
Multiple Class maps for AIP

Martin Smid
Level 1

Hello folks,

A similar question was asked on the forum here, but I just wanted to make sure there is no exception for this specific configuration. Basically we have AIP modules in our ASAs and we want to pass the traffic to them for investigation. We already have class-maps for inspection (the standard ASA inspection, not IPS). And if I understand it correctly, the traffic will get matched only by a single class-map and handled accordingly.

Here is the config for better understanding

Current Config

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras

Additional Config

access-list USERS-IPS-ACL extended permit ip host x.x.x.x any
access-list USERS-IPS-ACL extended permit ip any host x.x.x.x
!
!
class-map USERS-IPS-CLASS
 match access-list USERS-IPS-ACL
!
!
policy-map IPS-POLICY
 class USERS-IPS-CLASS
  ips inline fail-close sensor USERS-SENSOR

So, for example, let's say a user establishes an FTP connection to a server. Based on the global inspection policy (nothing to do with IPS), the traffic will get inspected and not forwarded to the AIP module. Can someone confirm this or shed some light on it, please?

Thank you very much,

Martin


7 Replies

padatta
Level 1

Hi Martin,

Since the actions are different on the two class maps, it will be sent to IPS.

If the action on the second class map had been 'inspect ftp', then only the first 'inspect ftp' would have had any effect. But here, the actions are different. One is inspect and the other is sending traffic to the AIP module.

HTH

Paps

So if I understand your post correctly, the traffic will fall into the first class map and then be inspected as dictated by the policy, AND it will also be matched by the second class map and sent to the AIP module as set by the second policy (basically the traffic will be treated by two class maps and policies). The reason I am asking is that if you think about QoS, the traffic is classified by a single class map.

Thank you,

Martin

Yes, if two class maps in a policy-map match the same traffic, both will take effect only if the actions are different. E.g. one action is 'inspect' and the other is 'police'.

Thank you,

Paps

And I assume the same logic applies even though the class maps are in two different policy maps (see example in the first post).

Sorry for being so annoying

Well, this concept could be very confusing at times.

Yes, same goes for class maps matching same traffic in more than one policy-map/service-policy.

Paps
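To make the rule Paps describes concrete, here is a small Python model of how the ASA selects class-map actions for one flow. It is an added example, not code from the thread or from Cisco; it assumes the ASA evaluates the interface service-policy before the global one, uses 10.1.1.5 as a stand-in for x.x.x.x, and models only a constructed subset of the default-inspection port table.

```python
from collections import namedtuple
from dataclasses import dataclass

# Ports covered by 'match default-inspection-traffic' and the inspection engine
# each one selects (constructed subset of the real ASA table).
DEFAULT_INSPECTION = {("tcp", 21): "ftp", ("tcp", 80): "http", ("tcp", 1720): "h323"}
Flow = namedtuple("Flow", "proto src dst dport")

@dataclass
class ClassMap:
    name: str
    acl: list = None      # [(src, dst)], 'any' allowed; None = match default-inspection-traffic
    actions: tuple = ()

    def matches(self, flow):
        if self.acl is None:
            return (flow.proto, flow.dport) in DEFAULT_INSPECTION
        return any(s in ("any", flow.src) and d in ("any", flow.dst) for s, d in self.acl)

    def applicable(self, flow):
        """Actions this class contributes. With default-inspection-traffic only the
        engine bound to the flow's port applies (no h323 inspection of an FTP flow)."""
        engine = DEFAULT_INSPECTION.get((flow.proto, flow.dport))
        return [a for a in self.actions if self.acl is not None
                or not a.startswith("inspect ") or a.split()[1] == engine]

def apply_policies(flow, policies):
    """policies: [(policy_name, [ClassMap, ...])] in precedence order (interface
    service-policy before global). Per feature type (first word of the action:
    inspect, ips, police, ...) only the first matching class takes effect; a later
    matching class still applies when its actions are of a different type."""
    applied, seen = [], set()
    for pname, classes in policies:
        for cm in (c for c in classes if c.matches(flow)):
            acts = cm.applicable(flow)
            new = {a.split()[0] for a in acts} - seen
            applied += [(pname, cm.name, a) for a in acts if a.split()[0] in new]
            seen |= new
    return applied

# The thread's configuration; x.x.x.x stands in for one user host (constructed value).
USER = "10.1.1.5"
GLOBAL_POLICY = ("global_policy", [ClassMap("inspection_default",
                 actions=("inspect ftp", "inspect h323 h225", "inspect h323 ras"))])
IPS_POLICY = ("IPS-POLICY", [ClassMap("USERS-IPS-CLASS", acl=[(USER, "any"), ("any", USER)],
              actions=("ips inline fail-close sensor USERS-SENSOR",))])

if __name__ == "__main__":
    # FTP from the user host matches both classes; both actions apply (different types)
    for hit in apply_policies(Flow("tcp", USER, "192.0.2.10", 21), [IPS_POLICY, GLOBAL_POLICY]):
        print(hit)
```

Swapping the IPS class's action for a second 'inspect ftp' reproduces the other case in the thread: only the first matching class of that type takes effect.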

Hello Martin,

If you would like to verify the MPF that will be applied to any flow by your configuration, you can execute the show service-policy flow command from the ASA CLI.

For your example, assuming your IPS-POLICY policy-map is assigned to the inside interface, the output of a show service-policy flow will look similar to the output below.

Command:

show service-policy flow <protocol> host <src_ip> [eq <src_port>] host <dst_ip> [eq <dst_port>]

ASA# show service-policy flow tcp host 10.1.1.5 eq 2500 host 4.2.2.2 eq 80
Global policy:
   Service-policy: global_policy
     Class-map: inspection_default
       Match: default-inspection-traffic
       Action:
         Input flow:  inspect http
     Class-map: class-default
       Match: any
       Action:
         Output flow:
Interface inside:
   Service-policy: IPS-POLICY
     Class-map: USERS-IPS-CLASS
       Match: access-list USERS-IPS-ACL
         Access rule: permit ip any any
       Action:
         Input flow:  ips inline fail-close
     Class-map: class-default
       Match: any
       Action:

I hope it's helpful. We recorded a recent podcast episode on our favorite ASA and IPS commands, and show service-policy flow was one of them.

Thank you,
Blayne Dreier
Cisco TAC Escalation Team
**Please check out our Podcasts**

Blayne,

I got to hand it to you. Great information right there. Thank you very much.

Thank you guys both for your help!
