Diverting Traffic to the AIP SSM - Cisco PIX 500 Series Configuration Manual

Managing the AIP SSM

Diverting Traffic to the AIP SSM

To identify traffic to divert from the adaptive security appliance to the AIP SSM, perform the following
steps. In multiple context mode, perform these steps in each context execution space.

Step 1 To identify the traffic that you want to be inspected by the AIP SSM, add one or more class maps using
the class-map command according to the "Creating a Layer 3/4 Class Map for Through Traffic" section
on page 21-3.
For example, you can match all traffic using the following commands:
    hostname(config)# class-map IPS
    hostname(config-cmap)# match any
To match specific traffic, you can match an access list:
    hostname(config)# access-list IPS extended permit ip any 10.1.1.1 255.255.255.255
    hostname(config)# class-map IPS
    hostname(config-cmap)# match access-list IPS

Step 2 To add or edit a policy map that sets the action to divert traffic to the AIP SSM, enter the following
commands:
    hostname(config)# policy-map name
    hostname(config-pmap)# class class_map_name
    hostname(config-pmap-c)#
where the class_map_name is the class map from Step 1.
For example:
    hostname(config)# policy-map IPS
    hostname(config-pmap)# class IPS

Step 3 To divert the traffic to the AIP SSM, enter the following command:
    hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]
where the inline and promiscuous keywords control the operating mode of the AIP SSM. See the
"Operating Modes" section on page 22-2 for more details.
The fail-close keyword sets the adaptive security appliance to block all traffic if the AIP SSM is
unavailable.
The fail-open keyword sets the adaptive security appliance to allow all traffic through, uninspected, if
the AIP SSM is unavailable.
If you use virtual sensors on the AIP SSM, you can specify a sensor name using the sensor sensor_name
argument. To see available sensor names, enter the ips ... sensor ? command. Available sensors are
listed. You can also use the show ips command. If you use multiple context mode on the security
appliance, you can only specify sensors that you assigned to the context (see the "Assigning Virtual
Sensors to Security Contexts" section on page 22-6). Use the mapped_name if configured in the context.
If you do not specify a sensor name, then the traffic uses the default sensor. In multiple context mode,
you can specify a default sensor for the context. In single mode or if you do not specify a default sensor
in multiple mode, the traffic uses the default sensor that is set on the AIP SSM. If you enter a name that
does not yet exist on the AIP SSM, you get an error, and the command is rejected.

Step 4 (Optional) To divert another class of traffic to the AIP SSM, and set the IPS policy, enter the following
commands:
    hostname(config-pmap-c)# class class_map_name2

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03
Chapter 22 Managing the AIP SSM and CSC SSM, page 22-8
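The following configuration is an added worked example that pulls Steps 1 through 4 together; it is not taken from the Cisco guide. It sends traffic to and from one DMZ server through the sensor inline with fail-close (if the module is down, that traffic is blocked rather than passed uninspected), and sends all remaining traffic to the sensor in promiscuous mode with fail-open (a copy is inspected, nothing is blocked, and an outage of the module leaves this traffic flowing but uninspected). The ACL and class names, the host address 10.1.1.1 and the virtual sensor name vs0 are assumptions chosen for illustration; the final service-policy line activates the policy and is a standard ASA MPF step that lies beyond the page shown above.

```cisco
! Added example, not from the Cisco guide. Names, the host 10.1.1.1 and the
! sensor name "vs0" are assumed values for illustration.
!
! Step 1: class maps. The DMZ class matches both directions of traffic to the
! server; the second class catches everything else.
access-list IPS_DMZ extended permit ip any host 10.1.1.1
access-list IPS_DMZ extended permit ip host 10.1.1.1 any
!
class-map IPS_DMZ
 match access-list IPS_DMZ
!
class-map IPS_REST
 match any
!
! Steps 2-4: policy map with one ips action per class. For a given feature a
! packet is matched to only one class, in the order the classes appear, so the
! narrow DMZ class must come before the match-any class.
policy-map IPS_POLICY
 class IPS_DMZ
  ips inline fail-close sensor vs0
 class IPS_REST
  ips promiscuous fail-open
!
! Nothing is diverted until the policy is applied (here, on all interfaces).
service-policy IPS_POLICY global
```

When choosing between fail-close and fail-open, decide per class: fail-close converts a sensor outage into an outage of the protected service but never lets that traffic bypass inspection, while fail-open keeps the service up at the cost of an inspection gap for as long as the module is unavailable. Verify what the module is actually seeing with show ips and the show service-policy output after applying the policy.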
