Directing Traffic to the AIP-SSM

This section covers how to configure the Cisco ASA to direct traffic to the AIP-SSM for inline and promiscuous modes. The following steps specify how traffic will be forwarded to the AIP-SSM:

Step 1.

To classify how and what traffic will be forwarded to the AIP-SSM, configure a class map by using the class-map command. A class map named IPSclass is configured in this example to match all traffic passing through the security appliance:

Chicago# configure terminal

Chicago(config)# class-map IPSclass

Chicago(config-cmap)# match any

Step 2.

Add a policy map with the policy-map command. A policy map named IPSpolicy is configured in this example:

Chicago(config)# policy-map IPSpolicy


Step 3.

Associate the previously configured class map to the new policy map as follows:

Chicago(config-pmap)# class IPSclass

Step 4.

Use the ips subcommand to specify the IPS mode of operation (inline vs. promiscuous) and how the ASA handles traffic if the module fails. The command syntax is as follows:

ips {inline | promiscuous} {fail-close | fail-open}

In this example, the ASA is configured with the inline keyword, placing the AIP-SSM directly in the traffic flow:

Chicago(config-pmap-c)# ips inline fail-close

The fail-close keyword is used in this example. This forces the ASA to block all traffic if the AIP-SSM fails.

The AIP-SSM is not hot-swappable. You can shut down the module by using the hw-module module 1 shutdown command.

Step 5.

Activate the policy map globally or on one or more interfaces with the service-policy command. The command syntax is as follows:

service-policy policymap_name {global | interface interface_name}

The global keyword applies the policy to all interfaces. The interface keyword applies the policy to a specific interface. In this example, the policy is applied to the outside and dmz1 interfaces:

Chicago(config)# service-policy IPSpolicy interface outside

Chicago(config)# service-policy IPSpolicy interface dmz1

Only one policy map can be applied to a specific interface.
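The five steps above produce a short chain in the running configuration: a class-map selects traffic, a policy-map attaches an ips action to that class, and service-policy binds the policy-map to interfaces or globally. The following added example (not from the book and not a Cisco tool) parses that chain from configuration text and reports, per interface, whether traffic reaches the AIP-SSM, in which mode, and what happens if the module fails. The sample configuration is constructed: the IPSclass/IPSpolicy/outside/dmz1 lines mirror the Chicago example, while LegacyPolicy, the inside interface and the management interface are hypothetical additions used to exercise the checks (a fail-open policy, and an interface with no IPS policy at all).

```python
"""Audit which ASA interfaces send traffic to the AIP-SSM, and how.

Added example, not the book's or Cisco's code. It understands only the
Modular Policy Framework lines produced by the five configuration steps:
class-map, policy-map, class, ips, and service-policy.
"""
import re
from dataclasses import dataclass

# Constructed sample. IPSclass/IPSpolicy/outside/dmz1 follow the Chicago
# example; LegacyPolicy and the inside interface are hypothetical.
SAMPLE_CONFIG = """\
class-map IPSclass
 match any
!
policy-map IPSpolicy
 class IPSclass
  ips inline fail-close
!
policy-map LegacyPolicy
 class IPSclass
  ips promiscuous fail-open
!
service-policy IPSpolicy interface outside
service-policy IPSpolicy interface dmz1
service-policy LegacyPolicy interface inside
"""


@dataclass
class IpsAction:
    class_name: str   # class-map the action applies to
    mode: str         # "inline" or "promiscuous"
    failure: str      # "fail-close" or "fail-open"


def parse_mpf(config):
    """Return (class_maps, policy_maps, bindings) from ASA config text.

    class_maps:  {name: [match lines]}
    policy_maps: {name: [IpsAction, ...]}
    bindings:    [(policy_name, target)], target is "global" or an interface
    """
    class_maps, policy_maps, bindings = {}, {}, []
    current_class = current_policy = current_pmap_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:
            # Top-level line: closes whichever block we were inside.
            current_class = current_policy = current_pmap_class = None
            if m := re.match(r"class-map (\S+)$", line):
                current_class = m.group(1)
                class_maps[current_class] = []
            elif m := re.match(r"policy-map (\S+)$", line):
                current_policy = m.group(1)
                policy_maps[current_policy] = []
            elif m := re.match(r"service-policy (\S+) (global|interface (\S+))$", line):
                bindings.append((m.group(1), m.group(3) or "global"))
            continue
        if current_class is not None and line.startswith("match "):
            class_maps[current_class].append(line)
        elif current_policy is not None:
            if m := re.match(r"class (\S+)$", line):
                current_pmap_class = m.group(1)
            elif m := re.match(r"ips (inline|promiscuous) (fail-close|fail-open)$", line):
                policy_maps[current_policy].append(
                    IpsAction(current_pmap_class, m.group(1), m.group(2)))
    return class_maps, policy_maps, bindings


def audit(config, interfaces):
    """Map each interface to its (mode, failure) and list findings."""
    class_maps, policy_maps, bindings = parse_mpf(config)
    findings, coverage, bound_to = [], {}, {}
    # Interface bindings take precedence over a global one, so resolve
    # them first and let "global" fill in only the remaining interfaces.
    for policy, target in sorted(bindings, key=lambda b: b[1] == "global"):
        if policy not in policy_maps:
            findings.append(f"service-policy references unknown policy-map {policy}")
            continue
        if target != "global" and target in bound_to:
            findings.append(f"interface {target} has more than one policy map "
                            f"({bound_to[target]}, {policy})")
        bound_to.setdefault(target, policy)
        targets = interfaces if target == "global" else [target]
        for action in policy_maps[policy]:
            if action.class_name not in class_maps:
                findings.append(f"policy-map {policy} references unknown "
                                f"class-map {action.class_name}")
            if action.failure == "fail-open":
                findings.append(f"{policy} on {target}: traffic bypasses the "
                                f"AIP-SSM if the module fails (fail-open)")
            for iface in targets:
                coverage.setdefault(iface, (action.mode, action.failure))
    for iface in interfaces:
        if iface not in coverage:
            findings.append(f"interface {iface} sends no traffic to the AIP-SSM")
    return {"coverage": coverage, "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG, ["outside", "dmz1", "inside", "management"])
    for iface, (mode, failure) in report["coverage"].items():
        print(f"{iface:<12} {mode:<12} {failure}")
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Run against a saved `show running-config`, the report shows at a glance that outside and dmz1 are inspected inline and blocked on module failure, that inside would pass traffic uninspected if the module failed, and that management is not inspected at all. The check for a second policy map on one interface reflects the note above that only one policy map can be applied per interface.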


Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
Year: 2006
Pages: 231
