Directing Traffic to the AIP-SSM

This section covers how to configure the Cisco ASA to direct traffic to the AIP-SSM for inline and promiscuous modes. The following steps specify how traffic will be forwarded to the AIP-SSM:

Step 1.

To classify how and what traffic will be forwarded to the AIP-SSM, configure a class map by using the class-map command. A class map named IPSclass is configured in this example to match all traffic passing through the security appliance:

Chicago# configure terminal

Chicago(config)# class-map IPSclass

Chicago(config-cmap)# match any

Step 2.

Add a policy map with the policy-map command. A policy map named IPSpolicy is configured in this example:

Chicago(config)# policy-map IPSpolicy


Step 3.

Associate the previously configured class map to the new policy map as follows:

Chicago(config-pmap)# class IPSclass

Step 4.

Use the ips subcommand to specify the IPS mode of operation (inline vs. promiscuous) and what the failover mechanism will be. The command syntax is as follows:

ips {inline | promiscuous} {fail-close | fail-open}

In this example, the ASA is configured with the inline keyword placing the AIP-SSM directly in the traffic flow.
Chicago(config-pmap-c)# ips inline fail-close

The fail-close keyword is used in this example. This forces the ASA to block all traffic if the AIP-SSM fails.


The AIP-SSM is not hot-swappable. You can shut down the module by using the hw-module module 1 shutdown command.

Step 5.

Activate the policy map globally or on one or more interfaces with the service-policy command. The command syntax is as follows:

service-policy policymap_name {global | interface interface_name}

The global keyword applies the policy to all interfaces. The interface keyword applies the policy to a specific interface. In this example, the policy is applied to the outside and dmz1 interfaces:
Chicago(config)# service-policy IPSpolicy interface outside

Chicago(config)# service-policy IPSpolicy interface dmz1


Only one policy map can be applied to a specific interface.

Cisco Asa(c) All-in-one Firewall, IPS, And VPN Adaptive Security Appliance
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
EAN: 2147483647
Year: 2006
Pages: 231
Simiral book on Amazon © 2008-2017.
If you may any questions please contact us: