Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
579
Views
0
Helpful
2
Replies

SSM IPS Configuration

JHaynes4
Level 1
Level 1

‎11-02-2005 05:19 PM - edited ‎03-10-2019 01:44 AM

I have a couple of questions regarding the ASA that deal with the SSM module.

I have read the document "Configuring ASA-SSM" and am confused by the command logic. I realize that you need to specify a service-policy globally that defines the traffic being sent to the SSM module. My concern is that the configuration document lists as one of it's steps to define an ACL for the IPS traffic and then apply it to an interface before configuring the class map, policy map, and service-policy. Why would this ACL need to be applied to an interface when it is being used for defining IPS traffic? Shouldn't the ASA send whatever traffic is defined globally in the service-policy to the SSM without attaching the ACL to an interface?

Also, on the ASA factory default configuration there is a service-policy defined as:

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

But, if I define a global service-policy for the SSM I would lose this default service-policy as only one global service policy is allowed. Is the default service-policy providing the fixup protocol services as in the PIX that I am used to seeing? If so do I lose this functionality by applying a global service-policy for IPS/

Sorry for the length of the post and thanks for your help in advance.

Labels:
0 Helpful
2 Replies 2

marcabal
Cisco Employee
Cisco Employee

‎11-03-2005 08:22 AM

The configuration in the IPS User's Guide is just one method for settings up the ASA to send packets to the SSM.

It is an extremely basic configuration on the ASA where all the ASA is doing is copying packets to the SSM and the ASA is not doing any of it's firewall functionality.

This configuration is only practical if the ASA was purchased and used only for housing the SSM and sending it traffic ( a rare deployment in the field ).

If your ASA is already configured for firewall functionality then the only additional command(s) that need to be added to your config are:

ips inline|promiscuous fail-open|fail-close

Take your existing policy-map and for every class in that policy you will need to decide if the traffic should be monitored promiscuously, inline, or not monitored by the SSM.

In your example, if you wanted to monitor all of the traffic inline on the SSM and want to continue passing traffic if the SSM fails. Then simply add the line "ips inline fail-open" within the existing "class inspection_default".

NOTE: If you change the policy you need to understand that the new policy will only affect new connections and not existing connections.

The only reason you would have to create additional acls and class maps using the acls would be if you did not want all of the traffic monitored inline by the SSM.

If you want different traffic monitored promiscuous and other inline (or not monitored), then you need to include additional classes in your policy-map so that a different ips configuration line can be added for each class.

0 Helpful

JHaynes4
Level 1
Level 1
In response to marcabal

‎11-03-2005 11:04 AM

Thanks for the reply. I thought things were a bit odd. I'm not sure why they would put out a document for such a situation instead of one that would be helpful to most people, but your answer is very clear. Thanks again.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card