Cisco Support Community
ovt (Bronze)

ASA -> SSM order of operation

This is about ASA/SSM packet processing. Does the SSM receive post-NAT or pre-NAT packets? When (in the packet processing path) does the ASA send packets to the SSM?

Documentation is very unclear here: "The security appliance diverts packets to the AIP SSM just before the packet exits the egress interface (or before VPN encryption occurs, if configured) and after other firewall policies are applied."

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/ids.htm#wp1050693

On the other hand the same documentation says that IPS is the "ingress feature if the policy-map is applied globally and bidirectional if the policy-map is applied to an interface".

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/mpc.htm#wp1083060

It is important for the ASA to see either pre-NAT (private) IP addresses or post-NAT addresses for *both* the outgoing and incoming traffic. Otherwise it will not be able to build a session table for STREAM signatures. It is important for us to know how it works, because I personally prefer to see pre-NAT (private) addresses (of my internal hosts/servers) in alerts, not the single PAT address.

So a step-by-step description of packet processing is needed for a) traffic going from the inside to the outside with NAT configured and b) packets returning from the outside to the inside. And this should be documented both for applying the policy-map globally and for applying it to an interface.

Can anybody, perhaps cisco, shed some light on this?

Thx.

3 REPLIES
Silver

Re: ASA -> SSM order of operation

ASA diverts packets to ASA-SSM just before the packet exits the egress interface (or before VPN encryption occurs, if configured) and after other firewall policies are applied. For example, packets that are blocked by an access list are not forwarded to ASA-SSM.

You can configure ASA-SSM to inspect traffic in inline or promiscuous mode and in fail-open or fail-over mode.

On ASA, to identify traffic to be diverted to and inspected by ASA-SSM:

Use the class-map command to define the IPS traffic class.

Use the policy-map command to create an IPS policy map by associating the traffic class with one or more actions.

Use the service-policy command to create an IPS security policy by associating the policy map with one or more interfaces.

You can use the ASA CLI or ASDM to configure IPS traffic inspection.

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804596f0.html
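As an added illustration of the three steps in this reply (not configuration taken from any post in this thread or from Cisco's documentation), here is an ASA CLI fragment in the class-map / policy-map / service-policy form described above. It covers both ways of attaching the policy that the question asks about: globally, and to a single interface. The access-list name IPS_TRAFFIC, the class-map name IPS_CLASS, the policy-map name IPS_POLICY, the interface name "outside" and the choice of inline fail-open are all assumptions for the example.

```cisco
! Step 1: define the traffic class to be diverted to the SSM.
! IPS_TRAFFIC and IPS_CLASS are assumed names chosen for this example.
access-list IPS_TRAFFIC extended permit ip any any
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! Step 2: associate the class with the IPS action in a policy map.
! "inline" passes each packet through the SSM before forwarding;
! "fail-open" lets traffic through if the SSM is unavailable
! (fail-close would drop it instead).
policy-map IPS_POLICY
 class IPS_CLASS
  ips inline fail-open
!
! Step 3a: apply the policy globally. Per the documentation quoted in
! the question, IPS then acts as an ingress feature on every interface.
service-policy IPS_POLICY global
!
! Step 3b (alternative to 3a): apply it to one interface instead, where
! the documentation describes the IPS action as bidirectional.
! "outside" is an assumed interface name.
! service-policy IPS_POLICY interface outside
!
! Check: confirm the policy is attached and that packet counters for the
! IPS action increase as matching traffic flows.
show service-policy ips
```

Only one policy can be applied globally on the ASA, so the interface variant is shown commented out; uncomment it and remove the global line to compare the two behaviours the question raises.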

ovt (Bronze)

Re: ASA -> SSM order of operation

Wow! Thank you so much for cutting and pasting excerpts from my previous post and from the cisco documentation mentioned in my post! This really helps a lot!

I guess nobody is using ASA with SSM, even cisco, so nobody can answer even the simplest question about it.

New Member

Re: ASA -> SSM order of operation

Don't feel lonesome :(

If you set up the policy globally, the IDS results for "attacker" are ambiguous at best.

If you try to influence direction with an ACL it gets even stranger.

Setting an IDS policy in the ASDM is less than intuitive. So much less that I'm lost as well.

181 Views, 1 Helpful, 3 Replies