12-13-2005 01:41 PM - last edited on 03-25-2019 05:06 PM by ciscomoderator
Hi, I have a question about the ASA firewall. I have an ASA 5520 (ASA PIX v7.0(2)) with an SSM-20 (IPS v5.0(2)) module installed.
The gigabitethernet0/0 is named Outside, and gigabitethernet0/1 is named Inside on the ASA5520. Also in the ASA I enabled inline IPS with these commands:
class-map ipsclass
 match any
policy-map ipspolicy
 class ipsclass
  ips inline fail-open
service-policy ipspolicy interface outside
*************************************
Asa5520# sh service-policy ips
Interface Outside:
  Service-policy: ipspolicy
    Class-map: ipsclass
      IPS: mode inline, packet 88398248
In the SSM-20 I ran setup, configured the IP address, and allowed host information.
In ASDM I went into the IPS and assigned GigabitEthernet0/1 (the only interface available (shown) to be assigned to vs0). Under Interface in interface configuration, I enabled interface Gi0/1 (only gi0/1 is available). Under Interface configuration and summary, it shows: Names - Giga0/1, Details Promiscuous, Assigned to Virtual Sensor vs0.
Now everything should work and start logging the events into the SSM-20. However, this is my problem: I only see the events with the attacker coming from inside of the network but not the outside interface. In other words, the IPS only logs the inside events but not the outside interface. Is there anything that I misconfigured or did not configure? I tried to add gi0/0 (Outside) into vs0 but failed because no interface is available for gi0/0. The attached txt shows the output from the SSM module. Many thanks for reading this conversation.
Best regards,
N
12-13-2005 07:20 PM
The documentation on this is quite poor unfortunately, something we're getting fixed. I'll provide a bit of detail and hopefully this'll help others in the same boat.
For a start, the Gig0/0 and Gig0/1 that you're seeing on the ASA and on the SSM are completely separate interfaces, don't get confused because they have the same name.
The Gig int's on the ASA are obviously the ones on the back of the module and used for inside/outside/dmz type interfaces for firewalling purposes.
The Gig0/0 int you're seeing on the SSM (when session'd or connected into the IPS) is the physical connector on the back of the SSM module. It is used for command-control purposes only, not for sniffing or monitoring traffic. When you assign a management IP address to the SSM/IPS via the "setup" command it is this physical interface that you're referring to.
The Gig0/1 int you're seeing on the SSM (when session'd or connected into the IPS) is a special internal backplane interface that is used to pass traffic between the ASA and the SSM/IPS. This is the only int that you can assign to the virtual-sensor vs0 because it is the only int on the SSM that is used for monitoring traffic.
If the ASA is set up in inline mode then all traffic is passed from the ASA to the Gig0/1 int of the SSM, inspected, then passed back out the Gig0/1 int back to the ASA for forwarding out one of its Gig interfaces.
Now going by your config you've correctly added Gig0/1 of the SSM into vs0, so that's about all you can do on the SSM side of things. I'm not sure what you mean by "only see events with attacker come from the inside". The ASA is definitely passing traffic going by your "sho service-policy" output, so can you elaborate on what it is you're not seeing please?
Keep in mind that an IPS policy applied to an interface will only inspect inbound traffic on that interface, so this may be what you're seeing. It is generally recommended to create a new class as you have done and then just apply that class to the existing global service-policy, something like the following:
class-map ipsclass
 match any
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  .....
  inspect netbios
  inspect tftp
 class ipsclass    <--- Add the class-map to the existing global_policy policy-map
  ips inline fail-open
!
service-policy global_policy global
Try that and see if that resolves your problem.
12-14-2005 03:55 PM
Thanks for the prompt reply. Almost all of the event logs in the SSM are showing my Inside IP address as the source address.
Such as:
participants:
  attacker:
    addr: 10.2.11.28 locality=OUT
    port: 1233
  target:
    addr: 216.155.193.155 locality=OUT
    port: 25
Later, I will add the ipsclass into global_policy instead of just the outside interface and see if I get more event logs. Also, is there any IEV or similar for the SSM-20 (IPS v5.0) available to use?
Best regards,
N
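As an added diagnostic (not code from this thread or from Cisco), the following Python script parses event text in the layout quoted above and counts events by which side the attacker address sits on, assuming the inside network is 10.2.11.0/24 (an assumption; only 10.2.11.28 appears in the thread). A result with no outside-originated events matches the symptom explained in the earlier reply: an IPS policy bound to one interface inspects only that interface's inbound traffic.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the thread's event layout; all but the first record's addresses are made up.
SAMPLE_EVENTS = """\
participants:
  attacker:
    addr: 10.2.11.28 locality=OUT
    port: 1233
  target:
    addr: 216.155.193.155 locality=OUT
    port: 25
participants:
  attacker:
    addr: 10.2.11.40 locality=OUT
    port: 4421
  target:
    addr: 198.51.100.7 locality=OUT
    port: 80
participants:
  attacker:
    addr: 203.0.113.9 locality=OUT
    port: 52100
  target:
    addr: 10.2.11.28 locality=OUT
    port: 445
"""

# One record = an attacker addr followed (non-greedily) by a target addr.
EVENT_RE = re.compile(r"attacker:\s*addr:\s*([\d.]+).*?target:\s*addr:\s*([\d.]+)", re.S)
def parse_events(text):
    """Return (attacker_ip, target_ip) pairs from SSM event text."""
    return [(m.group(1), m.group(2)) for m in EVENT_RE.finditer(text)]

def classify_direction(events, inside_net):
    """Count events by whether the attacker address lies in the inside subnet."""
    net = ipaddress.ip_network(inside_net)
    counts = Counter()
    for attacker, _target in events:
        side = "inside" if ipaddress.ip_address(attacker) in net else "outside"
        counts[side + "_originated"] += 1
    return counts

def policy_scope_warning(counts):
    """Flag the thread's symptom: an IPS policy bound to one interface sees only
    that interface's inbound traffic, so every attacker looks like an inside host."""
    if counts["outside_originated"] == 0 and counts["inside_originated"] > 0:
        return "only inside-originated events: check that the ips class is in the global policy"
    return "events seen from both sides"
```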
12-15-2005 03:15 PM
Thanks! It works; I am getting more outside logs now. Also, is there any client tool or IEV for IPS v5 available? Or are events only viewable through ASDM IPS?
Thanks,
N