topic AIP 10 module in ASA in Network Security

AIP 10 module in ASA

Andy White — Sun, 10 Mar 2019 12:49:43 GMT

Hello,

I've setup the AIP module in my ASA 5520 and all looks good. I now need to do the following, does this config look ok?

I want to inspect traffic on certain interfaces and exclude certain traffic. For example I don'e want IPS to inspect our replication traffic that passes from the inside to our DMZ6 interface.

Anyway should I enable the gloabal policy or create individual policies per interface?

Global

policy-map global_policy

class aw-ips

match any

ips inline fail-open sensor vs0

Then I need to do the outside, DMZ6 and DMZ4 interfaces?

DMZ6

access-list traffic_for_ips deny ip 192.168.28.0 255.255.255.0 192.168.38.0 255.255.255.0

access-list traffic_for_ips permit ip any any

class-map DMZ6-ips-policy

match access-list traffic_for_ips

policy-map interface_policy

class DMZ6-ips-policy

ips inline fail-open sensor vs0

service-policy interface_policy interface DMZ6

Outside

class-map Outside-ips-policy

match any

policy-map interface_policy

class Outside-ips-policy

ips inline fail-open sensor vs0

service-policy interface_policy interface Outside

DMZ4

class-map DMZ4-ips-policy

match any

policy-map interface_policy

class DMZ4-ips-policy

ips inline fail-open sensor vs0

service-policy interface_policy interface DMZ4

Do you think this will work? I hope the Outside, DMZ6 and DMZ4 will be inspected and traffic from 192.168.28.0/24 to 192.168.38.0/24 wont be inspected.

Thanks

AIP 10 module in ASA

lcambron — Wed, 21 Nov 2012 02:25:58 GMT

Andy,

That should work, but you can also confiure just one class and apply it globaly:

access-list traffic_for_ips deny ip 192.168.28.0 255.255.255.0 192.168.38.0 255.255.255.0

access-list traffic_for_ips permit ip any any

class-map IPS

match access-list traffic_for_ips

policy-map global_policy

class IPS

ips inline fail-open sensor vs0

Regards,

Felipe.

AIP 10 module in ASA

Andy White — Wed, 21 Nov 2012 07:40:14 GMT

Hello,

Forgive me if I'm wrong, but I want to just exclude that traffic from the inside to the Dmz6 interfaces, if I use a global class wouldn't this be applied to all interfaces?

I also want to be able disable IPS on certain interfaces quickly should the load reach 100%.

Thanks

AIP 10 module in ASA

lcambron — Wed, 21 Nov 2012 16:10:18 GMT

Andy,

That's the purpose of the ACL, to exclude traffic from inside to DMZ and match the rest:

deny ip 192.168.28.0 255.255.255.0 192.168.38.0 255.255.255.0

So, instead of excluding the interface, just exclude the traffic, it will be the same but easier to manage.

Regards,

Felipe