Cisco Support Community
Community Member

Sending traffic to the AIP-SSM and Correct ACL Syntax

Good afternoon,

I've seen ACLs that state "permit" and I've seen ACLs that state "deny" when attempting to define "interesting" traffic, or traffic that should be sent to the AIP-SSM when used in an ASA5510. My question is: if I have a deny statement, does the ASA not send the traffic to the AIP-SSM?

The opposite would almost sound obvious. Also, this ACL is used in conjunction with a match statement. If I were using the same ACL applied to an interface, I would definitely be denying traffic into or out of that interface. So I'm a bit confused with some examples I've seen on this forum where the "deny" statement is used to send traffic to the AIP-SSM. It doesn't look like it would; maybe I need to lab it...

Thanks,

Luis

4 REPLIES
Cisco Employee

Re: Sending traffic to the AIP-SSM and Correct ACL Syntax

Whatever is not matched in the ACL that is matched for the modules will not be sent to the modules.

For example, the deny statements, when hit, will make this packet exempted from inspection in the SSM.

The ACL that is applied on the interface is different. That ACL is applied first and is allowing or denying traffic.

I would suggest you avoid using the same ACL on an interface and as the matched IPS ACL, but I believe it is more clear now.

I hope it helps.

PK

Community Member

Re: Sending traffic to the AIP-SSM and Correct ACL Syntax

PKampana, I'm not sure I understand your comment. It seems that the "Permit" statement would identify the traffic and send it to the AIP-SSM. If we have a "Deny" statement, then the traffic is not sent to the AIP-SSM. If this firewall has a "Public/Outside" interface facing the Internet, then it would be mandatory to have a "permit ip any any" in order to examine all traffic coming from the Internet and send it to the AIP-SSM. Do you think that is correct?

Thanks in advance,

Luis

Cisco Employee

Re: Sending traffic to the AIP-SSM and Correct ACL Syntax

You don't need to open yourself to any packet that is traveling on the outside so that it can be sent through the module.

You want your interface ACLs to allow only things necessary and block the rest.

On the outside interface ACL allow only things you want to be able to reach your inside.

Then the matched ACL will say which of these will be sent through the module for inspection. If that match ACL has "ip any any", then all things that are allowed on the outside and allowed by the firewall policies will be inspected by the module.

Does it make sense now?

PK

Community Member

Re: Sending traffic to the AIP-SSM and Correct ACL Syntax

Yes, makes sense. The outside interface ACL, if any, would only allow traffic to certain devices/services in the DMZ/PSS. Of those connections that are permitted, I may only need to inspect certain types. So, for the ACL that would be used to send traffic to the AIP-SSM, I would have a "Permit" statement for the traffic I do want to inspect, and the implicit deny all would keep the rest of the traffic away from the AIP-SSM. I see now the need to have separate ACLs for each purpose: interface and policy.

Have a good day!

Luis
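The two-ACL arrangement the thread converges on, written out as an ASA configuration. This is an added example, not configuration posted by either participant; the interface name "outside", the ACL and class-map names, and the 192.0.2.x addresses (RFC 5737 documentation range) are assumptions chosen for illustration. It uses the ASA `ips` policy-map action for the AIP-SSM; "fail-close" is the conservative choice (traffic is dropped if the module is down) and is the editor's preference, not something the thread specifies.

```cisco
! --- 1. Interface ACL: enforced first, decides what the firewall lets in at all.
!        Anything not permitted here is dropped and never reaches the module.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 80
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.20 eq 25
access-group OUTSIDE_IN in interface outside

! --- 2. Match ACL for the AIP-SSM: a separate ACL with a different job.
!        "permit" here means "send to the module"; "deny" means "skip
!        inspection", NOT "drop". The packet was already allowed by OUTSIDE_IN.
!        Order matters: the explicit deny for SMTP must precede the broad permit.
access-list IPS_MATCH extended deny tcp any host 192.0.2.20 eq 25
access-list IPS_MATCH extended permit ip any host 192.0.2.10
! Implicit deny at the end: everything else the firewall permits bypasses the SSM.

! --- 3. Tie the match ACL to the module through the MPF (class-map / policy-map).
class-map IPS_CLASS
 match access-list IPS_MATCH

policy-map global_policy
 class IPS_CLASS
  ips inline fail-close

service-policy global_policy global
```

With this in place, an HTTP or HTTPS connection to 192.0.2.10 passes OUTSIDE_IN and is then diverted through the AIP-SSM inline; SMTP to 192.0.2.20 passes OUTSIDE_IN but hits the explicit deny in IPS_MATCH and is forwarded without inspection; anything else from the Internet is dropped by OUTSIDE_IN before the match ACL is ever consulted. Replacing IPS_MATCH with `permit ip any any` would inspect everything the firewall permits, but would not, by itself, open the outside interface to anything. Use `show service-policy` and `show access-list IPS_MATCH` hit counts to confirm which rule each flow is actually matching.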
