Community Member

Traffic from ASA to IPS

Hello Everyone,

I have configured an ASA5510 to send all traffic to the IPS like below, as the Cisco doc described.

access-list IPS extended permit ip any any
class-map my-ips-class
 match access-list IPS
policy-map my-ips-policy
 class my-ips-class
  ips inline fail-close
service-policy my-ips-policy global

And all incoming traffic from outside should go to the IPS. How can I make sure that traffic is going to the IPS?

If I give a command like this:

sh service-policy global

it shows the below:

Global policy:
  Service-policy: my-ips-policy
    Class-map: my-ips-class
      IPS: card status Up, mode inline fail-close
        packet input 12119, packet output 12119, drop 0, reset-drop 0

Then I go to the IPS and enable signature definition number 2004 to deny ICMP echo requests. In actions I chose "deny packet inline", but I can still ping from outside to inside.

Please advise sir what to do.

Regards,

Tuhin.

2 REPLIES
Community Member

Re: Traffic from ASA to IPS

Did you check in the IDM if the signature 2004 is firing? If it is firing, make sure the "Deny packet" option is set correctly.

Trust your virtual sensor vs0 config is completed and the interface Gig0/1 is added to the vs0.

You could also use the "packet display interface Gig 0/1 expression (tcpdump expressions)" on the IPS CLI to see if the sensor is indeed seeing the Echo traffic.
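The reply above boils down to a set of checks: the sensor must be reachable (card status Up), the class must be inline for a deny-packet action to have any effect, and the counters on the ASA side must actually move when test traffic is sent. The following Python script is an added example, not part of the original thread or of any Cisco tool; it parses two samples of the `show service-policy global` output shown in the question (the counter values in the second sample are constructed) and reports which of those conditions fail. It assumes the `drop` counter reflects packets the sensor denied, which is what you would expect to see climb once a signature with "deny packet inline" is firing.

```python
import re

# Sample 1: the "show service-policy global" output quoted in the thread.
SAMPLE_BEFORE = """\
Global policy:
  Service-policy: my-ips-policy
    Class-map: my-ips-class
      IPS: card status Up, mode inline fail-close
        packet input 12119, packet output 12119, drop 0, reset-drop 0
"""

# Sample 2: constructed values for a second reading taken after sending a few
# ICMP echo requests through the firewall with signature 2004 set to deny.
SAMPLE_AFTER = """\
Global policy:
  Service-policy: my-ips-policy
    Class-map: my-ips-class
      IPS: card status Up, mode inline fail-close
        packet input 12140, packet output 12136, drop 4, reset-drop 0
"""

# "IPS: card status Up, mode inline fail-close"
STATUS_RE = re.compile(r"IPS:\s+card status (?P<status>\S+),\s+mode (?P<mode>.+)")
# "packet input 12119, packet output 12119, drop 0, reset-drop 0"
COUNTER_RE = re.compile(
    r"packet input (\d+), packet output (\d+), drop (\d+), reset-drop (\d+)"
)


def parse_ips_policy(output):
    """Extract card status, inline/promiscuous mode and the four counters
    from the IPS class of a 'show service-policy' listing."""
    status = STATUS_RE.search(output)
    counters = COUNTER_RE.search(output)
    if status is None or counters is None:
        raise ValueError("no IPS class found in service-policy output")
    pin, pout, drop, reset = (int(x) for x in counters.groups())
    return {
        "status": status.group("status"),
        "mode": status.group("mode").strip(),
        "input": pin,
        "output": pout,
        "drop": drop,
        "reset_drop": reset,
    }


def check_ips_path(before, after):
    """Compare two readings and return a list of findings.
    An empty list means traffic is reaching the sensor and it can act on it."""
    b = parse_ips_policy(before)
    a = parse_ips_policy(after)
    findings = []
    if a["status"] != "Up":
        findings.append(f"IPS card status is {a['status']}, not Up")
    if not a["mode"].startswith("inline"):
        findings.append(
            f"IPS mode is '{a['mode']}'; deny-packet actions only take effect inline"
        )
    if a["input"] <= b["input"]:
        findings.append(
            "packet input counter did not increase: traffic is not being "
            "diverted to the IPS (check the class-map ACL and the service-policy)"
        )
    return findings


def sensor_denied(before, after):
    """Number of packets the sensor dropped between the two readings
    (assumed here to be what the ASA 'drop' counter reports)."""
    return parse_ips_policy(after)["drop"] - parse_ips_policy(before)["drop"]


if __name__ == "__main__":
    problems = check_ips_path(SAMPLE_BEFORE, SAMPLE_AFTER)
    if problems:
        print("\n".join(problems))
    else:
        print(f"traffic reaches the sensor; {sensor_denied(SAMPLE_BEFORE, SAMPLE_AFTER)} packets denied")
```

If the counters move but the drop counter stays at zero while the signature is enabled, the ASA side is fine and the problem is on the sensor: either the signature is not firing or, as in this thread, the sensing interface is not assigned to the virtual sensor, so the packets pass through without inspection.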

Community Member

Re: Traffic from ASA to IPS

Thank you very much sir. It's now working. I didn't add interface Gig0/1 to vs0.

Thank you.

Regards,

Tuhin

Dhaka.
