Cisco Support Community
Traffic does not divert from ASA to IPS module

Hi;

I am using an ASA 5512-X with the IPS module. My IPS is using the default IP addresses 192.168.1.1 and 192.168.1.2, and my inside network is 172.16.0.0. The 192.168.0.x network below is my site-to-site VPN network at the remote site.

I have added the class map and access list as below:

access-list aclist_ips extended deny ip host 192.168.1.2 any
access-list aclist_ips extended deny ip 192.168.0.0 255.255.0.0 any

access-list aclist_ips extended permit ip any any

class-map ips_class_1
match access-list aclist_ips

policy-map ips_policy
class ips_class_1
  inspect dns preset_dns_map
  inspect http
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp

ips inline fail-open

service-policy ips_policy global

However, once the service-policy ips_policy global is applied, all my outbound traffic is dropped: no internet and no site-to-site VPN.

Also, no traffic is diverted from the ASA to the IPS module.

Meanwhile, my 192.168.1.x IPS network cannot get through to the internet for signature updates.

Should I use the same LAN IPs for the IPS network? I am using a layer 3 network; a core layer 3 switch is used.

How can I fix the problem?

  • Intrusion Prevention Systems/IDS
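A point worth checking before looking elsewhere for the outage: an access-list referenced by `class-map ... match access-list` only decides class membership. A `permit` ACE puts the flow in the class (here: hands it to the IPS), a `deny` ACE and the implicit deny at the end just leave the flow out of the class; nothing in this ACL can drop traffic on its own. The script below is an added example, not code from the post or from Cisco. It parses the poster's three ACEs exactly as written and evaluates some constructed flows against them with ASA first-match semantics, so you can see which traffic the class would and would not send to the module. It only supports `ip` ACEs with `any`, `host A.B.C.D` and `NET MASK` address forms, which is all the post uses; the sample flows (hosts in 172.16.0.0/16, the remote 192.168.0.x site, the IPS management address 192.168.1.2 and the public address 8.8.8.8) are assumptions for illustration.

```python
"""Which flows would an ASA MPF class-map access-list divert to the IPS module?

Added example (not from the original post). Models the semantics of an
extended access-list used under `class-map ... match access-list`:
first matching ACE wins; `permit` = flow belongs to the class (sent to IPS);
`deny` = flow is excluded from the class, NOT dropped; implicit deny at the
end likewise only means "not classified".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The class-map ACL from the post, reproduced verbatim as sample input.
ASA_ACL = """
access-list aclist_ips extended deny ip host 192.168.1.2 any
access-list aclist_ips extended deny ip 192.168.0.0 255.255.0.0 any
access-list aclist_ips extended permit ip any any
"""


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str                    # original ACE line, for reporting


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA extended ACLs write a subnet as "address mask" (a normal mask, not a wildcard).
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str, name: str) -> List[Ace]:
    """Collect the ACEs of access-list NAME, in configuration order."""
    aces: List[Ace] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = line.split()
        # access-list NAME extended ACTION PROTOCOL SRC DST
        if tokens[:3] != ["access-list", name, "extended"]:
            continue
        action, proto = tokens[3], tokens[4]
        if proto != "ip":
            raise ValueError(f"this example only handles 'ip' ACEs: {line}")
        src, i = _parse_addr(tokens, 5)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(action, src, dst, line))
    return aces


def classify(aces: List[Ace], src_ip: str, dst_ip: str) -> Optional[Ace]:
    """First-match evaluation; None means the implicit deny (flow not in class)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace
    return None


def diverted_to_ips(aces: List[Ace], src_ip: str, dst_ip: str) -> bool:
    """True when a permit ACE matches, i.e. the flow is handed to the IPS."""
    ace = classify(aces, src_ip, dst_ip)
    return ace is not None and ace.action == "permit"


# Constructed flows; addresses other than 192.168.1.2 are assumptions.
SAMPLE_FLOWS = [
    ("172.16.10.5", "8.8.8.8"),       # inside host to internet
    ("172.16.10.5", "192.168.0.20"),  # inside host to remote VPN site
    ("192.168.0.20", "8.8.8.8"),      # remote VPN site to internet
    ("192.168.1.2", "172.16.10.5"),   # IPS management address
]


def report(aces: List[Ace], flows) -> List[Tuple[str, str, bool, str]]:
    """Return (src, dst, diverted, matched ACE text or 'implicit deny') per flow."""
    rows = []
    for src, dst in flows:
        ace = classify(aces, src, dst)
        rows.append((src, dst, diverted_to_ips(aces, src, dst),
                     ace.text if ace else "implicit deny"))
    return rows


if __name__ == "__main__":
    acl = parse_acl(ASA_ACL, "aclist_ips")
    for src, dst, diverted, why in report(acl, SAMPLE_FLOWS):
        verdict = "-> IPS" if diverted else "bypasses IPS (not dropped)"
        print(f"{src:>14} -> {dst:<14} {verdict:<28} [{why}]")
```

Running it shows that inside hosts are diverted and the 192.168.0.0/16 range (which also covers the 192.168.1.x module addresses) bypasses the module; none of the sample flows are dropped by the ACL itself, so the loss of internet and VPN traffic after applying the policy has to come from something other than these ACEs.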