We have an ASA5585-X with SSP-10 module installed that we are testing. The firewall's outside interface is connected to the internet and has a public address. We have CSM 4.2 installed and are sending events from the IPS to it.
After we configured the IPS module, we expected to get lots of alerts for attacks originating from the internet, but we hardly see anything.
The ACL that we have on the outside interface doesn't actually allow much in, just some SMTP, HTTP, DNS, SSH.
My question is this - should the IPS see all traffic/attacks coming from the internet, or JUST packets that have passed the outside ACL?
I suspect this is why we are seeing very few alerts - can anyone confirm this?
The traffic does not automatically get copied to the IPS; you need to create an access-list and a class-map and apply them in a policy-map (like QoS):
access-list IPS extended permit ip any any
class-map IPS
 match access-list IPS
policy-map global_policy
 class IPS
  ips inline fail-open
Internally, the traffic is passed from the firewall to the IPS module through an internal interface (a port-channel on the 5585s) at the last step, just prior to the traffic exiting the firewall. This is why the IPS modules do not have a "normalizer" engine: this is already performed by the ASA prior to inspection, and the ASA normalizer is essentially the same as what is found on the IPS.
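To make the ordering concrete, the following is a complete ASA configuration added here as an illustration; it is not the poster's configuration. The interface name, the ACL names and the 203.0.113.0/24 addresses are placeholders. The interface ACL is evaluated on ingress, so a packet it denies is dropped by the ASA (logged as syslog 106023 "Deny ... by access-group") and never reaches the service-policy that hands traffic to the IPS; only the SMTP, HTTP, DNS and SSH flows it permits are ever seen by the module.

```cisco
! Inbound policy on the outside interface. Evaluated first: anything
! denied here is dropped by the ASA and is never sent to the IPS.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE_IN extended permit udp any host 203.0.113.11 eq domain
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.12 eq ssh
access-group OUTSIDE_IN in interface outside
!
! Traffic selector for the IPS module. "permit ip any any" looks broad,
! but it is only matched by packets that already survived the interface
! ACL (and NAT) and are about to leave the firewall.
access-list IPS extended permit ip any any
!
class-map IPS
 match access-list IPS
!
! Inline so the module can drop; fail-open so a module failure does not
! take the firewall path down. Use "promiscuous" for a copy-only sensor
! and "fail-close" if a dead sensor should block traffic instead.
policy-map global_policy
 class IPS
  ips inline fail-open
!
service-policy global_policy global
```

To check where traffic is being lost, compare the hit counts of the two ACLs: `show access-list OUTSIDE_IN` shows what the interface ACL is permitting and denying, while `show service-policy` reports the IPS class with its packet input/output and drop counters, and `show module` confirms the SSP module is up. If the interface ACL deny counters climb while the IPS packet counters stay flat, the module is simply never being shown that traffic.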