06-14-2010 06:40 PM - edited 03-10-2019 05:01 AM
Hi,
I have an ASA5520 with AIP-SSM module. I inspect in promiscuous mode. Security vulnerability scans create tons of alerts in the IDS system. I'd like to exclude certain IP addresses from the IDS. I tried to modify the inspection policy in ASDM but according to packet trace the packets still go through the IDS.
What's the easiest way to do this?
Thanks
06-14-2010 07:34 PM
Does the IPS actually still generate alerts for the host, though the class-map has been modified for the specific host traffic not to be sent to the AIP?
Check the packet tracer output, as you may have misread it.
These are sample outputs:
1) If the ACL sends traffic to the AIP
Phase: 3
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd82d6258, priority=50, domain=ids, deny=false
###### Notice how it says DENY=FALSE >> so send to IPS #####
2) If the ACL does not send traffic to the AIP
Phase: 3
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd82d8528, priority=50, domain=ids, deny=true
##### Notice how it says DENY=TRUE >> so do not send to IDS #####
Another way of accomplishing this is to create an event action filter on the AIP itself.
Here is the documentation for it.
Regards,
06-15-2010 08:01 AM
What packet tracer are you using? I don't see this info in ASDM:
"Additional Information:
Forward Flow based lookup yields rule:
in id=0xd82d6258, priority=50, domain=ids, deny=false"
I am looking at the Service Policy Rules..
The first one is "outside-policy" for "outside-class". In there I have 2 acl.
First one is "do not match" from the netblock I don't want to inspect to any, with rule action ips.
Second one is "match" any any, with rule action ips.
Does this look right?
Second one is "global_policy" "inspection_default", and that has default-inspections with 13 inspect actions.
I hope this means that in addition to IPS, the inspect actions are also run for traffic coming in?
Thanks.
06-15-2010 03:19 PM
Let's say you want to exclude ip address 192.168.1.2 from being scanned. Here is a sample config.
access-list aip-acl extended deny ip host 192.168.1.2 any
access-list aip-acl extended permit ip any any
class-map aip-class
match access-list aip-acl
policy-map global_policy
class aip-class
ips inline fail-open
service-policy global_policy global
I hope it is clear now.
PK
06-15-2010 06:03 PM
Since you are seeing deny=false in the ips forwarding portion, that means it is still forwarded to the IPS, and you probably still have some configuration that forwards the traffic to the ips for the network you did not want inspected.
Please either try to configure as provided by PK previously, or otherwise provide the service policies (global and interface), class-map, and related access-list you have (CLI commands I mean).
I was doing packet tracer through the CLI.
Thanks,
06-16-2010 07:25 AM
OK cool, check this out:
Phase: 5
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcccb4b60, priority=51, domain=ids, deny=true
hits=0, user_data=0xd07618d8, cs_id=0x0, flags=0x0, protocol=0
src ip=216.35.7.96, mask=255.255.255.224, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
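A small check for the packet-tracer output discussed in this thread (an added example, not code from any poster or from Cisco): it splits the trace into phases, finds the IDS phase and reads the deny flag with the meaning PK gives above, deny=false meaning the flow is handed to the AIP-SSM and deny=true meaning it is exempted. The trace embedded below is constructed from the format shown in the posts.

```python
"""Parse ASA packet-tracer output and report whether a flow reaches the AIP-SSM.

The counter-intuitive part from the thread: in the IDS phase the rule denies
*redirection to the module*, not the packet.  So deny=false means the flow IS
sent to the IPS and deny=true means it is exempted from inspection.
"""
import re

# Constructed sample, following the phase layout posted in the thread.
SAMPLE_TRACE = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Phase: 5
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcccb4b60, priority=51, domain=ids, deny=true
hits=0, user_data=0xd07618d8, cs_id=0x0, flags=0x0, protocol=0
src ip=216.35.7.96, mask=255.255.255.224, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
"""


def split_phases(trace):
    """Return one {'type': ..., 'lines': [...]} dict per 'Phase:' block."""
    phases = []
    for line in trace.splitlines():
        if line.startswith("Phase:"):
            phases.append({"type": None, "lines": []})
        elif phases:
            if line.startswith("Type:"):
                phases[-1]["type"] = line.split(":", 1)[1].strip()
            phases[-1]["lines"].append(line)
    return phases


def ids_decision(trace):
    """Inspect the IDS phase; None if the trace has no IDS rule lookup at all."""
    for phase in split_phases(trace):
        if phase["type"] != "IDS":
            continue
        text = "\n".join(phase["lines"])
        rule = re.search(r"id=(0x[0-9a-f]+).*?domain=ids, deny=(true|false)", text)
        if not rule:
            return None
        src = re.search(r"src ip=([\d.]+), mask=([\d.]+)", text)
        return {
            "rule_id": rule.group(1),
            "sent_to_ips": rule.group(2) == "false",  # deny=false -> redirected
            "src": (src.group(1), src.group(2)) if src else None,
        }
    return None
```

Run the trace for each interface the flow can enter on, since a different input interface can hit a different service policy and a different IDS rule.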
06-16-2010 07:57 AM
That is right.
I am also suggesting the command "sh service-policy flow tcp host
I hope it helps.
PK
06-16-2010 09:54 PM
Can you please provide the configuration you have for the service policy, policy map, class map, and access-list for the traffic redirection to IPS.
The packet tracer tool's simulation requires you to specify the input interface, and maybe there is a flow that you have not simulated where the source ip may still be directed to the ips device.
Regards,