AIP 10 module in ASA

Andy White
Level 3

Hello,

I've set up the AIP module in my ASA 5520 and all looks good. I now need to do the following, does this config look ok?

I want to inspect traffic on certain interfaces and exclude certain traffic. For example I don't want IPS to inspect our replication traffic that passes from the inside to our DMZ6 interface.

Anyway, should I enable the global policy or create individual policies per interface?

Global

class-map aw-ips
 match any
policy-map global_policy
 class aw-ips
  ips inline fail-open sensor vs0

Then I need to do the outside, DMZ6 and DMZ4 interfaces?

DMZ6

access-list traffic_for_ips deny ip 192.168.28.0 255.255.255.0 192.168.38.0 255.255.255.0
access-list traffic_for_ips permit ip any any
class-map DMZ6-ips-policy
 match access-list traffic_for_ips
policy-map DMZ6-policy
 class DMZ6-ips-policy
  ips inline fail-open sensor vs0
service-policy DMZ6-policy interface DMZ6

Outside

class-map Outside-ips-policy
 match any
policy-map Outside-policy
 class Outside-ips-policy
  ips inline fail-open sensor vs0
service-policy Outside-policy interface Outside

DMZ4

class-map DMZ4-ips-policy
 match any
policy-map DMZ4-policy
 class DMZ4-ips-policy
  ips inline fail-open sensor vs0
service-policy DMZ4-policy interface DMZ4

Do you think this will work? I hope the Outside, DMZ6 and DMZ4 interfaces will be inspected and traffic from 192.168.28.0/24 to 192.168.38.0/24 won't be inspected.

Thanks

3 Replies

lcambron
Level 3

Andy,

That should work, but you can also configure just one class and apply it globally:

access-list traffic_for_ips deny ip 192.168.28.0 255.255.255.0 192.168.38.0 255.255.255.0
access-list traffic_for_ips permit ip any any
class-map IPS
 match access-list traffic_for_ips
policy-map global_policy
 class IPS
  ips inline fail-open sensor vs0

Regards,

Felipe.

Hello,

Forgive me if I'm wrong, but I want to just exclude that traffic from the inside to the DMZ6 interface; if I use a global class, wouldn't this be applied to all interfaces?

I also want to be able to disable IPS on certain interfaces quickly should the load reach 100%.

Thanks

Andy,

That's the purpose of the ACL, to exclude traffic from inside to DMZ and match the rest:

deny ip 192.168.28.0 255.255.255.0 192.168.38.0 255.255.255.0

So, instead of excluding the interface, just exclude the traffic; it will be the same but easier to manage.

Regards,

Felipe
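As an added check (example code written for this page, not configuration or code from the thread or from Cisco): a small Python model of how a "match access-list" class under the ASA Modular Policy Framework decides which connections are handed to the IPS. It parses the ACL exactly as posted above, applies first-match semantics (a matching deny ACE exempts the connection from the class, and the implicit deny at the end exempts anything unmatched), and compares the two layouts discussed in the thread: three interface service policies versus one class on global_policy. The sample connections, the interface name DMZ2 and every address outside the two /24s quoted in the thread are constructed. The model assumes that a global service policy is evaluated on the connection's ingress interface, that an interface service policy applies to traffic entering or leaving that interface, and that only the connection's initial packet is classified.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample input: the ACL as posted in the thread.
ACL_LINES = [
    "access-list traffic_for_ips deny ip 192.168.28.0 255.255.255.0 192.168.38.0 255.255.255.0",
    "access-list traffic_for_ips permit ip any any",
]

# Constructed sample connections: (ingress interface, egress interface, source, destination).
# DMZ2 and all addresses outside 192.168.28.0/24 and 192.168.38.0/24 are made up for the example.
CONNECTIONS = {
    "replication":         ("inside",  "DMZ6", "192.168.28.10", "192.168.38.20"),
    "replication_reverse": ("DMZ6",    "inside", "192.168.38.20", "192.168.28.10"),
    "inbound_web":         ("Outside", "DMZ4", "203.0.113.5",   "192.168.48.7"),
    "inside_to_dmz4":      ("inside",  "DMZ4", "192.168.28.10", "192.168.48.7"),
    "inside_to_dmz2":      ("inside",  "DMZ2", "192.168.28.10", "192.168.58.3"),
}


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network   # 0.0.0.0/0 represents "any"
    dst: ipaddress.IPv4Network


def _parse_target(tokens, i):
    """Parse one address operand: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'.
    ASA extended ACLs use subnet masks, not wildcard masks. Returns (network, tokens used)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1]), 2
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1]), strict=False), 2


def parse_acl(lines):
    """Parse 'access-list NAME permit|deny ip SRC DST' lines, preserving order (first match wins)."""
    acl = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            raise ValueError(f"unsupported ACE (only 'ip' extended ACEs are modelled): {line}")
        src, used = _parse_target(t, 4)
        dst, _ = _parse_target(t, 4 + used)
        acl.append(Ace(t[2], src, dst))
    return acl


def in_class(acl, src_ip, dst_ip):
    """MPF 'match access-list' semantics: the connection belongs to the class only if the first
    ACE matching its initial packet is a permit. A matching deny, or the implicit deny, exempts it."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


def inspected_global(acl, conn):
    """Single class on global_policy: evaluated on the ingress interface of every connection,
    so the ACL alone decides whether the sensor sees it."""
    _ingress, _egress, src, dst = conn
    return in_class(acl, src, dst)


def inspected_per_interface(policies, conn):
    """One service policy per interface. policies maps interface name -> ACL, or None for a
    'match any' class; interfaces absent from the map carry no service policy. An interface
    policy is applied to traffic entering or leaving the interface (assumption), so both the
    ingress and the egress interface of the connection are checked."""
    ingress, egress, src, dst = conn
    for iface in (ingress, egress):
        if iface not in policies:
            continue
        acl = policies[iface]
        if acl is None or in_class(acl, src, dst):
            return True
    return False


def compare(acl_lines=ACL_LINES, connections=CONNECTIONS):
    """Return {name: (inspected under per-interface layout, inspected under global layout)}."""
    acl = parse_acl(acl_lines)
    per_iface = {"DMZ6": acl, "Outside": None, "DMZ4": None}   # the three interface policies
    return {name: (inspected_per_interface(per_iface, c), inspected_global(acl, c))
            for name, c in connections.items()}


if __name__ == "__main__":
    for name, (per_iface, glob) in compare().items():
        print(f"{name:22s} per-interface={per_iface!s:5s} global={glob}")
```

Running it shows that both layouts exempt connections initiated from 192.168.28.0/24 to 192.168.38.0/24, while a replication session initiated from the DMZ6 side is still sent to the sensor, because the single deny ACE only covers the one direction; add a second deny ACE if sessions are opened from both ends. The two layouts differ only for connections that neither enter nor leave one of the three policed interfaces (the constructed inside-to-DMZ2 case): the global layout inspects them, the per-interface layout does not, which is also what makes the per-interface layout the one where IPS can be taken off a single interface by removing its service-policy.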
