Configuring Asa To Send Ips Traffic To Aip-Ssm - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual

Configuration guide

Chapter 14 Configuring AIP-SSM
Sending Traffic to AIP-SSM

Configuring ASA to Send IPS Traffic to AIP-SSM

On ASA, to identify traffic to be diverted to and inspected by AIP-SSM:

1. Use the class-map command to define the IPS traffic class.
2. Use the policy-map command to create an IPS policy map by associating the traffic class with one or more actions.
3. Use the service-policy command to create an IPS security policy by associating the policy map with one or more interfaces.

Note: For more information on these commands, refer to Chapter 18, "Using Modular Policy Framework," in Cisco Security Appliance Command Line Configuration Guide.

You can use the ASA CLI or ASDM to configure IPS traffic inspection.

The following options apply:

access-list word—Configures an access control element; word is the access list identifier (up to 241 characters).

class-map class_map_name—Defines the IPS traffic class.

match—Identifies the traffic included in the traffic class. A traffic class map contains a match command. When a packet is compared against a class map, the result is either a match or no match.
    access-list—Matches an access list.
    any—Matches any packet.

policy-map policy_map_name—Creates an IPS policy map by associating the traffic class with one or more actions.

ips [inline | promiscuous] [fail-close | fail-open]—Assigns traffic to AIP-SSM:
    inline—Places AIP-SSM directly in the traffic flow. No traffic can continue through ASA without first passing through, and being inspected by, AIP-SSM. This mode is the most secure because every packet is analyzed before being permitted through. Also, AIP-SSM can enforce a blocking policy on a packet-by-packet basis. This mode, however, can reduce throughput.
    promiscuous—Sends a duplicate stream of traffic to AIP-SSM. This mode is less secure, but has little impact on traffic throughput. Unlike inline mode, AIP-SSM can only block traffic by instructing ASA to block the traffic or by resetting a connection on ASA. Moreover, while AIP-SSM is analyzing the traffic, a small amount of traffic might pass through ASA before AIP-SSM can block it.
    fail-close—Sets ASA to block all traffic in the class if AIP-SSM is unavailable.
    fail-open—Sets ASA to permit all traffic in the class through, uninspected, if AIP-SSM is unavailable. This trades security for availability: an outage of the module (reload, upgrade, hardware failure) leaves the traffic unprotected rather than interrupted, so choose it only where that is an acceptable outcome.

service-policy policy_map_name [global | interface interface_name]—Creates an IPS security policy by associating the policy map with one or more interfaces.
    global—Applies the policy map to all interfaces.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
14-3
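The three steps above, worked through as a complete ASA configuration. This is an added example, not configuration from the Cisco guide; the names IPS_TRAFFIC, IPS_CLASS and IPS_POLICY are arbitrary, the ACL matches all IP traffic for illustration, and the commented-out variant at the end shows the weaker promiscuous/fail-open choice for comparison.

```text
! Added example (not from the Cisco guide). Names are arbitrary.

! Step 1: define the IPS traffic class. Here every IP packet is inspected;
! narrow the access list to the subnets that matter if module throughput
! is a concern.
access-list IPS_TRAFFIC extended permit ip any any

class-map IPS_CLASS
 match access-list IPS_TRAFFIC

! Step 2: associate the class with the ips action.
!   inline     = each packet passes through AIP-SSM before ASA forwards it
!   fail-close = if AIP-SSM is unavailable, ASA drops the matched traffic
policy-map IPS_POLICY
 class IPS_CLASS
  ips inline fail-close

! Step 3: apply the policy map to all interfaces.
service-policy IPS_POLICY global

! Weaker alternative, for comparison only:
!   promiscuous = ASA forwards a copy; the packet may already be through
!                 before AIP-SSM can ask ASA to block or reset it
!   fail-open   = if AIP-SSM is unavailable, matched traffic is forwarded
!                 uninspected
! policy-map IPS_POLICY
!  class IPS_CLASS
!   ips promiscuous fail-open
```

Two practical caveats: ASA permits only one global service policy, so on an appliance that already has one (commonly the default global_policy), add the IPS class to that existing policy map instead of creating a second global policy; and after applying it, confirm with `show service-policy` that the ips action appears on the expected interfaces with the intended inline/fail-close settings, since a typo in the class or ACL name silently leaves the traffic uninspected.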
