3979 Views, 0 Helpful, 21 Replies

IPS-SSM10-Events

Anukalp S
Level 7

Hi,

I have been running the IPS fine for around a week, but in the past week my IPS license has expired and I have noticed that the event logs are not showing.

Could you please suggest whether the event logs are not showing because of the license expiration?

21 Replies

Hi..

Please see below the policy config of the ASA.

===============================

ASA-01# sh run policy-map
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
  inspect skinny
  inspect icmp
 class class-default
  flow-export event-type all destination 10.110.130.11
!
ASA-01# sh run class-map
!
class-map inspection_default
 match default-inspection-traffic

Hi Anukalp,

There is no configuration on your ASA that passes traffic to the IPS for inspection in your show run class-map and show run policy-map output.

In global config mode, type the following commands below and let me know how it goes....

access-list IPS_acl extended permit ip any any (this is to define the traffic to be inspected)

class-map IPS_class
 match access-list IPS_acl
policy-map IPS_policy
 class IPS_class
  ips promiscuous fail-open (this could also be configured for inline mode with the fail-close option as well)
service-policy IPS_policy global

Sly

access-list IPS_acl extended permit ip any any

class-map IPS_class
match access-list IPS_acl
policy-map IPS_policy
class IPS_class
ips promiscuous fail-open

service-policy IPS_policy global

Hi..

I am getting an error while creating a service policy; it tells me that a service policy is already configured, so I have configured this in the existing policy. I will share the result in a couple of minutes.

access-list IPS_acl extended permit ip any any

class-map IPS_class
 match access-list IPS_acl

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
  inspect skinny
  inspect icmp
 class IPS_class
  ips promiscuous fail-open
 class class-default
  flow-export event-type all destination 10.110.130.11

service-policy global_policy global

==================================================

Hi..

Can't we configure "ips inline fail-open"? Will it cause any issue or stop any traffic on the ASA?

Were you able to get it working? Do you see any alerts now? You can test by enabling ICMP signatures.

I usually recommend switching to inline mode only after you have run your IPS in promiscuous mode for a while and understand how to manage false positives. Running IPS in inline mode without monitoring IPS events in promiscuous mode for a period could risk legitimate traffic being inadvertently blocked/dropped.

Please rate if this post was helpful.

Sly
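As an added example (not from the thread and not Cisco's own tooling), here is a small Python check over ASA running-config text that reproduces the diagnosis given above: it reports whether any class in an attached policy-map carries an "ips" action, in which mode (promiscuous/inline) and with which fail behaviour, and it also flags the case seen in this thread where a second policy-map is defined but its global service-policy was rejected. The sample configs, the IpsRedirect name and the ips_status function are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class IpsRedirect:
    policy: str             # policy-map carrying the "ips" action
    cls: str                # class inside that policy-map
    mode: str               # "promiscuous" or "inline"
    fail_action: str        # "fail-open" or "fail-close"
    applied: Optional[str]  # "global", "interface <name>", or None if never attached

def parse_ips_redirects(config: str) -> List[IpsRedirect]:
    """Collect every 'ips <mode> <fail-action>' action and whether its policy-map is attached."""
    attached = {m.group(1): m.group(2) for m in re.finditer(
        r"^\s*service-policy\s+(\S+)\s+(global|interface\s+\S+)\s*$", config, re.M)}
    found, policy, cls = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map"):
            m = re.fullmatch(r"policy-map (\S+)", line)  # skips "policy-map type inspect ..."
            policy, cls = (m.group(1) if m else None), None
        elif policy and (m := re.fullmatch(r"class (\S+)", line)):
            cls = m.group(1)
        elif policy and cls and (m := re.fullmatch(r"ips (promiscuous|inline) (fail-open|fail-close)", line)):
            found.append(IpsRedirect(policy, cls, m.group(1), m.group(2), attached.get(policy)))
    return found

def ips_status(config: str) -> str:
    """One-line verdict: is any traffic actually being handed to the IPS module?"""
    active = [r for r in parse_ips_redirects(config) if r.applied]
    if not active:
        return "no traffic is sent to the IPS module: add an 'ips ...' class to the applied policy-map"
    return "; ".join(f"{r.policy}/{r.cls}: ips {r.mode} {r.fail_action} ({r.applied})" for r in active)

# Constructed samples modelled on the configs in the thread (not copied verbatim).
BEFORE = """\
policy-map global_policy
 class inspection_default
  inspect icmp
 class class-default
service-policy global_policy global
"""
# A second policy-map whose 'service-policy ... global' was rejected, so it is never attached.
UNATTACHED = BEFORE + "policy-map IPS_policy\n class IPS_class\n  ips promiscuous fail-open\n"
# The working fix: the IPS class added to the already-applied global_policy.
AFTER = BEFORE.replace(" class class-default", " class IPS_class\n  ips promiscuous fail-open\n class class-default")
if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("unattached", UNATTACHED), ("after", AFTER)):
        print(f"{name}: {ips_status(cfg)}")
```

Paste the output of "show run policy-map" plus "show run service-policy" into the config string to run it against a real box.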

Hi..

Thanks a lot, IPS started displaying events now.
