topic Re: Multiple Class maps for AIP in Network Security

Multiple Class maps for AIP

Martin Smid — Sun, 10 Mar 2019 12:20:21 GMT

Hello folks,

Similar question was asked on the forum here, but I just wanted to make sure there is no exception or this specific configuration. Basically we have AIP modules in our ASAs and we want to pass the traffic to them for investigation. We already have class-maps for inspection (the standard ASA inspection not IPS). And if I understand it correctly then the traffic will get matched only by a single class-map and handled accordingly.

Here is the config for better understanding

Current Config

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

Additional Config

access-list USERS-IPS-ACL extended permit ip host x.x.x.x any

access-list USERS-IPS-ACL extended permit ip any host x.x.x.x

class-map USERS-IPS-CLASS

match access-list USERS-IPS-ACL

policy-map IPS-POLICY

class USERS-IPS-CLASS

ips inline fail-close sensor USERS-SENSOR

So for example let's say a user establishes FTP connection to a server. Based on the global inspection policy (nothing to do with IPS), the traffic will get inspected and not forwarded to AIP module. Can someone confirm this or shed some light on it please?

Thank you very much,

Martin

Re: Multiple Class maps for AIP

padatta — Wed, 27 Apr 2011 09:56:28 GMT

Hi Martin,

Since the actions are different on the two class maps, it will be sent to IPS.

If the action on second class map had been 'inspect ftp', then only the first 'inspect ftp' would have had any effect. But here, the actions are different. One is inspect and other is sending traffic to AIP module.

HTH

Paps

Re: Multiple Class maps for AIP

Martin Smid — Wed, 27 Apr 2011 10:32:39 GMT

So if I understand your post correctly, the traffic will fall into the first class map and then inspected as dictated by the policy AND it will also be matched by the second class map and sent to the AIP module as set by the second policy (basically the traffic will be treated by two class maps and policies). The reason I am asking is that if you think about QoS, the traffic is classified by a single class map.

Thank you,

Martin

Re: Multiple Class maps for AIP

padatta — Wed, 27 Apr 2011 11:07:03 GMT

Yes, if two class maps in a policy-map match the same traffic, both will take effect only if actions are different. E.g. One action is 'inspect' and other is 'police'.

Thank you,

Paps

Re: Multiple Class maps for AIP

Martin Smid — Wed, 27 Apr 2011 11:44:25 GMT

And I assume the same logic applies even though the class maps are in two different policy maps (see example in the first post).

Sorry for being so annoying

Re: Multiple Class maps for AIP

padatta — Wed, 27 Apr 2011 11:52:49 GMT

Well, this concept could be very confusing at times.

Yes, same goes for class maps matching same traffic in more than one policy-map/service-policy.

Paps

Re: Multiple Class maps for AIP

Christopher Dreier — Wed, 27 Apr 2011 16:46:00 GMT

Hello Martin,

If you would like to verify the MPF that will be applied to any flow by your configuration, you can execute the show service-policy flow command from the ASA CLI.

For your example, assuming your IPS-POLICY policy-map is assigned to the inside interface, the output of a show service-policy flow will look similar to the output below.

Command:

show service-policy flow host [eq ] host [eq ]

ASA# show service-policy flow tcp host 10.1.1.5 eq 2500 host 4.2.2.2 eq 80
Global policy:
   Service-policy: global_policy
     Class-map: inspection_default
       Match: default-inspection-traffic
       Action:
         Input flow: inspect http
     Class-map: class-default
       Match: any
       Action:
         Output flow:
Interface inside:
   Service-policy: IPS-POLICY
     Class-map: USERS-IPS-CLASS
       Match: access-list USERS-IPS-ACL
         Access rule: permit ip any any
       Action:
         Input flow: ips inline fail-close
     Class-map: class-default
       Match: any
       Action:

I hope it's helpful - We recorded a recent podcast episode on our favorite ASA and IPS commands and show service-policy flow was one of them:

https://supportforums.cisco.com/docs/DOC-16112

Thank you,

Blayne Dreier

Cisco TAC Escalation Team

**Please check out our Podcasts**

TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

TAC IPS Media Series: https://supportforums.cisco.com/docs/DOC-12758

Re: Multiple Class maps for AIP

Martin Smid — Wed, 27 Apr 2011 16:58:09 GMT

Blayne,

I got to hand it to you. Great information right there. Thank you very much.

Thank you guys both for your help!