Cisco ASA IPS With Application Inspection

goulin
Level 1

Hi All,

I am not sure if this is the best place to log this request, as it is both an ASA and IPS best practice question.

Anyhow, I was wondering what the best approach was to integrate a Cisco IPS AIM module into an existing Cisco ASA configuration that is using the default application inspection globally, i.e.:

---------------------------
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  etc etc
service-policy global_policy global
---------------------------

I was wanting to inspect any traffic that was permitted inbound from our Internet interface into our environment, so I was looking at doing something like:

---------------------------
class-map ips
 match access-list from-internet
!
policy-map ips
 class ips
  ips inline fail-close
!
service-policy global_policy global
service-policy ips interface outside
---------------------------

Would this configuration allow application inspection for traffic going from inside to outside, yet redirect traffic from outside to inside to the IPS?

Thanks
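As an added illustration of how the two service policies combine (example code written for this page, not the poster's configuration and not Cisco code), the Python script below parses class-map, policy-map and service-policy lines in the form quoted above and resolves which actions apply to a flow entering a given interface. The body of the from-internet ACL, the host 192.0.2.10, the interface name "inside" and the DEFAULT_INSPECTION protocol/port table are assumptions; the global_policy inspect lines are the two shown in the question.

```python
"""Which ASA MPF actions hit a flow entering a given interface? Constructed
example for the configuration quoted above (not ASA code): a small parser for
class-map / policy-map / service-policy lines plus a resolver. Assumed, since
the post does not show them: the from-internet ACL body, host 192.0.2.10,
the interface name "inside", and the DEFAULT_INSPECTION table."""
import re
from dataclasses import dataclass

# Protocol/port each inspection engine engages on (ASA defaults, subset).
DEFAULT_INSPECTION = {"dns": ("udp", 53), "ftp": ("tcp", 21), "icmp": ("icmp", None)}

CONFIG = """
access-list from-internet extended permit icmp any any echo
access-list from-internet extended permit tcp any host 192.0.2.10 eq 443
class-map inspection_default
 match default-inspection-traffic
class-map ips
 match access-list from-internet
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
policy-map ips
 class ips
  ips inline fail-close
service-policy global_policy global
service-policy ips interface outside
"""
ACE_RE = re.compile(r"access-list (\S+) extended permit (\S+) "
                    r"(any|host \S+) (any|host \S+)(?: eq (\d+)| (\S+))?$")

@dataclass
class Flow:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: "int | None" = None      # L4 destination port
    icmp_type: "str | None" = None  # e.g. "echo"

def parse_mpf(text: str) -> dict:
    cfg = {"acls": {}, "class_maps": {}, "policy_maps": {}, "global": [], "interface": {}}
    section = None                                   # (kind, name, current class)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw.startswith(" "):                      # inside a class-map / policy-map
            if section[0] == "class-map":
                cfg["class_maps"][section[1]] = line
            elif line.startswith("class "):
                section = ("policy-map", section[1], line.split()[1])
                cfg["policy_maps"][section[1]][section[2]] = []
            else:
                cfg["policy_maps"][section[1]][section[2]].append(line)
        elif m := ACE_RE.match(line):
            cfg["acls"].setdefault(m[1], []).append({"proto": m[2], "src": m[3], "dst": m[4],
                "port": int(m[5]) if m[5] else None, "icmp_type": m[6]})
        elif line.startswith("class-map "):
            section = ("class-map", line.split()[1], None)
        elif line.startswith("policy-map "):
            section = ("policy-map", line.split()[1], None)
            cfg["policy_maps"][section[1]] = {}
        elif line.endswith(" global"):               # service-policy NAME global
            cfg["global"].append(line.split()[1])
        elif line.startswith("service-policy "):     # service-policy NAME interface IF
            cfg["interface"].setdefault(line.split()[3], []).append(line.split()[1])
    return cfg

def _addr_match(spec: str, ip: str) -> bool:
    return spec == "any" or spec.split()[1] == ip   # "any" or "host A.B.C.D"

def ace_matches(ace: dict, flow: Flow) -> bool:
    return (ace["proto"] in (flow.proto, "ip")
            and _addr_match(ace["src"], flow.src) and _addr_match(ace["dst"], flow.dst)
            and ace["port"] in (None, flow.dport)
            and ace["icmp_type"] in (None, flow.icmp_type))

def class_matches(cfg: dict, cmap: str, flow: Flow) -> bool:
    clause = cfg["class_maps"][cmap]
    if clause == "match default-inspection-traffic":
        return any(p == flow.proto and port in (None, flow.dport)
                   for p, port in DEFAULT_INSPECTION.values())
    if clause.startswith("match access-list "):
        return any(ace_matches(a, flow) for a in cfg["acls"].get(clause.split()[2], []))
    raise ValueError(f"unsupported match clause: {clause}")

def action_applies(action: str, flow: Flow) -> bool:
    """'inspect X' only engages on X's own protocol/port; any other action
    (here the IPS redirect) applies to all traffic the class matched."""
    words = action.split()
    if words[0] != "inspect":
        return True
    proto, port = DEFAULT_INSPECTION[words[1]]
    return proto == flow.proto and port in (None, flow.dport)

def resolve(cfg: dict, flow: Flow, ingress: str) -> list:
    """(policy-map, action) pairs for a flow entering `ingress`: the interface
    policy first, then the global policy, which applies on every interface."""
    applied = []
    for pm in cfg["interface"].get(ingress, []) + cfg["global"]:
        for cmap, actions in cfg["policy_maps"][pm].items():
            if class_matches(cfg, cmap, flow):
                applied += [(pm, a) for a in actions if action_applies(a, flow)]
    return applied

CFG = parse_mpf(CONFIG)
```

`resolve(CFG, Flow("icmp", "198.51.100.7", "192.0.2.10", icmp_type="echo"), "outside")` returns only the IPS redirect, because the global policy's dns and ftp engines do not engage on ICMP, while the same DNS query entering on either `inside` or `outside` gets `inspect dns preset_dns_map` and nothing else. That is the split the question asks about: inspection from the global policy on every interface, IPS redirection only for traffic matching the access-list as it enters `outside`.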

4 Replies

Jennifer Halim
Cisco Employee

Absolutely correct configuration. It would inspect traffic in both directions as you apply it globally, and for the IPS policy-map, it would redirect traffic from the internet towards the inside network.

Hi Jennifer,

Thanks for confirming.

Just to clarify... so from what you are saying, if my from-internet access-list has a policy to permit inbound ICMP echos (not that I would, but just hypothetically...) from the Internet to my inside network, then I don't need an explicit policy on my access-list from-inside to permit the ICMP echo reply, since the default inspection for ICMP would take care of this. Additionally, whilst the ASA allows the return traffic from the inside for the ICMP echo, the IPS will also inspect the traffic on ingress from the Internet to ensure it does not violate any signatures. Is that right? So to summarise, the steps/process that I am wanting to confirm:

* ICMP echo request packet from Internet to inside
* Allowed via ACL from-internet
* Temporarily allow traffic on from-inside ACL for ICMP echo reply
* Redirect packet to IPS
* IPS inspects etc... if it does not match block/deny signature, forward onto server on inside
* Server on inside replies with ICMP echo reply
* Echo reply hits the ASA and is permitted through the temporary session built via the Application Inspection engine

Does that look right?

Thanks
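The step list above describes stateful return-traffic handling: the inbound echo is permitted by the ingress ACL and recorded as a connection, and the reply is admitted because it reverses that connection, not because any ACL permits it. The model below is an added example written for this page (not ASA code; the ASA's real connection table, inspection engines and idle timers are not reproduced). Interface names, addresses and the ACL stand-in are assumptions.

```python
"""Stateful-firewall model of the echo / echo-reply sequence listed above.

Constructed illustration, not ASA code: the ASA's real connection table,
inspection engines and idle timers are not reproduced. It shows why the reply
direction needs no ACL entry: a flow permitted by the ingress ACL is recorded
under its forward key, and a packet arriving on another interface is allowed
only if it reverses a live entry. Interface names and addresses are assumed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    ingress: str          # interface the packet arrives on
    icmp_type: str = ""   # "echo" / "echo-reply" for icmp
    icmp_id: int = 0      # echo identifier; ties a reply to its request
    sport: int = 0
    dport: int = 0


class StatefulFirewall:
    def __init__(self, acl: Callable[[Packet], bool]):
        self.acl = acl                         # ingress ACL decision for new flows
        self.conns: Dict[Tuple, str] = {}      # forward key -> ingress interface

    @staticmethod
    def _key(p: Packet) -> Tuple:
        if p.proto == "icmp":
            return (p.proto, p.src, p.dst, p.icmp_id)
        return (p.proto, p.src, p.dst, p.sport, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> Tuple:
        if p.proto == "icmp":
            return (p.proto, p.dst, p.src, p.icmp_id)
        return (p.proto, p.dst, p.src, p.dport, p.sport)

    def process(self, p: Packet) -> str:
        """Return 'return' (matched an existing connection), 'new' (permitted by
        the ACL, connection created) or 'denied'."""
        rev = self._reverse_key(p)
        if rev in self.conns and self.conns[rev] != p.ingress:
            if p.proto == "icmp":
                del self.conns[rev]   # one reply closes the echo entry in this model
            return "return"
        if self.acl(p):
            self.conns[self._key(p)] = p.ingress
            return "new"
        return "denied"


def inbound_echo_only(p: Packet) -> bool:
    """Stand-in for the thread's ACLs: from-internet permits ICMP echo, and the
    inside ACL permits nothing here, so a reply can only ride a live connection."""
    return p.ingress == "outside" and p.proto == "icmp" and p.icmp_type == "echo"


def echo_sequence() -> list:
    fw = StatefulFirewall(inbound_echo_only)
    request = Packet("icmp", "198.51.100.7", "192.0.2.10", "outside", "echo", 7)
    reply = Packet("icmp", "192.0.2.10", "198.51.100.7", "inside", "echo-reply", 7)
    stray = Packet("icmp", "192.0.2.10", "198.51.100.9", "inside", "echo-reply", 9)
    # request -> new; reply -> return; stray (no matching request) -> denied;
    # a second copy of the reply -> denied, since the entry is already gone.
    return [fw.process(request), fw.process(reply), fw.process(stray), fw.process(reply)]
```

`echo_sequence()` returns `['new', 'return', 'denied', 'denied']`: the reply is admitted on the strength of the connection built by the request, an unsolicited echo-reply from the inside is dropped, and once the echo entry has been consumed a duplicate reply has nothing to match. The same keying works for TCP and UDP flows by swapping addresses and ports.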

You are right with the statement: if you are allowing echo from the internet to inside, then the return traffic from inside to the internet (echo reply) does not need to be explicitly allowed, as the ASA is a stateful firewall and will allow the return traffic automatically. Your bullet points are spot on too, looks correct.

I know this has been answered, but I have a related question. Would passing traffic to the IPS from outside to in also work if the traffic was coming out of a VPN tunnel terminated on the ASA? Assuming you applied the IPS policy to the outside interface like in the original poster's question.

