Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
782
Views
0
Helpful
4
Replies

Sending traffic to the AIP-SSM and Correct ACL Syntax

Luis Heredia
Level 1
Level 1

‎01-05-2010 01:04 PM - edited ‎03-10-2019 04:51 AM

Good afternoon,

I've seen ACLs that state "permit" and I've seen ACLs that state "deny" when attempting to define "interesting" traffic or traffic that should be sent to the AIP-SSM when used in a ASA5510. My question is, If I have a deny statement, does the ASA not send the traffic to the AIP-SSM?

The opposite would almost sound obvious. Also, this ACL is used in conjunction with a match statement. If I were using the same ACL applied to an interface I would definitely be denying traffic into or out of that interface. So, I'm a bit confused with some examples I've seen on this forum where the "deny" statement is used to send traffic to the AIP-SSM. It doesn't look like it would; maybe I need to lab it...

Thanks,

Luis

Labels:
0 Helpful
4 Replies 4

Panos Kampanakis
Cisco Employee
Cisco Employee

‎01-05-2010 03:00 PM

Whatever is not matched in the ACL that is matched for the modules will not be sent to the modules.

For example the deny statements when hit will make this packet exempted from inspection is the SSM.

The ACL that is applied on the interface is different. That ACL is applied first and is allowing or debying traffic.

I would suggest you to avoid using the same ACL on an interface and as the matched ips ACL, but I believe it is more clear now.

I hope it helps.

PK

0 Helpful

Luis Heredia
Level 1
Level 1
In response to Panos Kampanakis

‎01-06-2010 05:26 AM

PKampana, I'm not sure I understand your comment. It seems that the "Permit" statement would identify the traffic and send it to the AIP-SSM. If we have a "Deny" statement then the traffic is not sent to the AIP-SSM. If this firewall has a "Public/Outside" interface facing the Internet then it would be mandatory to have a "permit IP any any" in order to examine all traffic coming from the Internet and sending it to the AIP-SSM. Do you think that is correct?

Thanks in advance,

Luis

0 Helpful

Panos Kampanakis
Cisco Employee
Cisco Employee
In response to Luis Heredia

‎01-06-2010 06:17 AM

You don't need to open yourself to any packet that is traveling on the outside so that it can be sent through the module.

You want your interface ACLs to allow only things necessary and block the rest.

On the outside interface ACL allow only things you want to be able to reach your inside.

Then the matched ACL will say which of these will be sent through the module for inspection. If that match ACL has ip any any then all things that are allowed on the outside and allowed by the firewall policies will be inspected by the module.

Does it make sense now?

PK

0 Helpful

Luis Heredia
Level 1
Level 1
In response to Luis Heredia

‎01-06-2010 06:34 AM

Yes, makes sense. The outside interface ACL, if any, would only allow traffic to certain devices/services in the DMZ/PSS...of those connections that are permitted I may only need to inspect certain types. So, for the ACL that would be used to send traffic to the AIP-SSM I would have a "Permit"statement for the traffic I do want to inspect and the implicit deny all would keep the rest of the traffic away from the AIP-SSM..I see now the need to have separate ACLs for each purpose..interface and policy..

Have a good day!

Luis

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card