This section covers how to configure the Cisco ASA to direct traffic to the AIP-SSM in inline and promiscuous modes. The following steps specify how traffic is forwarded to the AIP-SSM:

Step 1. To classify how and what traffic will be forwarded to the AIP-SSM, configure a class map by using the class-map command. A class map named IPSclass is configured in this example to match all traffic passing through the security appliance:

    Chicago# configure terminal
    Chicago(config)# class-map IPSclass
    Chicago(config-cmap)# match any

Step 2. Add a policy map with the policy-map command. A policy map named IPSpolicy is configured in this example:

    Chicago(config)# policy-map IPSpolicy
    Chicago(config-pmap)#

Step 3. Associate the previously configured class map with the new policy map as follows:

    Chicago(config-pmap)# class IPSclass

Step 4. Use the ips subcommand to specify the IPS mode of operation (inline or promiscuous) and how the ASA behaves if the module fails. The command syntax is as follows:

    ips {inline | promiscuous} {fail-close | fail-open}

In this example, the ASA is configured with the inline keyword, placing the AIP-SSM directly in the traffic flow:

    Chicago(config-pmap-c)# ips inline fail-close

The fail-close keyword is used in this example. This forces the ASA to block all traffic if the AIP-SSM fails.

Note: The AIP-SSM is not hot-swappable. You can shut down the module by using the hw-module module 1 shutdown command.

Step 5. Activate the policy map globally or on one or more interfaces with the service-policy command. The command syntax is as follows:

    service-policy policymap_name {global | interface interface_name}

The global keyword applies the policy to all interfaces. The interface keyword applies the policy to a specific interface. In this example, the policy is applied to the outside and dmz1 interfaces:

    Chicago(config)# service-policy IPSpolicy interface outside
    Chicago(config)# service-policy IPSpolicy interface dmz1

Note: Only one policy map can be applied to a specific interface.
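The choice between fail-close and fail-open in Step 4 decides whether traffic is dropped or passed uninspected when the AIP-SSM fails, so it is worth checking in the running configuration rather than trusting memory. The following script is an added example, not part of the book or of any Cisco tool: it walks the class-map / policy-map / service-policy structure built in Steps 1 to 5 and reports every interface (or the global binding) whose IPS action is fail-open. The configuration text and the LabPolicy policy map are constructed for the example.

```python
import re

# Constructed sample ASA running-config excerpt (not from a real device). It mirrors
# the five steps above and adds a second policy map using fail-open for contrast.
SAMPLE_CONFIG = """\
class-map IPSclass
 match any
policy-map IPSpolicy
 class IPSclass
  ips inline fail-close
policy-map LabPolicy
 class IPSclass
  ips promiscuous fail-open
service-policy IPSpolicy interface outside
service-policy IPSpolicy interface dmz1
service-policy LabPolicy interface inside
"""

IPS_RE = re.compile(r"^ips (inline|promiscuous) (fail-close|fail-open)\b")
BIND_RE = re.compile(r"^service-policy (\S+) (?:global|interface (\S+))$")


def parse_ips_policies(config: str) -> dict:
    """Map each policy map carrying an 'ips' action to its class, mode and
    failure behaviour, tracking the policy-map / class nesting line by line."""
    policies, pmap, cls = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            pmap, cls = line.split()[1], None
        elif line.startswith("class ") and pmap:
            cls = line.split()[1]
        elif pmap and cls and (m := IPS_RE.match(line)):
            policies[pmap] = {"class": cls, "mode": m.group(1), "on_fail": m.group(2)}
    return policies


def parse_bindings(config: str) -> list:
    """Return (policy_map, target) pairs; target is an interface name or 'global'."""
    matches = (BIND_RE.match(raw.strip()) for raw in config.splitlines())
    return [(m.group(1), m.group(2) or "global") for m in matches if m]


def fail_open_targets(config: str) -> list:
    """(target, policy_map, mode) for every binding whose IPS action is fail-open,
    i.e. where traffic bypasses inspection if the AIP-SSM fails."""
    policies = parse_ips_policies(config)
    return [(target, pmap, policies[pmap]["mode"])
            for pmap, target in parse_bindings(config)
            if pmap in policies and policies[pmap]["on_fail"] == "fail-open"]
```

Run fail_open_targets() over the output of show running-config; an empty list means every IPS-bound interface drops traffic on module failure, as the fail-close example above does.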