. It has been quiet for a while now. That change in behavior occurred around the same time as the upgrade of the ASA to 8.2.3. It may be purely coincidental. Just trying to err on the side of caution. Maybe I finally have it tuned to an optimal level.
It does sound like it may have been coincidental, but should you have concern over the behavior in the future, just let us know.
As for reasons to upgrade from 6.2 to 7.0 IPS software, the addition of global correlation allows additional defensive mechanisms for protecting your network. You can find out more about global correlation here: