<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: IPS ASA configuration in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ips-asa-configuration/m-p/964209#M80007</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;When you apply a service-policy for IPS inspection, either on a specific interface or globally, "ingress" traffic on the interface is sent to the module.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For example, if you apply the policy on the inside interface of the ASA, traffic coming into the ASA on the inside interface, destined for outside/dmz/etc, will be sent to the IPS module before applying NAT rules.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you apply the policy on the outside interface of the ASA, traffic coming into the ASA on the outside interface, destined for inside/dmz/etc, will be sent to the IPS module before applying un-NAT/NAT rules.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you apply the policy globally, all traffic coming into the ASA on its interfaces will be sent to the IPS module before applying NAT rules.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope this clears things up for you.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Vibhor.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 16 May 2008 22:32:52 GMT</pubDate>
    <dc:creator>vitripat</dc:creator>
    <dc:date>2008-05-16T22:32:52Z</dc:date>
    <item>
      <title>IPS ASA configuration</title>
      <link>https://community.cisco.com/t5/network-security/ips-asa-configuration/m-p/964208#M80005</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have a question regarding the order of operations for IPS on the ASA: while configuring the access list for interesting traffic, do I need to use real or NATed addresses? Precisely, NAT and then access list, or access list and then NAT?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 11:06:50 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ips-asa-configuration/m-p/964208#M80005</guid>
      <dc:creator>binelipetrov</dc:creator>
      <dc:date>2019-03-10T11:06:50Z</dc:date>
    </item>
    <item>
      <title>Re: IPS ASA configuration</title>
      <link>https://community.cisco.com/t5/network-security/ips-asa-configuration/m-p/964209#M80007</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;When you apply a service-policy for IPS inspection, either on a specific interface or globally, "ingress" traffic on the interface is sent to the module.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For example, if you apply the policy on the inside interface of the ASA, traffic coming into the ASA on the inside interface, destined for outside/dmz/etc, will be sent to the IPS module before applying NAT rules.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you apply the policy on the outside interface of the ASA, traffic coming into the ASA on the outside interface, destined for inside/dmz/etc, will be sent to the IPS module before applying un-NAT/NAT rules.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you apply the policy globally, all traffic coming into the ASA on its interfaces will be sent to the IPS module before applying NAT rules.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope this clears things up for you.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Vibhor.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 16 May 2008 22:32:52 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ips-asa-configuration/m-p/964209#M80007</guid>
      <dc:creator>vitripat</dc:creator>
      <dc:date>2008-05-16T22:32:52Z</dc:date>
    </item>
    <item>
      <title>Re: IPS ASA configuration</title>
      <link>https://community.cisco.com/t5/network-security/ips-asa-configuration/m-p/964210#M80008</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Keep the extended ACL close to the source and use the REAL IP address. NAT occurs within the ASA, so you are dealing with externals.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you have 6 or 14 external, public IP addresses from your ISP, you can NAT ... otherwise you are stuck with PAT.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For inbound to outside: use the actual, REAL, public IP addresses you have been assigned by your ISP to permit certain traffic inbound. This could be access-list 100 or a named extended access list, such as "inbound-outside".&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For inbound to the inside interface: use the internal private IP address scheme [192.168.x.x, 172.16.x.x-172.31.255, 10.0.0.0] with the appropriate subnet mask to permit traffic from inside to outside for your users. Most folks open the "permit ip any any" here, but I prefer limiting it to the specific internal, private addresses only. This might be access-list 102 or a named access-list such as "inbound_inside".&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Traffic which is not "permitted" will be implicitly denied.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 18 May 2008 19:31:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ips-asa-configuration/m-p/964210#M80008</guid>
      <dc:creator>samuellthomasjr</dc:creator>
      <dc:date>2008-05-18T19:31:59Z</dc:date>
    </item>
    <item>
      <title>Re: IPS ASA configuration</title>
      <link>https://community.cisco.com/t5/network-security/ips-asa-configuration/m-p/964211#M80009</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Great answer. Thanks&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 19 May 2008 11:10:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ips-asa-configuration/m-p/964211#M80009</guid>
      <dc:creator>binelipetrov</dc:creator>
      <dc:date>2008-05-19T11:10:00Z</dc:date>
    </item>
  </channel>
</rss>