https://community.cisco.com/t5/network-security/ips-module-integration-with-asa-and-basic-configuration-steps/m-p/1982333#M54792 <HTML><HEAD></HEAD><BODY><P>Thanks Zubair , </P><P></P><P>what is the function of&nbsp; <EM style="text-decoration: underline; "><STRONG>ips promiscuous fail-close (or fail-open)&nbsp;&nbsp;&nbsp;&nbsp; </STRONG></EM>command , </P><P></P><P>what could be the effect on network if IPS module will be down / stop working </P></BODY></HTML> Tue, 14 Aug 2012 01:58:26 GMT aslam.bajwa 2012-08-14T01:58:26Z https://community.cisco.com/t5/network-security/ips-module-integration-with-asa-and-basic-configuration-steps/m-p/1982331#M54780 <P>Hi All , </P><P></P><P>i am new in security , i need to integrate IPS module with ASA 5500 and basic configuration steps . so that i can get inside traffic through IPS module to LAN . </P><P></P><P>please advise some esay steps to perm this activity </P><P></P><P>regards , </P> Sun, 10 Mar 2019 12:45:04 GMT https://community.cisco.com/t5/network-security/ips-module-integration-with-asa-and-basic-configuration-steps/m-p/1982331#M54780 aslam.bajwa 2019-03-10T12:45:04Z https://community.cisco.com/t5/network-security/ips-module-integration-with-asa-and-basic-configuration-steps/m-p/1982332#M54785 <HTML><HEAD></HEAD><BODY><P>Hi Aslam</P><P></P><P>You will use class maps to divert the traffic to the module. Here are some basic steps.</P><P></P><P>!Identify the traffic that needs to be diverted to the IPS SSP.</P><P>&nbsp;&nbsp; access-list IPS permit ip any any</P><P>!</P><P>!Classify the traffic using a class map.</P><P>!</P><P>&nbsp; class-map IPS</P><P>&nbsp; match access-list IPS</P><P>!</P><P>!Specify the action to be taken on the traffic using a policy map. !Since there is already a policy map attached globally in the FW, !the class-map defined above will be added here !only. </P><P>!</P><P>policy-map global_policy</P><P> class IPS</P><P> ips promiscuous fail-close (or fail-open)</P><P>!</P><P></P><P></P><P>Once that is done, the rest of the configuration needs to be done on the IPS using CLI or preferrably the IDM.</P><P></P><P>HTH. Please rate if useful.</P><P>Zubair</P></BODY></HTML> Tue, 14 Aug 2012 00:13:19 GMT https://community.cisco.com/t5/network-security/ips-module-integration-with-asa-and-basic-configuration-steps/m-p/1982332#M54785 zujalal 2012-08-14T00:13:19Z https://community.cisco.com/t5/network-security/ips-module-integration-with-asa-and-basic-configuration-steps/m-p/1982333#M54792 <HTML><HEAD></HEAD><BODY><P>Thanks Zubair , </P><P></P><P>what is the function of&nbsp; <EM style="text-decoration: underline; "><STRONG>ips promiscuous fail-close (or fail-open)&nbsp;&nbsp;&nbsp;&nbsp; </STRONG></EM>command , </P><P></P><P>what could be the effect on network if IPS module will be down / stop working </P></BODY></HTML> Tue, 14 Aug 2012 01:58:26 GMT https://community.cisco.com/t5/network-security/ips-module-integration-with-asa-and-basic-configuration-steps/m-p/1982333#M54792 aslam.bajwa 2012-08-14T01:58:26Z https://community.cisco.com/t5/network-security/ips-module-integration-with-asa-and-basic-configuration-steps/m-p/1982334#M54795 <HTML><HEAD></HEAD><BODY><P>For failure scenarios, have a look at this. This explains fail open and fail close. Also note that the above command is if you want to setup the IPS in promiscous mode. If you want to put it inline to traffic you need to enter "ips inline fail-close (or fail-open).</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/cli/cli_ssp.html#wp1086445">http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/cli/cli_ssp.html#wp1086445</A></P><P></P><P>Please rate if useful.</P><P></P><P>Zubair</P></BODY></HTML> Tue, 14 Aug 2012 02:10:13 GMT https://community.cisco.com/t5/network-security/ips-module-integration-with-asa-and-basic-configuration-steps/m-p/1982334#M54795 zujalal 2012-08-14T02:10:13Z https://community.cisco.com/t5/network-security/ips-module-integration-with-asa-and-basic-configuration-steps/m-p/1982335#M54800 <HTML><HEAD></HEAD><BODY><P>thanks zubair.</P></BODY></HTML> Tue, 14 Aug 2012 11:33:24 GMT https://community.cisco.com/t5/network-security/ips-module-integration-with-asa-and-basic-configuration-steps/m-p/1982335#M54800 aslam.bajwa 2012-08-14T11:33:24Z