06-11-2012 02:43 PM - edited 03-10-2019 05:42 AM
Hi All,
I am not sure if this is the best place to log this request, as it is both an ASA and IPS best practice question.
Anyhow, I was wondering what the best approach was to integrate a Cisco IPS AIM module into an existing Cisco ASA configuration, that is using the default application inspection globally - i.e.
---------------------------
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
etc etc
service-policy global_policy global
---------------------------
I was wanting to inspect any traffic that was permitted inbound from our Internet interface into our environment, so I was looking at doing something like:
---------------------------
class-map ips
match access-list from-internet
!
policy-map ips
class ips
ips inline fail-close
!
service-policy global_policy global
service-policy ips interface outside
---------------------------
Would this configuration allow for application inspection for traffic going from inside to outside, but yet redirect traffic from outside to inside to the IPS?
Thanks
06-11-2012 10:32 PM
Absolutely correct configuration. It would inspect traffic in both directions as you apply it globally, and for the IPS policy-map, it would redirect traffic from the Internet towards the inside network.
06-11-2012 10:44 PM
Hi Jennifer,
Thanks for confirming.
Just to clarify... so from what you are saying, if my from-internet access-list has a policy to permit inbound ICMP echos (not that I would, but just hypothetically...) from the Internet to my inside network, then I don't need an explicit policy on my access-list from-inside to permit the ICMP echo reply, since the default inspection for ICMP would take care of this. Additionally, whilst the ASA allows the return traffic from the inside for the ICMP echo, the IPS will also inspect the traffic on ingress from the Internet to ensure it does not violate any signatures. Is that right? So to summarise, the steps/process that I am wanting to confirm:
* ICMP echo request packet from Internet to inside
* Allowed via ACL from-internet
* Temporarily allow traffic on from-inside ACL for ICMP echo reply
* Redirect packet to IPS
* IPS inspects etc... if it does not match block/deny signature, forward onto server on inside
* Server on inside replies with ICMP echo reply
* Echo reply hits the ASA and is permitted through the temporary session built via the Application Inspection engine
Does that look right?
Thanks
06-11-2012 10:50 PM
You are right with the statement: if you are allowing echo from the Internet to inside, then the return traffic from inside to the Internet (echo reply) does not need to be explicitly allowed, as the ASA is a stateful firewall and it will allow the return traffic automatically. Your bullet points are spot on too, looks correct.
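For anyone reading this later, here is the whole arrangement discussed above pulled together in one place: the inbound ACL, the global inspection policy, the IPS redirect class and the two service-policy lines. This is an added illustration written for this thread, not the original poster's configuration or anything from Cisco documentation. The host address 192.0.2.10 (RFC 5737 documentation range) and the interface names inside/outside are assumptions. One point worth stating explicitly: the factory inspection_default class does not include ICMP, so `inspect icmp` is added here so that the echo reply is matched to the request's connection state rather than needing its own ACL entry.

```cisco
! Constructed example for this thread, not the original poster's config.
! 192.0.2.10 and the interface names are assumptions.

! Inbound ACL on outside: only what the environment actually exposes.
access-list from-internet extended permit tcp any host 192.0.2.10 eq 443
access-list from-internet extended permit icmp any host 192.0.2.10 echo
access-group from-internet in interface outside

! Default application inspection, kept global so it covers both directions.
! inspect icmp is NOT in the factory inspection_default set; it is added here
! so the echo reply rides the state built by the echo request.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect icmp

! IPS redirect only for flows arriving on outside that the ACL permits.
! Reusing the same ACL keeps "what is let in" and "what the IPS sees" in step.
class-map ips
 match access-list from-internet

policy-map ips
 class ips
  ips inline fail-close

service-policy global_policy global
service-policy ips interface outside

! Verification: the IPS policy should show packet counters climbing on
! outside only, and the ICMP conn table should show the reply matched
! to the request rather than a fresh inbound flow.
show service-policy interface outside
show conn protocol icmp
```

Two design notes. First, `ips inline fail-close` means that if the IPS module is down, every flow matching the class is dropped rather than bypassing inspection; `fail-open` is the other choice, and which one is right depends on whether you would rather lose availability or lose inspection during a module outage. Second, because the class matches the same ACL that the access-group enforces, anything you later permit inbound is automatically sent to the IPS as well, which is the property the original question was after.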
06-21-2012 05:56 PM
I know this has been answered, but I have a related question. Would passing traffic to the IPS from outside to in also work if the traffic was coming out of a VPN tunnel terminated on the ASA? Assuming you applied the IPS policy to the outside interface like the original poster's question.