08-14-2008 07:01 PM - edited 03-10-2019 04:15 AM
Hello Everyone,
I have configured an ASA5510 to send all traffic to the IPS like below, as the Cisco doc described.
access-list IPS extended permit ip any any
class-map my-ips-class
match access-list IPS
policy-map my-ips-policy
class my-ips-class
ips inline fail-close
service-policy my-ips-policy global
And all incoming traffic from outside should go to the IPS. How do I make sure that traffic is going to the IPS?
If I give a command like this
sh service-policy global
it shows the below:
Global policy:
Service-policy: my-ips-policy
Class-map: my-ips-class
IPS: card status Up, mode inline fail-close
packet input 12119, packet output 12119, drop 0, reset-drop 0
Then I go to the IPS and enable signature definition number 2004 to deny ICMP echo request. In actions I chose "deny packet inline", but still I can ping from outside to inside.
Please advise sir what to do.
Regards,
Tuhin.
08-15-2008 06:50 AM
Did you check in the IDM if the signature 2004 is firing? If it is firing, make sure the "Deny packet" option is set correctly.
Trust your virtual sensor vs0 config is completed and the interface Gig0/1 is added to the vs0.
You could also use "packet display interface Gig 0/1 expression (tcpdump expressions)" on the IPS CLI to see if the sensor is indeed seeing the Echo traffic.
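The first thing the original post asks is how to prove the traffic is actually being handed to the IPS module. One defensible way is to take the "sh service-policy global" output twice and confirm the IPS class counters rise between samples. The script below is an added example, not from the thread or from Cisco: it parses output in the format quoted above (the two snapshots are constructed, not captured from a real ASA) and reports whether redirection is working. A rising "packet input" counter only proves traffic reaches the sensor; whether signature 2004 fires still has to be checked in the sensor's own event view, as the reply says.

```python
import re

# Constructed sample output of "show service-policy global", modelled on the output quoted
# in the thread (not captured from a real ASA). Two snapshots taken a few seconds apart.
SAMPLE_BEFORE = """Global policy:
  Service-policy: my-ips-policy
    Class-map: my-ips-class
      IPS: card status Up, mode inline fail-close
        packet input 12119, packet output 12119, drop 0, reset-drop 0
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("12119", "12250")

IPS_RE = re.compile(r"IPS: card status (?P<status>\S+), mode (?P<mode>inline|promiscuous)"
                    r"(?: (?P<fail>fail-(?:open|close)))?")
COUNTER_RE = re.compile(r"packet input (?P<input>\d+), packet output (?P<output>\d+), "
                        r"drop (?P<drop>\d+), reset-drop (?P<reset_drop>\d+)")


def parse_ips_stats(text):
    """Extract card status, mode, fail policy and the integer counters of the IPS class."""
    status = IPS_RE.search(text)
    counters = COUNTER_RE.search(text)
    if not (status and counters):
        raise ValueError("no IPS class found in service-policy output")
    stats = dict(status.groupdict())
    stats.update({k: int(v) for k, v in counters.groupdict().items()})
    return stats


def check_ips_redirect(before, after):
    """Compare two snapshots and report whether traffic is demonstrably reaching the sensor.

    A rising 'packet input' counter proves redirection to the IPS module; it says nothing
    about whether a signature fires, which must be confirmed in the sensor's own event log.
    """
    a, b = parse_ips_stats(before), parse_ips_stats(after)
    findings = []
    if b["status"] != "Up":
        findings.append(f"IPS card status is {b['status']}, not Up")
    if b["mode"] != "inline":
        findings.append(f"mode is {b['mode']}; inline is required for deny-packet to take effect")
    if b["fail"] == "fail-open":
        findings.append("fail-open: traffic bypasses inspection while the sensor is down")
    input_delta = b["input"] - a["input"]
    if input_delta <= 0:
        findings.append("packet input counter did not increase; traffic is not reaching the IPS")
    return {"ok": not findings, "input_delta": input_delta,
            "drop_delta": b["drop"] - a["drop"], "findings": findings}


if __name__ == "__main__":
    print(check_ips_redirect(SAMPLE_BEFORE, SAMPLE_AFTER))
```

A drop_delta of 0 while pings are being sent from outside matches the symptom in the post: the sensor sees the packets but is not denying any of them.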
08-16-2008 12:20 AM
Thank you very much, sir. It's now working. I didn't add interface Gig0/1 to vs0.
Thank you.
Regards,
Tuhin
Dhaka.