ASA with AIP-SSM: Stateful Inspection and IPS Inspection simultaneously

angeldustine
Level 1

Hello,

What is the best approach in the following case:

The ASA5510 with the AIP-SSM-10 is currently configured with a global policy to inspect traffic on all interfaces:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global

I want to forward all the traffic to the IPS module for inline inspection, but I can't do it for the default-inspection-traffic. I get this error:

ERROR: Only 'inspect' action is allowed for the class with 'match default-inspection-traffic'.

The best that I can do is this, and I don't like it:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class class-default
  ips inline fail-open
!
service-policy global_policy global

Is there a best practice for this scenario? How should I do this?

Thanks!

2 Replies

hogoqo
Level 1

Try this:

access-list traffic_for_ips extended permit ip any any
!
class-map ips_class_map
 match access-list traffic_for_ips
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect http
  inspect netbios
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect esmtp
 class ips_class_map
  ips inline fail-open

Hogoqo,

Thanks for the reply. Does this config mean that "default-inspection-traffic" will not be sent to the IPS module?

What I initially wanted was to send ALL traffic to the IPS module, and also use stateful inspection for the default-inspection-traffic.

Is this a bad practice (to send all traffic to the IPS module)?

The ASA is configured with 3 interfaces (inside, outside, dmz), with an e-mail server in the DMZ. In the future, there will also be e-commerce servers in the DMZ.

Should I send to the IPS module only traffic that has the destination as one of the DMZ servers?

I am new to IPS, and kind of confused.

Thanks!
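The following is an added worked configuration (not posted by either participant in this thread) that pulls together hogoqo's approach and the two follow-up questions: how to keep the default stateful inspections while still sending the same flows to the AIP-SSM, and how to narrow the IPS class to DMZ-bound traffic if the whole-traffic load turns out to be too much for the sensor. The reason hogoqo's layout works is the ASA Modular Policy Framework matching rule: a flow can match more than one class in a policy-map, and the ASA applies at most one action of each feature type, taking it from the first matching class that carries that action. So a DNS or FTP flow gets its "inspect" action from inspection_default and its "ips" action from the access-list class; the "only 'inspect' is allowed" error only forbids putting the ips action in the default-inspection class itself. The DMZ subnet 192.0.2.0/24, the ACL and class names, and the module slot number are placeholders chosen for this example, not values from the thread.

```cisco
! Added example: one global policy with stateful inspection AND inline IPS.
! Names, the DMZ subnet 192.0.2.0/24 and module slot 1 are assumptions.
!
! Option A: send all traffic through the sensor (simplest, highest module load).
access-list traffic_for_ips extended permit ip any any
!
! Option B: send only traffic to and from the DMZ servers (assumed subnet).
! Swap the "match access-list" line in ips_class below to use this ACL instead.
access-list traffic_for_ips_dmz extended permit ip any 192.0.2.0 255.255.255.0
access-list traffic_for_ips_dmz extended permit ip 192.0.2.0 255.255.255.0 any
!
class-map inspection_default
 match default-inspection-traffic
!
class-map ips_class
 match access-list traffic_for_ips
!
policy-map global_policy
 ! Supplies the "inspect" action for protocols in default-inspection-traffic.
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 ! Supplies the "ips" action for every flow the ACL matches, including the
 ! flows that already matched inspection_default above.
 class ips_class
  ips inline fail-open
!
service-policy global_policy global
!
! Verification: the ips_class counters should climb for DNS/FTP/SMTP flows
! as well as for everything else, and the module should report Up.
show service-policy global
show module 1 details
```

Two caveats a practitioner would want here. First, "fail-open" means that if the AIP-SSM is down, rebooting, or being upgraded, traffic matching ips_class is forwarded uninspected; "ips inline fail-close" drops it instead, which is the safer choice for a DMZ hosting mail and e-commerce servers if you can tolerate the outage during sensor maintenance. Second, sending "any any" through the module makes the sensor's throughput, not the ASA's, the ceiling for the whole firewall, so if latency or drops appear in "show module 1 details" or the sensor's own statistics, move to the DMZ-scoped ACL (Option B) rather than removing inspection from the default-inspection class.
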
