04-26-2011 03:28 PM - edited 03-10-2019 05:20 AM
Hello folks,
A similar question was asked on the forum here, but I just wanted to make sure there is no exception for this specific configuration. Basically we have AIP modules in our ASAs and we want to pass the traffic to them for investigation. We already have class-maps for inspection (the standard ASA inspection, not IPS). And if I understand it correctly, then the traffic will get matched only by a single class-map and handled accordingly.
Here is the config for better understanding
Current Config
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
Additional Config
access-list USERS-IPS-ACL extended permit ip host x.x.x.x any
access-list USERS-IPS-ACL extended permit ip any host x.x.x.x
!
!
class-map USERS-IPS-CLASS
match access-list USERS-IPS-ACL
!
!
policy-map IPS-POLICY
class USERS-IPS-CLASS
ips inline fail-close sensor USERS-SENSOR
So for example let's say a user establishes FTP connection to a server. Based on the global inspection policy (nothing to do with IPS), the traffic will get inspected and not forwarded to AIP module. Can someone confirm this or shed some light on it please?
Thank you very much,
Martin
04-27-2011 02:56 AM
Hi Martin,
Since the actions are different on the two class maps, it will be sent to IPS.
If the action on second class map had been 'inspect ftp', then only the first 'inspect ftp' would have had any effect. But here, the actions are different. One is inspect and other is sending traffic to AIP module.
HTH
Paps
04-27-2011 03:32 AM
So if I understand your post correctly, the traffic will fall into the first class map and then be inspected as dictated by the policy, AND it will also be matched by the second class map and sent to the AIP module as set by the second policy (basically the traffic will be treated by two class maps and policies). The reason I am asking is that if you think about QoS, the traffic is classified by a single class map.
Thank you,
Martin
04-27-2011 04:07 AM
Yes, if two class maps in a policy-map match the same traffic, both will take effect only if actions are different. E.g. One action is 'inspect' and other is 'police'.
Thank you,
Paps
04-27-2011 04:44 AM
And I assume the same logic applies even though the class maps are in two different policy maps (see example in the first post).
Sorry for being so annoying
04-27-2011 04:52 AM
Well, this concept could be very confusing at times.
Yes, same goes for class maps matching same traffic in more than one policy-map/service-policy.
Paps
04-27-2011 09:46 AM
Hello Martin,
If you would like to verify the MPF that will be applied to any flow by your configuration, you can execute the show service-policy flow command from the ASA CLI.
For your example, assuming your IPS-POLICY policy-map is assigned to the inside interface, the output of a show service-policy flow will look similar to the output below.
Command:
show service-policy flow
ASA# show service-policy flow tcp host 10.1.1.5 eq 2500 host 4.2.2.2 eq 80

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Match: default-inspection-traffic
      Action:
        Input flow:  inspect http
    Class-map: class-default
      Match: any
      Action:
        Output flow:

Interface inside:
  Service-policy: IPS-POLICY
    Class-map: USERS-IPS-CLASS
      Match: access-list USERS-IPS-ACL
        Access rule: permit ip any any
      Action:
        Input flow:  ips inline fail-close
    Class-map: class-default
      Match: any
      Action:
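Added example, not code from this thread or from Cisco: a small Python model of the MPF feature-matching rule that Paps' replies and Blayne's show service-policy flow output rely on. The rule it encodes is the documented one: within a policy-map a flow is matched against class-maps in order, but each feature type (inspect, ips, police, ...) is claimed by the first matching class-map only, so a later class-map with the same feature is skipped while a class-map with a different feature still applies; and for a feature present in both an interface policy and the global policy, only the interface policy applies. The host 10.1.1.5 stands in for the thread's x.x.x.x, the sensor name is taken from the first post, the FTP-AGAIN class-map and the port table are constructed for illustration (the real default-inspection-traffic port list is much longer), and the policy and class names mirror the thread's configuration.

```python
"""Model of Cisco ASA Modular Policy Framework (MPF) feature matching.

Constructed example: it reproduces the documented MPF matching rule so the
behaviour discussed in the thread can be checked offline. It is not ASA code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Subset of the ports covered by "match default-inspection-traffic" (constructed;
# the real list is longer). Maps protocol -> destination port -> inspection engine.
DEFAULT_INSPECTION_PORTS = {
    "tcp": {21: "ftp", 80: "http", 1720: "h323 h225"},
    "udp": {1719: "h323 ras"},
}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class ClassMap:
    name: str
    matcher: object   # callable(Flow) -> bool, the "match" line
    actions: object   # callable(Flow) -> [(feature_type, action_text)], the policy-map actions


def match_default_inspection(flow):
    """match default-inspection-traffic: match by well-known destination port."""
    return flow.dport in DEFAULT_INSPECTION_PORTS.get(flow.proto, {})


def default_inspection_actions(flow):
    """Only the inspect engine registered for the flow's port applies."""
    engine = DEFAULT_INSPECTION_PORTS.get(flow.proto, {}).get(flow.dport)
    return [("inspect", f"inspect {engine}")] if engine else []


def acl(*entries):
    """Stand-in for an extended ACL: entries are (src_network, dst_network) permits."""
    nets = [(ip_network(s), ip_network(d)) for s, d in entries]
    return lambda flow: any(
        ip_address(flow.src) in s and ip_address(flow.dst) in d for s, d in nets
    )


def apply_policy(policy, flow, already=frozenset()):
    """Walk one policy-map top to bottom.

    Returns {feature_type: (class_name, action)}. A feature type is claimed by the
    first matching class-map that carries it; later class-maps with the same
    feature are skipped, class-maps with other features still apply. Features in
    `already` were claimed by a higher-precedence (interface) policy.
    """
    applied = {}
    for cm in policy:
        if not cm.matcher(flow):
            continue
        for feature, action in cm.actions(flow):
            if feature in applied or feature in already:
                continue
            applied[feature] = (cm.name, action)
    return applied


def service_policy_flow(flow, interface_policy, global_policy):
    """Mimic 'show service-policy flow': interface policy first, then the global
    policy for the feature types the interface policy did not claim."""
    iface = apply_policy(interface_policy, flow)
    glob = apply_policy(global_policy, flow, already=frozenset(iface))
    return {"interface": iface, "global": glob}


# The thread's configuration, with 10.1.1.5 standing in for x.x.x.x.
INSPECTION_DEFAULT = ClassMap("inspection_default", match_default_inspection,
                              default_inspection_actions)
USERS_IPS_CLASS = ClassMap(
    "USERS-IPS-CLASS",
    acl(("10.1.1.5/32", "0.0.0.0/0"), ("0.0.0.0/0", "10.1.1.5/32")),
    lambda f: [("ips", "ips inline fail-close sensor USERS-SENSOR")],
)
CLASS_DEFAULT = ClassMap("class-default", lambda f: True, lambda f: [])
# Constructed extra class-map used to show that a second 'inspect' is ignored.
FTP_AGAIN = ClassMap("FTP-AGAIN", acl(("0.0.0.0/0", "0.0.0.0/0")),
                     lambda f: [("inspect", "inspect ftp")])

GLOBAL_POLICY = [INSPECTION_DEFAULT, CLASS_DEFAULT]   # policy-map global_policy (global)
IPS_POLICY = [USERS_IPS_CLASS, CLASS_DEFAULT]         # policy-map IPS-POLICY (interface inside)


def actions_for(flow, interface_policy=IPS_POLICY, global_policy=GLOBAL_POLICY):
    """Flat list of the actions applied to a flow, interface policy first."""
    result = service_policy_flow(flow, interface_policy, global_policy)
    return [action for scope in ("interface", "global")
            for _, action in result[scope].values()]


if __name__ == "__main__":
    ftp_from_user = Flow("tcp", "10.1.1.5", 2500, "192.0.2.10", 21)
    for scope, hits in service_policy_flow(ftp_from_user, IPS_POLICY, GLOBAL_POLICY).items():
        for feature, (cm_name, action) in hits.items():
            print(f"{scope}: class-map {cm_name} -> {action}")
```

Running the model on an FTP connection from the monitored host gives both actions, ips from the interface policy and inspect ftp from the global policy, which is exactly the split Blayne's output shows for the HTTP flow; the same flow from an unmonitored host gets only inspect ftp, and a non-inspected port from the monitored host gets only the IPS redirect. The FTP-AGAIN class-map shows the two edge cases a practitioner wants to see: placed after inspection_default in the same policy-map it is skipped, and placed in the interface policy it takes the inspect feature away from the global policy.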
04-27-2011 09:58 AM
Blayne,
I got to hand it to you. Great information right there. Thank you very much.
Thank you guys both for your help!