IPS ASA configuration

binelipetrov
Level 1

Hi,

I have a question regarding the order of operations for the IPS on the ASA: while configuring an access list for interesting traffic, do I need to use real or NATed addresses? Precisely, NAT and then access list, or access list and then NAT?

Accepted Solution

samuellthomasjr
Level 1

Keep the extended ACL close to the source and use the REAL IP address. NAT occurs within the ASA, so you are dealing with externals.

If you have 6 or 14 external, public IP addresses from your ISP, you can NAT ... otherwise you are stuck with PAT.

For inbound to outside: use the actual, REAL, public IP addresses you have been assigned by your ISP to permit certain traffic inbound. This could be access-list 100 or a named extended access list, such as "inbound-outside".

For inbound to inside interface: use the internal private IP address scheme [192.168.x.x, 172.16.x.x-172.31.255.x, 10.0.0.0] with the appropriate subnet mask to permit traffic from inside to outside for your users. Most folks open the "permit ip any any" here, but I prefer limiting to the specific internal, private addresses only. This might be access-list 102 or a named access-list such as "inbound_inside".

Traffic, which is not "permitted", will be implicitly denied.


3 Replies

vitripat
Level 7

Hi,

When you apply service-policy for IPS inspection, either on a specific interface/globally, "ingress" traffic on the interface is sent to the module.

For example, if you apply the policy on the inside interface of ASA, traffic coming into ASA on the inside interface, destined for outside/dmz/etc, will be sent to IPS module, before applying nat rules.

If you apply the policy on the outside interface of ASA, traffic coming into ASA on the outside interface, destined for inside/dmz/etc, will be sent to IPS module, before applying un-nat/nat rules.

If you apply the policy globally, all traffic coming into ASA on its interfaces will be sent to IPS module, before applying nat rules.

Hope this clears things for you.

Regards,

Vibhor.
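The two answers above, put together as one configuration, as an added example that is not from either poster or from Cisco documentation: an MPF class for the IPS module matched on the inside hosts' real addresses and applied on the inside interface (where those addresses are untranslated whichever way NAT is ordered), plus the "inbound-outside" and "inbound_inside" interface ACLs the accepted answer names. It assumes ASA 8.3 or later, where interface ACLs reference real (untranslated) addresses and NAT is configured with network objects; on earlier releases the outside ACL references the mapped public address instead. All addresses, object and ACL names are constructed placeholders.

```cisco
! Added example, not configuration from the thread. Assumes ASA 8.3+ with an
! AIP-SSM IPS module. Constructed addressing: inside 192.168.10.0/24, a DMZ web
! server with real address 10.1.1.10 mapped to public 203.0.113.10 on outside.

! 1. Interesting traffic for the IPS module. Applied on the inside interface,
!    the source addresses the module sees are the real, pre-NAT ones.
access-list IPS-TRAFFIC extended permit ip 192.168.10.0 255.255.255.0 any

class-map IPS-CLASS
 match access-list IPS-TRAFFIC

! 2. Hand matched flows to the module inline. fail-open keeps traffic flowing
!    if the module is down; use fail-close if dropping is preferred.
policy-map IPS-POLICY
 class IPS-CLASS
  ips inline fail-open

! 3. Apply the policy on the inside interface only (use "global" instead of
!    "interface inside" to inspect ingress traffic on every interface).
service-policy IPS-POLICY interface inside

! 4. Static NAT for the DMZ server (8.3+ object NAT syntax).
object network DMZ-WEB
 host 10.1.1.10
 nat (dmz,outside) static 203.0.113.10

! 5. Inbound on outside: on 8.3+ the ACL names the server's real address
!    10.1.1.10, even though Internet clients connect to 203.0.113.10.
access-list inbound-outside extended permit tcp any host 10.1.1.10 eq 443
access-list inbound-outside extended deny ip any any log
access-group inbound-outside in interface outside

! 6. Inbound on inside: restrict to the private range rather than
!    "permit ip any any". Anything not permitted is implicitly denied.
access-list inbound_inside extended permit ip 192.168.10.0 255.255.255.0 any
access-group inbound_inside in interface inside
```

To confirm which flows actually reach the module, "show service-policy interface inside" reports the IPS class counters, and "packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 443" walks a constructed inbound packet through un-NAT, the ACL and the IPS phase so the real-versus-mapped question is answered by the box itself rather than by memory.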


Great answer. Thanks
