cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5141
Views
8
Helpful
10
Replies

Config Global policy to use IPS (ASA 5520)

rmaxson2
Level 1
Level 1

I get an error..ERROR: Policy map global_policy is already configured as a service policy when I try to set up the IPS. How do I correct this config?

--------Attempted Config Change-----------------

HO1ASA01# conf t

HO1ASA01(config)# access-list IPS permit ip any any

HO1ASA01(config)# class-map IPS-CLASS

HO1ASA01(config-cmap)# match access-list IPS

HO1ASA01(config-cmap)# policy-map IPS-POLICY

HO1ASA01(config-pmap)# class IPS-CLASS

HO1ASA01(config-pmap-c)# ips promiscuous fail-open

HO1ASA01(config-pmap-c)# service-policy IPS-POLICY global

ERROR: Policy map global_policy is already configured as a service policy

HO1ASA01(config)#

HO1ASA01(config)#

------Running Config------------------

class-map IPS-CLASS

match access-list IPS

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 1024

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

policy-map IPS-POLICY

class IPS-CLASS

ips promiscuous fail-open

!

service-policy global_policy global

2 Accepted Solutions

Accepted Solutions

The reason you got the warning is becuase you already had the line "service-policy global_policy global" in the config. You did not have to re-enter it.

You need to get rid of "policy-map IPS-POLICY.".

View solution in original post

Here is what it should look like...

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

class IPS-CLASS

ips promiscuous fail-open

!

service-policy global_policy global

Notice there is no "policy-map IPS-POLICY" command.

View solution in original post

10 Replies 10

acomiskey
Level 10
Level 10

Add the new class to the existing global_policy instead of creating a new policy.

class-map IPS-CLASS

match access-list IPS

policy-map global_policy

class IPS-CLASS

ips promiscuous fail-open

service-policy global_policy global

Ok the config still looks the same, but this time instead of an error I get a warning.

WARNNING: Policy map global_policy is already configured as a service policy

class-map IPS-CLASS

match access-list IPS

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 1024

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

policy-map IPS-POLICY

class IPS-CLASS

ips promiscuous fail-open

!

service-policy global_policy global

The reason you got the warning is becuase you already had the line "service-policy global_policy global" in the config. You did not have to re-enter it.

You need to get rid of "policy-map IPS-POLICY.".

Still not seeing any traffic on the IPS.. besides setting a policy to route all traffic to the IPS what else needs to be done?

** THIS IS A PRODUCTION BOX ** I can not guess or try anything that might knock it off line.

Here is what it should look like...

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

class IPS-CLASS

ips promiscuous fail-open

!

service-policy global_policy global

Notice there is no "policy-map IPS-POLICY" command.

Got it, I was test editng the lines on my last config and put the map back in.. :(

Still no traffic..

Do you still have...

class-map IPS-CLASS

match access-list IPS

This may help...

http://cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml

will give those a look, they are different from the other "Official Cisco" documents I've been using.

There is an excellent post titled "How do you tell if an ASA-SSM-20 is actually running and filtering traffic?" posted on this same thread, dated Jan 31 2008 that I found extremely helpful on this subject.

Great find! very helpful, seems Cisco needs better documentation on this device.

Review Cisco Networking for a $25 gift card