
ACL on ASA

anitachoi3
Level 1

Hi Expert,

There are two configurations to be implemented on an ASA with an IPS module. For config B, the traffic should go through the IPS, but for config A it does not. Is that correct?

=== Configuration A ===

object network host-192.168.0.94
 host 192.168.0.94
!
object network nw-192.168.16.0
 subnet 192.168.16.0 255.255.252.0
!
access-list outside_ACL_in extended permit ip object host-192.168.0.94 object nw-192.168.16.0
!

=== Configuration B ===

!
object network host-192.168.0.94
 host 192.168.0.94
!
object network nw-192.168.16.0
 subnet 192.168.16.0 255.255.252.0
!
object-group network DM_INLINE_host_192.168.0.94
 network-object object host-192.168.0.94
!
object-group network DM_INLINE_nw_192.168.16.0
 network-object object nw-192.168.16.0
!
access-list outside_ACL_in extended permit ip object-group DM_INLINE_host_192.168.0.94 object-group DM_INLINE_nw_192.168.16.0
!

Rgds,

Anita

2 Replies

marcabal
Cisco Employee

Neither of these configurations on their own will send packets to the IPS module for analysis.

The configuration must include a policy in which a class of traffic is directed to the IPS module for monitoring, using either the "ips inline ..." or "ips promiscuous ..." commands.

Here is a config example, written for an earlier ASA version, that demonstrates how to create the policy.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
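To make the distinction above concrete, here is an added configuration example (not from this thread or from the linked document) that reuses the asker's objects: the interface ACL only decides what is permitted, while a second ACL bound to a class-map inside the global service policy is what actually hands traffic to the IPS module. The ACL, class-map and interface names are assumed.

```cisco
! Added example; object names reused from the question, other names assumed.
!
! 1. Interface ACL: decides what is PERMITTED through the interface.
!    It never sends anything to the IPS on its own.
object network host-192.168.0.94
 host 192.168.0.94
object network nw-192.168.16.0
 subnet 192.168.16.0 255.255.252.0
access-list outside_ACL_in extended permit ip object host-192.168.0.94 object nw-192.168.16.0
access-group outside_ACL_in in interface outside
!
! 2. Separate ACL used only to SELECT traffic for IPS analysis.
!    Here only flows from that host into 192.168.16.0/22 are chosen;
!    "match any" in the class-map would select everything instead.
access-list IPS_TRAFFIC extended permit ip object host-192.168.0.94 object nw-192.168.16.0
!
! 3. Class-map ties the selection ACL to a traffic class.
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! 4. The "ips" action inside the policy-map is what redirects the class.
!    inline      - packets wait for the IPS verdict and can be dropped
!    promiscuous - the IPS only sees a copy and cannot block in line
!    fail-close  - if the module is down, matching traffic is dropped
!    fail-open   - if the module is down, traffic passes uninspected
policy-map global_policy
 class IPS_CLASS
  ips inline fail-close
!
! 5. Apply the policy on all interfaces.
service-policy global_policy global
!
! Verify that the class is actually being hit:
! show service-policy global
```

If the IPS module is unavailable, fail-close turns a monitoring gap into an outage for the selected traffic, so pick fail-open or fail-close deliberately per traffic class.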

Hi Marcabal,

Below please find the draft ASA config to be implemented on a 5540. According to the tech notes, all traffic should be inspected by the IPS. Please comment on the config and optimize it.

----- config of ASA 5540 -----

!
class-map global-class
 match any
!
policy-map global_policy
 class global-class
  ips promiscuous fail-open
!
service-policy global_policy global
!
! ASA extended ACLs use the keyword "extended", "eq <port>" for a port match,
! and subnet masks (255.x.x.x) rather than IOS-style wildcard masks.
access-list untrust_ACL_in extended permit tcp any host 192.168.1.8 eq 443
access-list untrust_ACL_in extended permit tcp any host 192.168.1.8 eq 80
!
access-list trust_ACL_in extended permit tcp 192.168.128.0 255.255.255.0 any eq https
access-list trust_ACL_in extended permit tcp 192.168.128.0 255.255.255.0 any eq smtp
access-list trust_ACL_in extended permit tcp 192.168.128.0 255.255.255.0 any eq pop3
access-list trust_ACL_in extended permit tcp 192.168.128.0 255.255.255.0 any eq http
!
access-list DMZ1_ACL_in extended permit tcp 172.16.1.0 255.255.255.248 any eq http
access-list DMZ1_ACL_in extended permit tcp 172.16.1.0 255.255.255.248 any eq https
access-list DMZ1_ACL_in extended permit tcp 172.16.1.0 255.255.255.248 eq http any
access-list DMZ1_ACL_in extended permit tcp 172.16.1.0 255.255.255.248 eq https any
access-list DMZ1_ACL_in extended permit tcp host 192.168.1.8 eq https any
access-list DMZ1_ACL_in extended permit tcp host 192.168.1.8 eq http any
!
! 0.0.32.255 is a non-contiguous wildcard and has no single ASA subnet-mask
! equivalent; the intended source range must be confirmed before this line is
! entered on the ASA.
access-list DMZ2_ACL_in extended permit ip 192.168.192.0 0.0.32.255 192.168.128.0 255.255.255.0
!

Rgds,

Anita
