10-21-2011 08:20 AM - edited 03-10-2019 05:31 AM
Hi Expert,
There are two configurations to be implemented on an ASA with an IPS module. For config B, the traffic should go through the IPS, but for config A it does not. Is that correct?
=== Configuration A ====
object network host-192.168.0.94
host 192.168.0.94
!
object network nw-192.168.16.0
subnet 192.168.16.0 255.255.252.0
!
access-list outside_ACL_in extended permit ip object host-192.168.0.94 object nw-192.168.16.0
!
===== Configuration B =======
!
object network host-192.168.0.94
host 192.168.0.94
!
object network nw-192.168.16.0
subnet 192.168.16.0 255.255.252.0
!
object-group network DM_INLINE_host_192.168.0.94
network-object object host-192.168.0.94
!
object-group network DM_INLINE_nw_192.168.16.0
network-object object nw-192.168.16.0
!
access-list outside_ACL_in extended permit ip object-group DM_INLINE_host_192.168.0.94 object-group DM_INLINE_nw_192.168.16.0
!
rgds
Anita
10-21-2011 11:17 AM
Neither of these configurations on their own will send packets to the IPS module for analysis.
The configuration must include a policy where a class of traffic is directed to the IPS module for monitoring using either the "ips inline ..." or "ips promiscuous ..." commands.
Here is a config example written for an earlier ASA version that will demonstrate how to create the policy.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
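A small audit script, added here and not taken from the thread or from Cisco, that makes the point above checkable: it walks the MPF hierarchy (class-map, policy-map, service-policy) and reports only the ips actions that are actually applied, so an ACL or object-group on its own shows up as "nothing sent to the module". The two sample configs inside it are constructed from fragments in this thread (with the ACL syntax corrected), not captures from a real device.

```python
import re
from typing import Dict, List

# Constructed samples (not captures from a real ASA): the draft that applies an
# ips action globally, and an ACL-only fragment like configurations A/B above.
DRAFT = """\
class-map global-class
 match any
policy-map global_policy
 class global-class
  ips promiscuous fail-open
service-policy global_policy global
access-list untrust_ACL_in extended permit tcp any host 192.168.1.8 eq 443
"""
ACL_ONLY = """\
object network host-192.168.0.94
 host 192.168.0.94
access-list outside_ACL_in extended permit ip object host-192.168.0.94 any
"""

def ips_audit(config: str) -> List[Dict[str, str]]:
    """Return one record per 'ips' action that is in effect (policy-map applied)."""
    class_match: Dict[str, str] = {}    # class-map name -> match criterion
    actions: List[Dict[str, str]] = []  # ips actions found under policy-maps
    applied: Dict[str, str] = {}        # policy-map name -> "global"/"interface X"
    policy = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"class-map (?!type\b)(\S+)", line):
            cls, policy = m.group(1), None          # entering a class-map block
        elif (m := re.match(r"match (.+)", line)) and cls and not policy:
            class_match[cls] = m.group(1)           # what traffic the class selects
        elif m := re.match(r"policy-map (\S+)", line):
            policy, cls = m.group(1), None          # entering a policy-map block
        elif (m := re.match(r"class (\S+)", line)) and policy:
            cls = m.group(1)                        # class referenced in the policy
        elif (m := re.match(r"ips (inline|promiscuous) (fail-open|fail-close)", line)) and policy and cls:
            actions.append({"policy": policy, "class": cls, "mode": m.group(1), "fail": m.group(2)})
        elif m := re.match(r"service-policy (\S+) (global|interface \S+)", line):
            applied[m.group(1)] = m.group(2)        # where the policy-map is applied
    # An ips action under a policy-map that is never applied does nothing.
    return [dict(a, scope=applied[a["policy"]], match=class_match.get(a["class"], "?"))
            for a in actions if a["policy"] in applied]

def traffic_reaches_ips(config: str) -> bool:
    """True only if some applied policy-map sends a class of traffic to the IPS module."""
    return bool(ips_audit(config))
```

Run ips_audit over a full running-config dump and an empty result means the module sees no traffic at all, regardless of how the access-lists are written.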
10-22-2011 01:43 AM
Hi Marcabal,
Below please find the draft config of the ASA to be implemented on the 5540. According to the tech notes, all traffic should be inspected by the IPS. Please comment on the config and optimize it.
----- config of ASA 5540 ----
!
class-map global-class
match any
!
policy-map global_policy
class global-class
ips promiscuous fail-open
!
service-policy global_policy global
!
access-list untrust_ACL_in extended permit tcp any host 192.168.1.8 eq 443
access-list untrust_ACL_in extended permit tcp any host 192.168.1.8 eq 80
!
access-list trust_ACL_in extended permit tcp 192.168.128.0 255.255.255.0 any eq https
access-list trust_ACL_in extended permit tcp 192.168.128.0 255.255.255.0 any eq smtp
access-list trust_ACL_in extended permit tcp 192.168.128.0 255.255.255.0 any eq pop3
access-list trust_ACL_in extended permit tcp 192.168.128.0 255.255.255.0 any eq http
!
access-list DMZ1_ACL_in extended permit tcp 172.16.1.0 255.255.255.248 any eq http
access-list DMZ1_ACL_in extended permit tcp 172.16.1.0 255.255.255.248 any eq https
access-list DMZ1_ACL_in extended permit tcp 172.16.1.0 255.255.255.248 eq http any
access-list DMZ1_ACL_in extended permit tcp 172.16.1.0 255.255.255.248 eq https any
access-list DMZ1_ACL_in extended permit tcp host 192.168.1.8 eq https any
access-list DMZ1_ACL_in extended permit tcp host 192.168.1.8 eq http any
!
access-list DMZ2_ACL_in extended permit ip 192.168.192.0 0.0.32.255 192.168.128.0 255.255.255.0
!
rgds
Anita