
New Member

What traffic gets copied to IPS Module??

We have an ASA5585-X with SSP-10 module installed that we are testing. The firewall's outside interface is connected to the internet and has a public address. We have CSM 4.2 installed and are sending events from the IPS to it.

After we configured the IPS module we expected to get lots of alerts for attacks originating from the internet, but we hardly see anything.

The ACL that we have on the outside interface doesn't actually allow much in, just some SMTP, HTTP, DNS, SSH.

My question is this - should the IPS see all traffic/attacks coming from the internet, or JUST packets that have passed the outside ACL?

I suspect this is why we are seeing very few alerts - can anyone confirm this?

Thanks,

//\/\\\

Accepted Solution
Bronze

What traffic gets copied to IPS Module??

If the traffic has been dropped by ASA, then IPS won't have any visibility to it.

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta
5 REPLIES
New Member

What traffic gets copied to IPS Module??

The traffic does not automatically get copied to the IPS; you need to create an access-list and class-map to apply (like QoS):

access-list IPS extended permit ip any any
!
class-map global-ips
 match access-list IPS
!
policy-map global_policy
 class global-ips
  ips inline fail-open
!

Internally the traffic is passed from the firewall to the IPS module through an internal interface (port channel on the 5585's) at the last step just prior to the traffic exiting the firewall. This is why the IPS modules do not have a "normalizer" engine: this is already performed by the ASA prior to inspection, and the ASA normalizer is essentially the same as what is found on the IPS.

New Member

What traffic gets copied to IPS Module??

Hi,

I'm aware of that - we have the policy map configured.

We're getting very few alerts from IPS - I was expecting more, as the outside interface has a public IP address and there are scans, probes etc happening all the time.

Let me put my question a different way - does the IPS module ever see traffic that is DROPPED by the outside interface ACL??

Bronze

What traffic gets copied to IPS Module??

If the traffic has been dropped by ASA, then IPS won't have any visibility to it.

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta
New Member

What traffic gets copied to IPS Module??

Thanks for the replies.

So if there was a DoS attack occurring on the outside interface (possibly saturating our internet link) and the DoS traffic was being dropped by the ACL, IPS would have no visibility of that??

Bronze

What traffic gets copied to IPS Module??

Correct.

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta
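As an added example, not from the original thread or any Cisco documentation, the following minimal ASA configuration ties together the two points made above: the interface ACL is evaluated on ingress and drops traffic before the service policy ever redirects anything to the IPS module, so the only way to keep the dropped scans and probes visible is to log the ACL denies on the ASA itself. The interface names, ACL names, addresses (RFC 5737 documentation ranges) and syslog host are assumptions; the IPS redirection section repeats the class-map/policy-map pattern already shown in the thread.

```cisco
! Constructed example, not the poster's configuration.
! Interface names, ACL names, addresses and the syslog host are assumptions.
!
! 1. Interface ACL: evaluated first, on ingress of the outside interface.
!    Anything denied here is dropped by the ASA and never reaches the IPS.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE_IN extended permit udp any host 203.0.113.11 eq domain
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.12 eq ssh
! Explicit final deny with the log keyword: the drops stay visible in syslog
! (and therefore in CSM) even though the IPS module will never see them.
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! 2. IPS redirection: only traffic that has already passed the ACL (and the
!    rest of the ASA pipeline) can match this class and be sent to the module.
access-list IPS extended permit ip any any
!
class-map global-ips
 match access-list IPS
!
policy-map global_policy
 class global-ips
  ips inline fail-open
!
service-policy global_policy global
!
! 3. Deliver the ACL deny messages to the management/event collector.
logging enable
logging trap informational
logging host inside 192.0.2.50
```

With this in place a probe against a port not permitted by OUTSIDE_IN produces a 106100 syslog message from the ASA rather than an IPS alert, which is the behaviour the accepted answer describes; the IPS alert volume reflects only the permitted SMTP, HTTP, DNS and SSH flows. Two things to decide consciously when adapting this: `log` on a catch-all deny can generate a large message volume during a flood, so the syslog destination must be sized for it, and `ips inline fail-open` means the ASA keeps forwarding traffic uninspected if the module fails, whereas `fail-close` drops it.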