I have a couple of questions regarding the ASA that deal with the SSM module.
I have read the document "Configuring ASA-SSM" and am confused by the command logic. I realize that you need to specify a service-policy globally that defines the traffic being sent to the SSM module. My concern is that the configuration document lists as one of it's steps to define an ACL for the IPS traffic and then apply it to an interface before configuring the class map, policy map, and service-policy. Why would this ACL need to be applied to an interface when it is being used for defining IPS traffic? Shouldn't the ASA send whatever traffic is defined globally in the service-policy to the SSM without attaching the ACL to an interface?
Also, on the ASA factory default configuration there is a service-policy defined as:
inspect dns maximum-length 512
inspect h323 h225
inspect h323 ras
service-policy global_policy global
But, if I define a global service-policy for the SSM I would lose this default service-policy as only one global service policy is allowed. Is the default service-policy providing the fixup protocol services as in the PIX that I am used to seeing? If so do I lose this functionality by applying a global service-policy for IPS/
Sorry for the length of the post and thanks for your help in advance.
The configuration in the IPS User's Guide is just one method for settings up the ASA to send packets to the SSM.
It is an extremely basic configuration on the ASA where all the ASA is doing is copying packets to the SSM and the ASA is not doing any of it's firewall functionality.
This configuration is only practical if the ASA was purchased and used only for housing the SSM and sending it traffic ( a rare deployment in the field ).
If your ASA is already configured for firewall functionality then the only additional command(s) that need to be added to your config are:
ips inline|promiscuous fail-open|fail-close
Take your existing policy-map and for every class in that policy you will need to decide if the traffic should be monitored promiscuously, inline, or not monitored by the SSM.
In your example, if you wanted to monitor all of the traffic inline on the SSM and want to continue passing traffic if the SSM fails. Then simply add the line "ips inline fail-open" within the existing "class inspection_default".
NOTE: If you change the policy you need to understand that the new policy will only affect new connections and not existing connections.
The only reason you would have to create additional acls and class maps using the acls would be if you did not want all of the traffic monitored inline by the SSM.
If you want different traffic monitored promiscuous and other inline (or not monitored), then you need to include additional classes in your policy-map so that a different ips configuration line can be added for each class.
Thanks for the reply. I thought things were a bit odd. I'm not sure why they would put out a document for such a situation instead of one that would be helpful to most people, but your answer is very clear. Thanks again.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :