New Member

not getting traffic from ASA to AIP-SSM-20.

Hi,

We have a Cisco ASA 5510 and we recently added a Cisco AIP-SSM. We configured the sensor as well as the ASA, but we are not getting any logs in ADM. Please help me with this.

Please find attached the sensor configuration and the versions of the IPS module and the ASA.

Regards,

Yugandhar. M

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: not getting traffic from ASA to AIP-SSM-20.

On the ASA you need

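! permit entries select traffic for the class; deny entries exempt it
access-list aip-acl extended permit ip any any
class-map aip-class
 match access-list aip-acl
policy-map global_policy
 class aip-class
  ! inspect matched traffic inline; pass it uninspected if the module is down
  ips inline fail-open
service-policy global_policy global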

so that it will send traffic to the AIP for inspection.

I hope it helps.

PK
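
An added example, not part of the thread and not Cisco tooling: a Python check over a saved running-config that the redirection chain from the answer above (ACL, class-map, policy-map with an `ips` action, service-policy) is complete. It covers only the ACL-based class-map form used in this thread, the function name and sample configs are constructed, and it relies on the ASA rule that permit entries in the matched ACL select traffic for the class while deny entries exempt it.

```python
def check_ips_redirect(config):
    """Return problems that stop an ASA from sending traffic to the IPS module."""
    acls, class_acl, policy_ips, applied = {}, {}, {}, set()
    ctx = None  # ("cmap", name) or ("pmap", policy, current class)
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):
            continue
        if w[0] == "access-list" and len(w) > 3 and w[2] == "extended":
            acls.setdefault(w[1], []).append(w[3])  # record permit/deny per ACL
        elif w[0] == "class-map":
            ctx = ("cmap", w[-1])
        elif w[0] == "policy-map":
            ctx = ("pmap", w[-1], None)
        elif w[0] == "service-policy":
            applied.add(w[1])
        elif ctx and ctx[0] == "cmap" and w[:2] == ["match", "access-list"]:
            class_acl[ctx[1]] = w[2]
        elif ctx and ctx[0] == "pmap" and w[0] == "class":
            ctx = ("pmap", ctx[1], w[1])
        elif ctx and ctx[0] == "pmap" and ctx[2] and w[0] == "ips":
            policy_ips.setdefault(ctx[1], []).append(ctx[2])
    problems = []
    active = [p for p in policy_ips if p in applied]
    if not policy_ips:
        problems.append("no policy-map class has an 'ips' action")
    elif not active:
        problems.append("policy-map with an 'ips' action is not applied by a service-policy")
    for pol in active:
        for cls in policy_ips[pol]:
            acl = class_acl.get(cls)
            if acl is None:
                problems.append(f"class {cls}: no 'match access-list' found (other match types not checked)")
            elif "permit" not in acls.get(acl, []):
                problems.append(f"class {cls}: ACL {acl} has no permit entry, so no traffic is selected")
    return problems
# Constructed sample configs; names follow the thread's example.
BODY = """class-map aip-class
 match access-list aip-acl
policy-map global_policy
 class aip-class
  ips inline fail-open
"""
APPLY = "service-policy global_policy global\n"
PERMIT = "access-list aip-acl extended permit ip any any\n" + BODY + APPLY
DENY_ONLY = "access-list aip-acl extended deny ip any any\n" + BODY + APPLY
UNAPPLIED = "access-list aip-acl extended permit ip any any\n" + BODY
if __name__ == "__main__":
    for c in (PERMIT, DENY_ONLY, UNAPPLIED): print(check_ips_redirect(c))
```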

5 REPLIES
New Member

Re: not getting traffic from ASA to AIP-SSM-20.

Did you configure your ASA to send traffic to the sensor? You probably need to set up a service-policy on the ASA to send traffic to the AIP module.

New Member

Re: not getting traffic from ASA to AIP-SSM-20.

Hi PK,

Thanks for your support.

I tried this and it is working fine.

One more problem: I tried to block Yahoo web chat with Signature ID 11212, but it was not blocking Yahoo chat. Please find the attached screenshot also.

Thanks & Regards,

Yugandhar. M

New Member

Re: not getting traffic from ASA to AIP-SSM-20.

Do you have the IPS configured as inline on the ASA? The configuration posted above does configure it as inline. Try in the IPS configuration setting the High risk action to "Deny Attacker Inline", "Log Attacker Packets", and "Product Alerts". The "Request Block Host" action only works with ARC.

If you have configured the IPS as an inline device, the actions used on packet or connection should be inline actions.

New Member

Re: not getting traffic from ASA to AIP-SSM-20.

Thanks for your solution.

It is working, but after some time the host which is trying to access Yahoo web chat goes to the blocked hosts or denied attackers list. At that time the local host is not getting internet.

For example, I changed the Yahoo HTTP proxy chat signature ID to High or Medium. I tried to access Yahoo web chat from 192.168.1.234, which is a local IP; then it blocks Yahoo chat as well as the internet, and the host IP goes to the blocked hosts or denied attackers list.

As per your suggestion, I changed the High risk action as you said, and for Medium I changed it to log attacker IP.

Please suggest how to fine-tune the IPS.

Regards,

Yugandhar. M
