not getting traffic from ASA to AIP-SSM-20.

yugandharm
Level 1

Hi,

We have a Cisco ASA 5510 and we recently added a Cisco AIP-SSM. We configured the sensor as well as the ASA, but we are not getting any logs in ADM. Please help me with this.

Please find attached the sensor configuration and the versions of the IPS module and ASA.

Regards,

Yugandhar. M

reagleston
Level 1

Did you configure your ASA to send traffic to the sensor? You probably need to set up a service-policy on the ASA to send traffic to the AIP module.

Panos Kampanakis
Cisco Employee

On the ASA you need

! permit entries select the traffic that is handed to the AIP-SSM
access-list aip-acl extended permit ip any any
class-map aip-class
 match access-list aip-acl
policy-map global_policy
 class aip-class
  ips inline fail-open
service-policy global_policy global

so that it will send traffic to the AIP for inspection.

I hope it helps.

PK
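
An added example, not part of the thread or of Cisco's tooling: a small audit of a saved ASA configuration for the pieces listed in the answer above (ACL, class-map, policy-map with an `ips` action, service-policy). It assumes that a class matched on an ACL only diverts traffic that the ACL permits; the sample configurations and the function name `audit_ips_redirect` are constructed for illustration.

```python
import re

# Constructed sample running-config excerpts (not the attachments from the thread).
GOOD = """\
access-list aip-acl extended permit ip any any
class-map aip-class
 match access-list aip-acl
policy-map global_policy
 class aip-class
  ips inline fail-open
service-policy global_policy global
"""
BAD = GOOD.replace("permit ip any any", "deny ip any any")

def audit_ips_redirect(config):
    """Return the problems that would stop the ASA diverting traffic to the AIP-SSM."""
    acl_permits = {}   # ACL name -> True once a permit entry is seen
    class_acl = {}     # class-map name -> ACL it matches on
    ips_classes = {}   # policy-map name -> classes carrying an "ips" action
    applied = set()    # policy-maps referenced by a service-policy
    cmap = pmap = pclass = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) extended (permit|deny) ", line):
            acl_permits[m[1]] = acl_permits.get(m[1], False) or m[2] == "permit"
        elif m := re.match(r"class-map (?:.* )?(\S+)$", line):
            cmap, pmap = m[1], None
        elif (m := re.match(r"match access-list (\S+)", line)) and cmap:
            class_acl[cmap] = m[1]
        elif m := re.match(r"policy-map (?:.* )?(\S+)$", line):
            pmap, cmap = m[1], None
            ips_classes.setdefault(pmap, [])
        elif (m := re.match(r"class (\S+)$", line)) and pmap:
            pclass = m[1]
        elif re.match(r"ips (inline|promiscuous) ", line) and pmap and pclass:
            ips_classes[pmap].append(pclass)
        elif m := re.match(r"service-policy (\S+) (global|interface \S+)", line):
            applied.add(m[1])
    problems = []
    active = [(p, c) for p, cs in ips_classes.items() if p in applied for c in cs]
    if not active:
        problems.append("no applied policy-map has a class with an ips action")
    for _, cls in active:
        acl = class_acl.get(cls)
        if acl and not acl_permits.get(acl, False):
            problems.append(f"ACL {acl} for class {cls} has no permit entry, so nothing matches")
    return problems
```
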

Hi PK,

Thanks for your support.

I tried this and it is working fine.

One more problem: I tried to block Yahoo web chat with Signature ID 11212, but it was not blocking Yahoo chat. Please find the attached screenshot also.

Thanks & Regards,

Yugandhar. M

Do you have the IPS configured as inline on the ASA? The configuration posted above does configure it as inline. Try setting the High risk action in the IPS configuration to "Deny Attacker Inline", "Log Attacker Packets", and "Produce Alert". The "Request Block Host" action only works with ARC.

If you have configured the IPS as an inline device, the actions used on a packet or connection should be inline actions.

Thanks for your solution.

It is working, but after some time the host which is trying to access Yahoo web chat goes to the Blocked Hosts or Denied Attackers list. At that time the local host is not getting internet.

For example, I changed the Yahoo HTTP proxy chat signature ID to High or Medium. I tried to access Yahoo web chat from 192.168.1.234, which is a local IP; then it blocks Yahoo chat as well as internet, and the host IP goes to the Blocked Hosts or Denied Attackers list.

As per your suggestion, I changed the HIGH risk action, and for medium I changed it to log attacker IP.

Please suggest how to fine-tune the IPS.

Regards,

Yugandhar. M
