Does the AIP-SSM inspects on all Interfaces (inside,outside,DMZ)

Ibrahim Jamil · ‎03-04-2011

Hi Folks

if you have an ASA 8.0 code equipped by AIP-SSM, how ever we use interface for inside, interface for outside and interface for the DMZ,now did the AIP-SSM inspects Traffic going to the DMZ interface ,pls provide me a proof for that as i heard that is a limitation for inspection just for outside to inside and vice versa

PAUL GILBERT ARIAS · ‎03-04-2011

You can view that doing a show service-policy

Sent from Cisco Technical Support iPhone App

Ibrahim Jamil · ‎03-04-2011

Hi Paul

what this reply means?

PAUL GILBERT ARIAS · ‎03-04-2011

Sorry i missed a small part. If you apply the class map for the inspected traffic undet the global policy map the IPS will do the work on all interfaces

Sent from Cisco Technical Support iPhone App

Ibrahim Jamil · ‎03-04-2011

Hi Paul

Sorry,Still yr kind replys didnt make me Clear

PAUL GILBERT ARIAS · ‎03-04-2011

For example:

If you have the following config:

access-list IPS extended permit ip any any

class-map IPS

match access-list IPS

policy-map global_policy

class IPS

ips promiscuous fail-open

service-policy global_policy global

This will do the IPS job on all interfaces (inside,outside,DMZ) for traffic coming in and out.

You can view the inspected traffic by using the command "sh service-policy"

Is that clear?

Ibrahim Jamil · ‎03-04-2011

Thanks

PAUL GILBERT ARIAS · ‎03-04-2011

I really hope that helps you. If things are fine please mark the question as answered.

Thanks my friend.