Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1169
Views
0
Helpful
3
Replies

ASA-SSC-AIP-5

Mark^
Level 1
Level 1

‎02-01-2011 06:42 AM - edited ‎03-10-2019 05:15 AM

Using an ASA5505 with SSC-AIP-5 and IPS Version 6.2(2)E4.

I have read through docs and how-to's and I have had help from TAC in setting up my AIP-5, but I still have a few things to sort out and am hoping someone here wouldn’t mind shedding some light or tossing some advice my way.

First things first - I can't ping out anymore.  While this isn't the end of the world, it is a bit annoying.  Secondly, what interfaces should be inspected inline?

I have the following interfaces:

Outside

Inside

WiFi

AIP-5 management Interface


What is best practice here?  Add them all?  Just outside?  Outside and Wifi?

I know there are benefits of having an IDS on the outside of the firewall and an IDS on the inside of the firewall if one wants to compare what gets through, etc, however with this product, I am looking for suggestions, best practices, or just what do you do?

Thanks.

Mark
Labels:
0 Helpful
3 Replies 3

Mark^
Level 1
Level 1

‎02-01-2011 07:30 AM

Actually, I put the IPS in bypass mode and the pings are still being blocked.  I must have changed something else when installing the IPS.  I can see the 302020 and 302021 messages in syslog, but I do not see where it is being denied or dropped.

Mark
0 Helpful

Mark^
Level 1
Level 1
In response to Mark^

‎02-01-2011 07:42 AM

Ok, so if I edit the outside-class service policy and check the box for ICMP, it allows ping through.  However, when doing this, I lose web access (I assume until I check the box for inspect HTTP).  There are NO boxes checked for Protocol Inspection in ASDM for the outside policy that was added when the IPS was setup.

I just added ICMP to the default inspection policy and ping is working fine now.

So, after reading through these few posts, does any of this suggest a possible misconfiguration anywhere?

Thanks.

Mark
0 Helpful

Christopher Dreier
Level 3
Level 3
In response to Mark^

‎02-07-2011 11:31 AM

Hello markpiontek,

Why does my IPS block ICMP/HTTP?

While the sensor does have the ability to block ICMP, it would need to be explicitly configured to do so. I'll assume you have not done this, which only leaves the firewall as the culprit that could potentially be blocking ICMP. The firewall requires ICMP inspection to match the ICMP ID in the reply to the one found in the request. This is why adding ICMP inspection causes the pings to succeed. You mention that you lose HTTP access after editing the outside-class to allow ICMP. Without seeing the pre and post config, I cannot tell you exactly what is causing you to lose HTTP access, but we can assume that editing the outside-class has adversely affected the flow of other protocols due to some aspect of the configuration.

What interfaces should I inspect with IPS?

This depends on what traffic you want to inspect. If the policy-map that contains your IPS inspection class is applied globally via the service-policy command, ingress traffic on all interfaces is inspected. If the policy-map is applied to a particular interface, both ingress and egress traffic is inspected on that one interface. The idea of placing the IPS on the outside of the firewall to see what threats are being directed toward your network is only true for appliances. IPS modules only see traffic that is allowed to ingress the host device. Firewall ACLs and protocol inspection can and will drop some traffic prior to the IPS being able to inspect it. If you consider a particular inbound flow, traffic will ingress the outside interface and egress the inside, DMZ, wireless, etc interfaces. So you have the ability to place the IPS behind your outside interface or in front of your other interfaces. The reverse logic is true for outbound flows.

How do I determine what my IPS is dropping/denying?

Via SDEE events. The sensor uses SDEE events to show what signatures have fired. SDEE events are viewable through any SDEE capable event collector (IPS Manager Express, CS-MARS, Cisco Security Manager, etc), from the IPS command line (show events alert), and from IPS Device Manager (the web GUI for each individual IPS: https://).

Please let me know if I can help you with anything further within the context of this thread. If your question has been Answered, please mark the thread as such so that it will be helpful to other users. Also, please feel free to Rate this thread to reflect your experience.

Thank you,
Blayne Dreier
Cisco TAC Escalation Team

**Please check out our Podcasts**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast
TAC IPS Media Series: https://supportforums.cisco.com/docs/DOC-12758

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card