https://community.cisco.com/t5/network-security/acl-on-asa/m-p/1776616#M55996 <HTML><HEAD></HEAD><BODY><P>Hi Marcabal,</P><P></P><P>Below please find the draft config of ASA to be implemented on 5540. According to the tech notes, all traffic should be inspected by IPS. Please comment on the config and optimal it.</P><P></P><P>----- config of ASA 5540 ----</P><P>!</P><P>class-map global-class</P><P> match any</P><P>!</P><P>policy-map global_policy</P><P> class global-class</P><P>&nbsp; ips promiscuous fail-open</P><P>!</P><P>service-policy global_policy global</P><P>!</P><P>access-list untrust_ACL_in extend permit tcp any host 192.168.1.8 443</P><P>access-list untrust_ACL_in extend permit tcp any host 192.168.1.8 80</P><P>!</P><P>access-list trust_ACL_in extend permit tcp 192.168.128.0 0.0.0.255 any https</P><P>access-list trust_ACL_in extend permit tcp 192.168.128.0 0.0.0.255 any smtp</P><P>access-list trust_ACL_in extend permit tcp 192.168.128.0 0.0.0.255 any pop3</P><P>access-list trust_ACL_in extend permit tcp 192.168.128.0 0.0.0.255 any http</P><P>!</P><P>access-list DMZ1_ACL_in extend permit tcp 172.16.1.0 0.0.0.7 any http</P><P>access-list DMZ1_ACL_in extend permit tcp 172.16.1.0 0.0.0.7 any https</P><P>access-list DMZ1_ACL_in extend permit tcp 172.16.1.0 0.0.0.7 http any</P><P>access-list DMZ1_ACL_in extend permit tcp 172.16.1.0 0.0.0.7 https any</P><P>access-list DMZ1_ACL_in extend permit tcp host 192.168.1.8 https any</P><P>access-list DMZ1_ACL_in extend permit tcp host 192.168.1.8 http any</P><P>!</P><P>access-list DMZ2_ACL_in extend permit ip 192.168.192.0 0.0.32.255 192.168.128.0 0.0.0.255</P><P>! </P><P>rdgs</P><P></P><P>Anita </P></BODY></HTML> Sat, 22 Oct 2011 08:43:28 GMT anitachoi3 2011-10-22T08:43:28Z https://community.cisco.com/t5/network-security/acl-on-asa/m-p/1776614#M55994 <P>Hi Expert,</P><P></P><P>There are two configurations to be implemented on ASA with IPS module. For config B, the traffic should go through IPS, but config A does not. Is it correct? </P><P></P><P>=== Configuration A ====</P><P>object network host-192.168.0.94 </P><P> host 192.168.0.94</P><P>!</P><P>object network nw-192.168.16.0 </P><P> subnet 192.168.16.0 255.255.252.0</P><P>!</P><P>access-list outside_ACL_in extended permit ip object host-192.168.0.94 object nw-192.168.16.0</P><P>!</P><P>===== Configuration B =======</P><P>!</P><P>object network host-192.168.0.94 </P><P> host 192.168.0.94</P><P>!</P><P>object network nw-192.168.16.0 </P><P> subnet 192.168.16.0 255.255.252.0</P><P>!</P><P>object-group network DM_INLINE_host_192.168.0.94</P><P>network-object object host-192.168.0.94 </P><P>!</P><P>object-group network DM_INLINE_nw_192.168.16.0</P><P>network-object object nw-192.168.16.0 </P><P>!</P><P>access-list outside_ACL_in extended permit ip object-group DM_INLINE_host_192.168.0.94 object-group DM_INLINE_nw_192.168.16.0</P><P>!</P><P></P><P>rdgs</P><P></P><P>Anita</P> Sun, 10 Mar 2019 12:31:29 GMT https://community.cisco.com/t5/network-security/acl-on-asa/m-p/1776614#M55994 anitachoi3 2019-03-10T12:31:29Z https://community.cisco.com/t5/network-security/acl-on-asa/m-p/1776615#M55995 <HTML><HEAD></HEAD><BODY><P>Neither of these configurations on their own will send packets to the IPS module for analysis.</P><P></P><P>The configuration must include a policy where a class of traffic is directed for to the IPS module for monitoring using either the "ips inline ..."&nbsp; or "ips promiscous ..."&nbsp; commands.</P><P></P><P>Here is a config example written for an earlier ASA version, that will demonstrate how to create the policy.</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml</A></P></BODY></HTML> Fri, 21 Oct 2011 18:17:06 GMT https://community.cisco.com/t5/network-security/acl-on-asa/m-p/1776615#M55995 marcabal 2011-10-21T18:17:06Z https://community.cisco.com/t5/network-security/acl-on-asa/m-p/1776616#M55996 <HTML><HEAD></HEAD><BODY><P>Hi Marcabal,</P><P></P><P>Below please find the draft config of ASA to be implemented on 5540. According to the tech notes, all traffic should be inspected by IPS. Please comment on the config and optimal it.</P><P></P><P>----- config of ASA 5540 ----</P><P>!</P><P>class-map global-class</P><P> match any</P><P>!</P><P>policy-map global_policy</P><P> class global-class</P><P>&nbsp; ips promiscuous fail-open</P><P>!</P><P>service-policy global_policy global</P><P>!</P><P>access-list untrust_ACL_in extend permit tcp any host 192.168.1.8 443</P><P>access-list untrust_ACL_in extend permit tcp any host 192.168.1.8 80</P><P>!</P><P>access-list trust_ACL_in extend permit tcp 192.168.128.0 0.0.0.255 any https</P><P>access-list trust_ACL_in extend permit tcp 192.168.128.0 0.0.0.255 any smtp</P><P>access-list trust_ACL_in extend permit tcp 192.168.128.0 0.0.0.255 any pop3</P><P>access-list trust_ACL_in extend permit tcp 192.168.128.0 0.0.0.255 any http</P><P>!</P><P>access-list DMZ1_ACL_in extend permit tcp 172.16.1.0 0.0.0.7 any http</P><P>access-list DMZ1_ACL_in extend permit tcp 172.16.1.0 0.0.0.7 any https</P><P>access-list DMZ1_ACL_in extend permit tcp 172.16.1.0 0.0.0.7 http any</P><P>access-list DMZ1_ACL_in extend permit tcp 172.16.1.0 0.0.0.7 https any</P><P>access-list DMZ1_ACL_in extend permit tcp host 192.168.1.8 https any</P><P>access-list DMZ1_ACL_in extend permit tcp host 192.168.1.8 http any</P><P>!</P><P>access-list DMZ2_ACL_in extend permit ip 192.168.192.0 0.0.32.255 192.168.128.0 0.0.0.255</P><P>! </P><P>rdgs</P><P></P><P>Anita </P></BODY></HTML> Sat, 22 Oct 2011 08:43:28 GMT https://community.cisco.com/t5/network-security/acl-on-asa/m-p/1776616#M55996 anitachoi3 2011-10-22T08:43:28Z