06-02-2010 10:09 AM - edited 03-11-2019 10:54 AM
I'm a green hand at deploying ASA AIP..
Could anyone let me know how to set the following requirements in ASA AIP?
Match "ACL1" then sig1 - drop
Match "ACL2" then sig1 - allow
These requirements seem to need 2 virtual sensors.. however, in ASA AIP, how do I do this?
I saw the only way to override an action is "high", "medium", "low", etc..
Is there any way to set the above requirements?
06-02-2010 03:51 PM
Hi szekahungdanny,
There are basically two options to achieve this:
1) You already mentioned it: create two virtual sensors, create two class maps and assign each class map a different sensor in the policy map. The virtual sensors would have different actions for the specific signature.
2) Have one class map with policy action "IPS", duplicate the signature and assign different attacker/victim filters in the signature definitions.
Hope that helps, rgds, MiKa
06-02-2010 07:48 PM
Yes. But my difficulty is how to add an interface to that virtual sensor..
I just see interface g0/1 only in IDM.
06-03-2010 03:38 AM
You would need to assign the traffic that you would like to direct towards the 2 different virtual sensors via the policy-map configuration on the ASA, not via the AIP module configuration itself. You would need to configure the virtual sensor first on the AIP module; then you can choose which virtual sensor to send the traffic to via the ASA config.
Here is the configuration guide for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i3.html#wp1877826
Hope that helps.
06-03-2010 04:52 AM
Hi szekahungdanny,
Sorry, I didn't understand what exactly was confusing you. You don't need to create a new interface pair on the AIP-SSM for a second virtual sensor; the packets destined for a specific sensor will be tagged on the internal interface of the ASA. The syntax for your service policy would be:
ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]
This allows traffic from different class-maps to be sent to different virtual sensors (the mapped name is only relevant for multiple context, if the virtual sensor is mapped to a context-specific name).
But are you sure you want to have two virtual sensors just because of a different action for a single signature? That's not the design goal. The drawback of two virtual sensors is that you will have two class maps and you must duplicate every action on both traffic classes (like inspect etc.) within your policy map.
Remember: a policy map is much like a switch/case/break construct of programming languages. Once a class matches, only the actions of that class are executed; subsequent classes are ignored:
Translated to "C" a policy map would be:
switch (traffic-class)
{
    case 'match-criteria-class-1':
    {
        policy-actions-for-class-1;
        ips inline fail-close sensor vs0;
        inspect something;
        QoS settings;
        break;
    }
    case 'match-criteria-class-2':
    {
        policy-actions-for-class-2;
        ips inline fail-close sensor vs1;
        inspect something;
        QoS settings;
        break;
    }
}
Hope that helps in understanding the issue. Rather, duplicate the signature in your existing sensor and edit the traffic filters within the signature.
Best regards,
MiK
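As an added illustration of the service-policy syntax quoted above (this is example configuration I wrote for this page, not configuration posted by anyone in the thread), here is an ASA 8.2-style MPF configuration that classifies by two access lists and hands each class to its own virtual sensor. The access-list addresses, the class-map names and the sensor names vs0/vs1 are placeholders; adapt them to your network and to the sensors you actually created on the module.

```cisco
! Two traffic selectors; the subnets are placeholders for the OP's "ACL1" and "ACL2"
access-list ACL1 extended permit ip 10.1.1.0 255.255.255.0 any
access-list ACL2 extended permit ip 10.1.2.0 255.255.255.0 any
!
! One class map per traffic set
class-map IPS-DROP-CLASS
 match access-list ACL1
class-map IPS-LOG-CLASS
 match access-list ACL2
!
! Each class is sent to a different virtual sensor on the AIP-SSM.
! vs0 carries the default (dropping) signature set, vs1 the log-only set.
policy-map global_policy
 class IPS-DROP-CLASS
  ips inline fail-close sensor vs0
 class IPS-LOG-CLASS
  ips inline fail-close sensor vs1
!
service-policy global_policy global
```

Two practitioner notes: for the ips action the first matching class wins, so put the more specific access list first; and fail-close means traffic in that class is dropped while the module is down or reloading, whereas fail-open passes it uninspected. Pick the failure mode deliberately for each class rather than copying it. `show service-policy` on the ASA shows which class each flow hit and the sensor it was sent to.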
06-03-2010 09:09 AM
Many thanks to all...
I know about using class-maps to send to vs0, vs1...
But what I can't understand is... when I create vs1, there is no interface that could be selected.
In the default "vs0", there is 1 interface, GigabitEthernet0/1.0 (backplane)... how come there is no interface in vs1?
Now I dump 2 pics to explain what I mean by my difficulty.
06-03-2010 04:26 PM
Hi,
szekahungdanny wrote:
Many thanks to all...
I know about using class-maps to send to vs0, vs1...
But what I can't understand is... when I create vs1, there is no interface that could be selected.
In the default "vs0", there is 1 interface, GigabitEthernet0/1.0 (backplane)... how come there is no interface in vs1?
Now I dump 2 pics to explain what I mean by my difficulty.
that should be perfectly OK, see:
http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_ssm.html#wpxref91337
AIP-SSM has one interface, GigabitEthernet0/1. When you create multiple virtual sensors, you must assign this interface to only one virtual sensor. For the other virtual sensors you do not need to designate an interface.
and further:
Follow this sequence to create virtual sensors on AIP-SSM (and to assign them to adaptive security device contexts):
1. Configure up to four virtual sensors on AIP-SSM.
2. Assign the AIP-SSM interface, GigabitEthernet0/1, to one of the virtual sensors.
3. Assign virtual sensors to different contexts on the adaptive security device.
4. Use MPF to direct traffic to the targeted virtual sensor.
I hope that helps with how to handle multiple virtual sensors on the AIP-SSM.
Still the question is why you would go through that trouble if you can duplicate the signature and change the action depending on the source/destination address configured in the signature details?
Keep it as simple as possible...
Rgds, MiKa
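The four-step sequence quoted above, shown on the AIP-SSM CLI as an added example (my transcript, not one from the thread or from the Cisco guide). It creates a second signature definition for the log-only policy, creates vs1 bound to it, and leaves GigabitEthernet0/1 on vs0 only, which is exactly why IDM offers no interface for vs1. Names (sig-logonly, vs1, the description) are placeholders; the prompts follow the IPS 6.x CLI, so verify mode names against the guide for your release. Lines beginning with "!" are annotations, not commands.

```cisco
sensor# configure terminal
! Step 1a: a separate signature definition that vs1 will use.
! Set the per-signature actions to log-only in this definition (IDM or CLI).
sensor(config)# service signature-definition sig-logonly
sensor(config-sig)# exit
Apply Changes?[yes]: yes
!
! Step 1b/2: create vs1 and bind it to the new signature definition.
! Do NOT add a physical-interface line here: GigabitEthernet0/1 stays on vs0.
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs1
sensor(config-ana-vir)# description log-only sensor for ACL2 traffic
sensor(config-ana-vir)# signature-definition sig-logonly
sensor(config-ana-vir)# event-action-rules rules0
sensor(config-ana-vir)# exit
!
! vs0 keeps the backplane interface (already present in the default config):
! sensor(config-ana-vir)# physical-interface GigabitEthernet0/1
sensor(config-ana)# exit
Apply Changes?[yes]: yes
sensor(config)# exit
!
! Step 3 (multiple-context ASA only): allocate-ips vs1 in the context's system config.
! Step 4: on the ASA, point the class for ACL2 at vs1 with
!   ips inline fail-close sensor vs1
```

The check that catches the common mistake: if you assign GigabitEthernet0/1 to vs1 as well, the module refuses the change, because the interface can belong to only one virtual sensor. Traffic reaches vs1 solely because the ASA tags it for that sensor on the backplane.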
06-03-2010 09:12 AM
I need 2 set of signature actions, not only a signature of action.
Set A is using default signature
Set B is using a custom signature which has no deny/drop actions, only log actions
06-03-2010 04:31 PM
If you duplicate a signature you can define independent actions (log only, no drop or reset) for the duplicate; that's the easiest solution. You don't necessarily need two virtual sensors for this simple task. Just create a second signature with the same definitions except for the traffic filter (source and destination IP) and different actions.
PS: I just thought of a third possibility: adjust the threat rating and use event action filters. You can subtract the actions drop and reset for events which are rated "low" as defined by the event action rule. See (scroll down for SDM usage):
http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a00808518b2.shtml
Message was edited by: m.kafka, added event action filters
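The event-action-filter option mentioned in the PS, as an added CLI example (mine, not from the thread or the linked tech note). Instead of duplicating the signature, one filter in the sensor's event action rules strips the deny and reset actions from events whose attacker address falls in the ACL2 subnet, so those hits are only logged while the same signature still drops everywhere else. The signature ID (2004) and the subnet are placeholders; the filter keywords follow the IPS 6.x event-action-rules CLI, so confirm them against the guide for your release.

```cisco
sensor# configure terminal
sensor(config)# service event-action-rules rules0
! Insert the filter at the top so it is evaluated before any existing filters.
sensor(config-rul)# filters insert log-only-acl2-subnet begin
! Scope: the signature(s) the OP wants to allow for ACL2 traffic (placeholder ID).
sensor(config-rul-fil)# signature-id-range 2004
! Scope: only events whose attacker is in the ACL2 subnet (placeholder range).
sensor(config-rul-fil)# attacker-address-range 10.1.2.0-10.1.2.255
! Remove every blocking action; alert/log actions stay in place.
sensor(config-rul-fil)# actions-to-remove deny-packet-inline|deny-connection-inline|deny-attacker-inline|reset-tcp-connection
sensor(config-rul-fil)# filter-item-status Enabled
! Keep evaluating later filters for this event (False), or stop here (True).
sensor(config-rul-fil)# stop-on-match False
sensor(config-rul-fil)# exit
sensor(config-rul)# exit
Apply Changes?[yes]: yes
```

Two caveats a practitioner would want: a filter keyed on attacker-address-range only does what you expect if the ASA is not translating the source before the traffic reaches the module, so check which address the sensor actually sees; and because filters remove actions rather than add them, a signature whose default actions are already log-only is unaffected, which makes this approach safe to layer on top of the default signature set.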
06-04-2010 04:26 AM
You do not need to assign the backplane interface to the new virtual sensor that you have just created. You just have to assign the interface to the default virtual sensor. By default it will send the traffic from the ASA through the backplane interface towards the AIP module. On the ASA, you can define which virtual sensor to send the traffic to.
Hope that clears the confusion.