This is about ASA/SSM packet processing. Does the SSM receive post-NAT or pre-NAT packets? When (in the packet processing path) does the ASA send packets to the SSM?
Documentation is very unclear here: "The security appliance diverts packets to the AIP SSM just before the packet exits the egress interface (or before VPN encryption occurs, if configured) and after other firewall policies are applied."
It is important for the ASA to see either pre-NAT (private) IP addresses or post-NAT addresses for *both* the outgoing and incoming traffic. Otherwise it will not be able to build a session table for STREAM signatures. It is important for us to know how it works, because I personally prefer to see pre-NAT (private) addresses (of my internal hosts/servers) in alerts, not the single PAT address.
So, a step-by-step description of packet processing is needed for a) traffic going from the inside to the outside with NAT configured and b) packets returning from the outside to the inside. And this should be documented both for applying the policy-map globally and for applying it to an interface.
Can anybody, perhaps cisco, shed some light on this?
ASA diverts packets to ASA-SSM just before the packet exits the egress interface (or before VPN encryption occurs, if configured) and after other firewall policies are applied. For example, packets that are blocked by an access list are not forwarded to ASA-SSM.
You can configure ASA-SSM to inspect traffic in inline or promiscuous mode and in fail-open or fail-over mode.
On ASA, to identify traffic to be diverted to and inspected by ASA-SSM:
Use the class-map command to define the IPS traffic class.
Use the policy-map command to create an IPS policy map by associating the traffic class with one or more actions.
Use the service-policy command to create an IPS security policy by associating the policy map with one or more interfaces.
You can use the ASA CLI or ASDM to configure IPS traffic inspection.
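The three-step class-map / policy-map / service-policy sequence described in the answer above, written out as an added ASA CLI example (not the original poster's configuration). The names IPS-ACL, IPS-CLASS and IPS-POLICY are assumed; the `ips inline fail-open` action selects inline inspection with fail-open behaviour, and the `interface` form of `service-policy` is shown as the alternative to applying the policy globally:

```text
! Step 1: define which traffic is diverted to the SSM (here: everything).
! Narrow the access-list to the subnets of interest in a real deployment.
access-list IPS-ACL extended permit ip any any
!
class-map IPS-CLASS
 match access-list IPS-ACL
!
! Step 2: bind the class to the IPS action.
!   ips {inline | promiscuous} {fail-open | fail-close}
!   inline      = SSM sits in the packet path and can drop traffic
!   promiscuous = SSM receives a copy and can only alert
!   fail-open   = traffic keeps flowing if the SSM is down or unresponsive
policy-map IPS-POLICY
 class IPS-CLASS
  ips inline fail-open
!
! Step 3a: apply the policy to all interfaces ...
service-policy IPS-POLICY global
!
! Step 3b: ... or, instead of 3a, to a single interface only.
! (Only one of 3a/3b is used for a given policy map.)
! service-policy IPS-POLICY interface inside
```

Packets denied by an interface access-list are dropped before the `ips` action is reached, so they never appear on the SSM, which matches the ordering the answer describes.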