Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
399
Views
0
Helpful
1
Replies

silly doubt about aip-ssm module

Go to solution
sushilmenon
Level 1
Level 1

‎05-27-2009 10:29 AM - edited ‎03-10-2019 04:38 AM

when the aip ssm module is in inline mode. does the packet first is scanned by the aip ssm module or it is first checked by the firewall rules whether it is permitted and then sent to aip ssm module.

can someone throw some light on this.

regards

sushil

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
marcabal
Cisco Employee
Cisco Employee

‎05-27-2009 11:16 AM

All firewall rules are applied prior to sending the packets to the SSM.

So if the packet will be dropped by a firewall rule, then the packet will not be sent to the SSM.

If the packet will be modified by a firewall rule, then the modification will be done before being sent to the SSM.

There are only two exceptions, and that is encryption and ultimate transmit of the packet.

Encryption happens after being sent to the SSM, so the SSM alway sees unencrypted traffic (where the ASA is the encryption tunnel end point).

And of course transmit of the packet by the ASA through its external interfafes happens after sending to the SSM.

In the case of promiscuous monitoring by the SSM, the encryption and transmit happen right after a copy is sent to the SSM.

In the case of inline monitoring by the SSM, the encryption and transmit happen only after the SSM has completed its analysis and the packet was not denied by the SSM.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
marcabal
Cisco Employee
Cisco Employee

‎05-27-2009 11:16 AM

All firewall rules are applied prior to sending the packets to the SSM.

So if the packet will be dropped by a firewall rule, then the packet will not be sent to the SSM.

If the packet will be modified by a firewall rule, then the modification will be done before being sent to the SSM.

There are only two exceptions, and that is encryption and ultimate transmit of the packet.

Encryption happens after being sent to the SSM, so the SSM alway sees unencrypted traffic (where the ASA is the encryption tunnel end point).

And of course transmit of the packet by the ASA through its external interfafes happens after sending to the SSM.

In the case of promiscuous monitoring by the SSM, the encryption and transmit happen right after a copy is sent to the SSM.

In the case of inline monitoring by the SSM, the encryption and transmit happen only after the SSM has completed its analysis and the packet was not denied by the SSM.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card