11-19-2012 06:17 AM - edited 03-10-2019 05:49 AM
Hello,
I've set up the AIP module in my ASA 5520 and all looks good. I now need to do the following; does this config look ok?
I want to inspect traffic on certain interfaces and exclude certain traffic. For example, I don't want IPS to inspect our replication traffic that passes from the inside to our DMZ6 interface.
Anyway, should I enable the global policy or create individual policies per interface?
Global:
policy-map global_policy
 class aw-ips
  match any
  ips inline fail-open sensor vs0
Then I need to do the outside, DMZ6 and DMZ4 interfaces?
DMZ6:
access-list traffic_for_ips deny ip 192.168.28.0 255.255.255.0 192.168.38.0 255.255.255.0
access-list traffic_for_ips permit ip any any
class-map DMZ6-ips-policy
 match access-list traffic_for_ips
policy-map interface_policy
 class DMZ6-ips-policy
  ips inline fail-open sensor vs0
service-policy interface_policy interface DMZ6
Outside:
class-map Outside-ips-policy
 match any
policy-map interface_policy
 class Outside-ips-policy
  ips inline fail-open sensor vs0
service-policy interface_policy interface Outside
DMZ4:
class-map DMZ4-ips-policy
 match any
policy-map interface_policy
 class DMZ4-ips-policy
  ips inline fail-open sensor vs0
service-policy interface_policy interface DMZ4
Do you think this will work? I hope the Outside, DMZ6 and DMZ4 interfaces will be inspected and traffic from 192.168.28.0/24 to 192.168.38.0/24 won't be inspected.
Thanks
11-20-2012 06:25 PM
Andy,
That should work, but you can also configure just one class and apply it globally:
access-list traffic_for_ips deny ip 192.168.28.0 255.255.255.0 192.168.38.0 255.255.255.0
access-list traffic_for_ips permit ip any any
class-map IPS
 match access-list traffic_for_ips
policy-map global_policy
 class IPS
  ips inline fail-open sensor vs0
Regards,
Felipe.
11-20-2012 11:40 PM
Hello,
Forgive me if I'm wrong, but I want to just exclude that traffic from the inside to the DMZ6 interface; if I use a global class, wouldn't this be applied to all interfaces?
I also want to be able to disable IPS on certain interfaces quickly should the load reach 100%.
Thanks
11-21-2012 08:10 AM
Andy,
That's the purpose of the ACL: to exclude traffic from inside to DMZ and match the rest:
 deny ip 192.168.28.0 255.255.255.0 192.168.38.0 255.255.255.0
So, instead of excluding the interface, just exclude the traffic. It will be the same, but easier to manage.
Regards,
Felipe
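The two replies above hinge on how an ACL behaves when it is used as a class-map match criterion: the ASA walks the ACL top-down, the first matching entry decides, a "permit" entry selects the flow for the class (and therefore for the IPS action), and a "deny" entry exempts it. The following Python script is an added example, not part of this thread or Cisco's code; it models that first-match semantics for the traffic_for_ips ACL posted above so you can check which flows would actually reach the sensor. It assumes the ACL is evaluated on the flow's source and destination only (no port matching) and that the direction shown in the ACL is the direction of the flow being classified; ASA-specific behaviour beyond that (such as stateful handling of return traffic) is not modelled.

```python
import ipaddress
from dataclasses import dataclass

# The ACL exactly as posted in the thread (constructed copy for this example).
ACL_TEXT = """
access-list traffic_for_ips deny ip 192.168.28.0 255.255.255.0 192.168.38.0 255.255.255.0
access-list traffic_for_ips permit ip any any
"""

# Same two entries in the opposite order, to show that ACE ordering matters.
ACL_REVERSED = """
access-list traffic_for_ips permit ip any any
access-list traffic_for_ips deny ip 192.168.28.0 255.255.255.0 192.168.38.0 255.255.255.0
"""


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse one ASA address spec ('any', 'host A.B.C.D', or 'net mask').
    Returns the network and the index of the next unread token."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA uses dotted netmasks; ipaddress accepts "net/mask" notation directly.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text, name):
    """Collect the ACEs of the named access-list, preserving their order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[1] != name:
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(action, proto, src, dst))
    return aces


def class_matches(aces, src_ip, dst_ip, proto="ip"):
    """True if a class-map doing 'match access-list' would select this flow.
    First matching ACE wins: permit -> selected (sent to IPS), deny -> exempt.
    A flow that matches no ACE is not selected either."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


def inspected_flows(acl_text, flows, name="traffic_for_ips"):
    """Map each (src, dst) flow to whether it would be handed to the sensor."""
    aces = parse_acl(acl_text, name)
    return {flow: class_matches(aces, *flow) for flow in flows}


if __name__ == "__main__":
    # Constructed sample flows: replication inside->DMZ6, its reverse, and a client to the Internet.
    sample = [("192.168.28.10", "192.168.38.20"),
              ("192.168.38.20", "192.168.28.10"),
              ("192.168.28.10", "203.0.113.5")]
    for flow, inspected in inspected_flows(ACL_TEXT, sample).items():
        print(f"{flow[0]:>15} -> {flow[1]:<15} IPS: {'yes' if inspected else 'exempt'}")
    print("--- with the ACEs reversed ---")
    for flow, inspected in inspected_flows(ACL_REVERSED, sample).items():
        print(f"{flow[0]:>15} -> {flow[1]:<15} IPS: {'yes' if inspected else 'exempt'}")
```

Running it shows the point Felipe makes: with the ACL as posted, only the 192.168.28.0/24 to 192.168.38.0/24 direction is exempt and everything else is inspected, regardless of which interface the policy is attached to. It also shows two things worth checking before deploying: the reverse direction (192.168.38.0/24 to 192.168.28.0/24) is not covered by the single deny entry, and putting the "permit ip any any" entry first would silently make the deny entry unreachable, so the replication traffic would be inspected after all.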