11-20-2009 10:09 PM - edited 03-10-2019 04:50 AM
Hi,
We have a Cisco ASA 5510 and we recently added a Cisco AIP-SSM. We configured the sensor as well as the ASA, but we are not getting any logs in ADM. Please help me with this.
Please find attached the sensor configuration and the versions of the IPS module and ASA.
Regards,
Yugandhar. M
11-24-2009 10:37 AM
Did you configure your ASA to send traffic to the sensor? You probably need to set up a service-policy on the ASA to send traffic to the AIP module.
11-24-2009 11:37 AM
On the ASA you need
! permit entries select the traffic that the class sends to the AIP-SSM
access-list aip-acl extended permit ip any any
class-map aip-class
 match access-list aip-acl
policy-map global_policy
 class aip-class
  ips inline fail-open
service-policy global_policy global
so that it will send traffic to the AIP for inspection.
I hope it helps.
PK
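An added example (not from the thread or from Cisco): a Python check over a saved running-config that follows the chain this post relies on, from access-list through class-map and policy-map to service-policy, and reports where it breaks. In a class-map ACL only permit entries select traffic for the IPS; the function name and both sample configs are constructed for illustration.

```python
import re

# Constructed sample: a complete redirection chain to the AIP-SSM.
SAMPLE_OK = """\
access-list aip-acl extended permit ip any any
class-map aip-class
 match access-list aip-acl
policy-map global_policy
 class aip-class
  ips inline fail-open
service-policy global_policy global
"""
# Constructed sample: deny-only ACL and the policy-map never applied.
SAMPLE_BROKEN = SAMPLE_OK.replace("permit", "deny").replace("service-policy global_policy global", "")

def ips_redirect_findings(config) -> list:
    """Return reasons why no traffic would reach the IPS module ([] = chain complete)."""
    acl_permits = set()   # ACL names with at least one permit entry
    class_acl = {}        # class-map name -> ACL it matches on
    ips_classes = {}      # policy-map name -> classes carrying an "ips" action
    applied = set()       # policy-maps attached with service-policy
    cmap = pmap = pclass = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) extended (permit|deny) ", line):
            if m.group(2) == "permit":
                acl_permits.add(m.group(1))
        elif m := re.match(r"class-map (\S+)", line):
            cmap, pmap = m.group(1), None
        elif m := re.match(r"policy-map (\S+)", line):
            pmap, cmap, pclass = m.group(1), None, None
            ips_classes.setdefault(pmap, [])
        elif cmap and (m := re.match(r"match access-list (\S+)", line)):
            class_acl[cmap] = m.group(1)
        elif pmap and (m := re.match(r"class (\S+)", line)):
            pclass = m.group(1)
        elif pmap and pclass and re.match(r"ips (inline|promiscuous) ", line):
            ips_classes[pmap].append(pclass)
        elif m := re.match(r"service-policy (\S+) (global|interface \S+)", line):
            applied.add(m.group(1))
    live = [(p, c) for p, cs in ips_classes.items() for c in cs]
    findings = [] if live else ["no policy-map class has an ips action"]
    for p, c in live:
        if p not in applied:
            findings.append(f"policy-map {p} is not applied with service-policy")
        acl = class_acl.get(c)
        if acl and acl not in acl_permits:
            findings.append(f"class {c}: access-list {acl} has no permit entry, so it matches no traffic")
    return findings
```

The parser handles only the plain class-map, policy-map and extended access-list forms shown in this thread.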
11-26-2009 10:35 PM
11-30-2009 07:56 AM
Do you have the IPS configured as inline on the ASA? The configuration posted above does configure it as inline. In the IPS configuration, try setting the High risk action to "Deny Attacker Inline", "Log Attacker Packets", and "Produce Alert". The "Request Block Host" action only works with ARC.
If you have configured the IPS as an inline device, the actions used on a packet or connection should be inline actions.
12-04-2009 01:17 AM
Thanks for your solution.
It is working, but after some time the host which is trying to access Yahoo web chat goes to the blocked hosts or denied attackers list. At that time the local host does not get internet access.
For example, I changed the Yahoo HTTP proxy chat signature ID to High or Medium. I tried to access Yahoo web chat from 192.168.1.234, which is a local IP; it then blocks Yahoo chat as well as the internet, and the host IP goes to the blocked hosts or denied attackers list.
As per your suggestion, I changed the HIGH risk action as you said, and I changed medium to log attacker IP.
Please suggest how to fine-tune the IPS.
Regards,
Yugandhar. M