10-25-2006 04:44 AM - edited 03-10-2019 03:17 AM
Hello,
What is the best approach in the following case:
The ASA5510 with the AIP-SSM-10 is currently configured with a global policy to inspect traffic on all interfaces:
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
I want to forward all the traffic to the IPS module for inline inspection, but I can't do it for the default-inspection-traffic. I get this error:
ERROR: Only 'inspect' action is allowed for the class with 'match default-inspection-traffic'.
The best that I can do is this, and I don't like it:
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class class-default
  ips inline fail-open
!
service-policy global_policy global
Is there a best practice for this scenario? How should I do this?
Thanks!
10-25-2006 09:34 AM
Try this:
access-list traffic_for_ips extended permit ip any any
!
class-map ips_class_map
 match access-list traffic_for_ips
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect http
  inspect netbios
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect esmtp
 class ips_class_map
  ips inline fail-open
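An added worked example (editor's addition, not configuration posted by either participant) that carries the ACL-based IPS class from the reply above through to the thread's own scenario. Two points it illustrates: an ACL class for the `ips` action can coexist in the same policy map with the `default-inspection-traffic` class, because a flow may match one class per feature type (protocol inspection and IPS are separate feature types), so a flow matched by both classes gets both the `inspect` action and the `ips` action; and the ACL can be narrowed so that only the DMZ servers' traffic reaches the AIP-SSM. The DMZ subnet 192.0.2.0/24, the ACL and class names, and the shortened inspect list are assumptions for illustration only.

```cisco
! Added example; not from either poster. Assumes the inspection_default
! class-map from the first post already exists and the DMZ is 192.0.2.0/24.
!
! Variant A: every flow to the SSM. 'permit ip any any' matches all traffic,
! so it behaves like the poster's 'class class-default' but keeps the class
! explicit and easy to narrow later.
access-list ips_all extended permit ip any any
!
! Variant B: only DMZ server traffic to the SSM. Class matching is done on
! the first packet of a flow, so the second line is needed for connections
! the servers open themselves (e.g. outbound SMTP from the mail server).
access-list ips_dmz extended permit ip any 192.0.2.0 255.255.255.0
access-list ips_dmz extended permit ip 192.0.2.0 255.255.255.0 any
!
class-map ips_class
 match access-list ips_dmz
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect esmtp
 class ips_class
  ! fail-close drops matching traffic if the SSM is down or reloading;
  ! fail-open lets it through uninspected. Pick by what hurts more.
  ips inline fail-close
!
service-policy global_policy global
```

To switch between the two variants, change only the `match access-list` line in `ips_class`. After applying the policy, `show service-policy` lists the IPS class with its mode (inline, fail-open or fail-close) and packet counters, which is the quickest way to confirm that DMZ-bound flows are actually being diverted to the module.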
10-30-2006 01:02 AM
Hogoqo,
Thanks for the reply. Does this config mean that "default-inspection-traffic" will not be sent to the IPS module?
What I initially wanted was to send ALL traffic to the IPS module, and also use stateful inspection for the default-inspection-traffic.
Is this a bad practice (to send all traffic to the IPS module)?
The ASA is configured with 3 interfaces (inside, outside, dmz), with an e-mail server in the DMZ. In the future, there will also be e-commerce servers in the DMZ.
Should I send to the IPS module only traffic that has the destination as one of the DMZ servers?
I am new to IPS, and kind of confused.
Thanks!