SSM IPS Configuration
I have a couple of questions regarding the ASA that deal with the SSM module.
I have read the document "Configuring ASA-SSM" and am confused by the command logic. I realize that you need to specify a service-policy globally that defines the traffic being sent to the SSM module. My concern is that the configuration document lists as one of its steps to define an ACL for the IPS traffic and then apply it to an interface before configuring the class map, policy map, and service-policy. Why would this ACL need to be applied to an interface when it is being used for defining IPS traffic? Shouldn't the ASA send whatever traffic is defined globally in the service-policy to the SSM without attaching the ACL to an interface?
Also, on the ASA factory default configuration there is a service-policy defined as:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
But, if I define a global service-policy for the SSM I would lose this default service-policy as only one global service policy is allowed. Is the default service-policy providing the fixup protocol services as in the PIX that I am used to seeing? If so, do I lose this functionality by applying a global service-policy for IPS?
Sorry for the length of the post and thanks for your help in advance.
The configuration in the IPS User's Guide is just one method for setting up the ASA to send packets to the SSM.
It is an extremely basic configuration on the ASA where all the ASA is doing is copying packets to the SSM and the ASA is not doing any of its firewall functionality.
This configuration is only practical if the ASA was purchased and used only for housing the SSM and sending it traffic (a rare deployment in the field).
If your ASA is already configured for firewall functionality then the only additional command(s) that need to be added to your config are:
ips inline|promiscuous fail-open|fail-close
Take your existing policy-map and for every class in that policy you will need to decide if the traffic should be monitored promiscuously, inline, or not monitored by the SSM.
In your example, if you wanted to monitor all of the traffic inline on the SSM and want to continue passing traffic if the SSM fails, then simply add the line "ips inline fail-open" within the existing "class inspection_default".
NOTE: If you change the policy you need to understand that the new policy will only affect new connections and not existing connections.
The only reason you would have to create additional acls and class maps using the acls would be if you did not want all of the traffic monitored inline by the SSM.
If you want different traffic monitored promiscuous and other inline (or not monitored), then you need to include additional classes in your policy-map so that a different ips configuration line can be added for each class.
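The checks the answer above describes (a single global service-policy, an `ips inline|promiscuous fail-open|fail-close` action inside a policy-map class, and a per-class decision about what the SSM sees) can be verified mechanically. The following Python linter is an added example, not code from the original thread or from Cisco; the sample configurations it carries are constructed from the default policy quoted in the question, and the ACL name, the `dmz-web` class and the `ips-policy` policy-map are invented for the illustration.

```python
"""Lint a Cisco ASA Modular Policy Framework (MPF) config for SSM redirection:
one global service-policy only, `ips inline|promiscuous fail-open|fail-close`
inside a policy-map class, and class-maps/ACLs that exist.  Nesting is found by
keyword rather than indentation, so configs pasted flat still parse."""
import re

TOP_LEVEL = {"access-list", "class-map", "policy-map", "service-policy", "interface", "access-group"}
IPS_RE = re.compile(r"^ips\s+(inline|promiscuous)\s+(fail-open|fail-close)(?:\s+sensor\s+\S+)?$")


def parse_mpf(config):
    """Return ({policy: {class: [actions]}}, [service-policy args], {class-map: match}, {acl names})."""
    policy_maps, class_maps, acls, service_policies = {}, {}, set(), []
    cur_pm = cur_class = cur_cm = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if words[0] in TOP_LEVEL:  # any top-level command closes the open blocks
            cur_pm = cur_class = cur_cm = None
        if words[0] == "access-list":
            acls.add(words[1])
        elif words[0] == "class-map":
            cur_cm = words[-1]
            class_maps[cur_cm] = None
        elif words[0] == "match" and cur_cm:
            class_maps[cur_cm] = line[len("match "):]
        elif words[0] == "policy-map" and words[1] != "type":  # skip inspect policy-maps (dns etc.)
            cur_pm = words[1]
            policy_maps[cur_pm] = {}
        elif words[0] == "class" and cur_pm:
            cur_class = words[1]
            policy_maps[cur_pm][cur_class] = []
        elif words[0] == "service-policy":
            service_policies.append(words[1:])  # [name, 'global'] or [name, 'interface', ifname]
        elif cur_pm and cur_class:
            policy_maps[cur_pm][cur_class].append(line)
    return policy_maps, service_policies, class_maps, acls


def lint(config):
    """Return human-readable findings; an empty list means the MPF config is consistent."""
    policy_maps, service_policies, class_maps, acls = parse_mpf(config)
    findings = []
    global_sps = [sp[0] for sp in service_policies if sp[-1] == "global"]
    if len(global_sps) > 1:
        findings.append("only one global service-policy is allowed; found: " + ", ".join(global_sps))
    for cm, match in class_maps.items():
        if match and match.startswith("access-list ") and match.split()[1] not in acls:
            findings.append(f"class-map {cm} matches undefined {match}")
    for pm, classes in policy_maps.items():
        for cls, actions in classes.items():
            if cls != "class-default" and cls not in class_maps:
                findings.append(f"policy-map {pm}: class {cls} has no class-map")
            for a in (a for a in actions if a.split()[0] == "ips"):
                if not IPS_RE.match(a):
                    findings.append(f"policy-map {pm}/{cls}: malformed '{a}' "
                                    "(expected ips inline|promiscuous fail-open|fail-close)")
    return findings


def ssm_coverage(config):
    """Map 'policy-map/class' to the SSM mode its traffic gets: inline, promiscuous or none."""
    coverage = {}
    for pm, classes in parse_mpf(config)[0].items():
        for cls, actions in classes.items():
            modes = [m.group(1) for m in map(IPS_RE.match, actions) if m]
            coverage[f"{pm}/{cls}"] = modes[-1] if modes else "none"
    return coverage


# Constructed: the thread's default policy with the one line the answer adds,
# plus a second, ACL-based class that is only monitored promiscuously.
GOOD_CONFIG = """\
access-list DMZ_WEB extended permit tcp any host 192.0.2.10 eq 80
class-map inspection_default
 match default-inspection-traffic
class-map dmz-web
 match access-list DMZ_WEB
policy-map global_policy
 class inspection_default
  inspect ftp
  ips inline fail-open
 class dmz-web
  ips promiscuous fail-open
service-policy global_policy global
"""

# Constructed: a second global service-policy (the question's worry) and an `ips` line missing its fail mode.
TWO_GLOBALS_CONFIG = GOOD_CONFIG + """\
policy-map ips-policy
 class dmz-web
  ips inline
service-policy ips-policy global
"""
```

Running `lint(TWO_GLOBALS_CONFIG)` reports both the duplicate global policy and the malformed `ips` line, while `ssm_coverage(GOOD_CONFIG)` shows the per-class decision the answer asks for: `inspection_default` inline, `dmz-web` promiscuous. The parser deliberately ignores `policy-map type inspect ...` blocks, because those are protocol inspection maps rather than traffic-redirect policies.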
Similar Messages
-
ASA SSM IPS module upgrade won't work
Hello all,
I'm trying to upgrade the IPS sig's on an ASA5520 with a SSM IPS module. I'm trying to upgrade the system to 5.1.1 to further upgrade the device with no luck.
I followed these steps provided by Cisco.com:
1. Log in to the ASA.
2. Enter enable mode:
asa# enable
3. Configure the recovery settings for ASA-SSM:
asa (enable)# hw-module module 1 recover configure
NOTE: If you make an error in the recovery configuration, use the
hw-module module 1 recover stop command to stop the system reimaging
and then you can correct the configuration.
4. Specify the TFTP URL for the system image:
Image URL [tftp://0.0.0.0/]:
Example:
Image URL [tftp://0.0.0.0/]: tftp://10.20.30.40/IPS-SSM-K9-sys-1.1-a-5.1-1.img
5. Specify the command and control interface of ASA-SSM:
Port IP Address [0.0.0.0]:
Example:
Port IP Address [0.0.0.0]: 11.21.31.41
6. Leave the VLAN ID at 0.
VLAN ID [0]:
7. Specify the default gateway of the ASA-SSM:
Gateway IP Address [0.0.0.0]:
Example:
Gateway IP Address [0.0.0.0]: 11.22.33.44
8. Execute the recovery:
asa# hw-module module 1 recover boot
9. Periodically check the recovery until it is complete.
NOTE: The status reads "Recovery" during recovery and reads "Up" when
reimaging is complete.
After #8 it just goes back to the enable prompt. A 'sh module' lists the device as 'recover' and hangs FOREVER.... I tested the TFTP server which the new image resides on, and the TFTP is working fine. I don't see any attempts or downloads from the TFTP server for over an hour.
I opened a Cisco TAC case on this and am not receiving a lot of help...
Please help!!!:)
Thanks
Chris Serafin
The recovery using this method can take upwards of 30 minutes, and in some cases even longer.
How long have you left the SSM in the "recovery" state?
There may be something wrong in the config you entered. When that happens the SSM can go into a continuous reboot cycle trying to do the recovery.
Execute "debug module-boot" on the console of the ASA.
The debug output will show you the ROMMON output of the SSM itself. (The SSM has its own ROMMON. The recovery boot command sends the settings made during the recover configure command to the SSM's ROMMON).
If the ROMMON is experiencing a problem in trying to download the tftp image you should now see that ROMMON error message.
Some typical problems I have seen:
1) Wrong IP given for the sensor.
2) Wrong IP given for the gateway (the gateway must exist on the same network as the sensor). This problem usually happens when using a non-standard netmasked network.
3) Not having the sensor's command and control port plugged into the right network. The external port of the SSM itself is where the IP is being applied. You need to ensure that the external port of the SSM is plugged into the right network for that IP.
4) The tftp server is not reachable from the network where the sensor's command and control port is attached. Some users think that if the ASA itself can reach the tftp server that the SSM will also be able to. This is not always the case. It is best to use a tftp server on the same network as the IP provided to the SSM. Or to test the tftp server from another machine on the same network as the SSM.
5) The file name is wrong. Check the capitalization especially.
6) The file is not in the default directory on the tftp server. If the file is in a subdirectory you will need to add that subdirectory to the URL:
tftp://10.20.30.40/subdirectoryname/filename
7) The tftp is timing out.
There are 2 things that can cause this:
a) The tftp server is remote, and it takes too long to download the file. The ROMMON does have limits on the number of retries and per packet timeouts (but they are not user configurable). Try using a tftp server local to the SSM.
b) The switch that the SSM connects to has spanning-tree running and spanning-tree does not complete before the SSM ROMMON times out for the tftp attempt. The tftp attempt happens immediately upon ROMMON startup and link up. But with a switch the switch port may be in a "Listen" or "Learn" state for 40 seconds before the box can actually talk on the network. In some cases the tftp download attempts started as soon as link up, and may timeout even before the spanning-tree completes. To work around this configure "spanning-tree portfast" on the switchport. Spanning-tree will connect the port into the vlan immediately rather than 40 seconds later.
If it was a config problem when configuring the recovery settings, then there is a "recover stop" command on the ASA.
It will stop the reboot cycle from happening.
Let the module come up with the old image.
Then correct your "recover configure" settings, and try the "recover boot" again.
Another alternative:
Stop the recovery "recover stop"
Let it boot into the old image.
If it was a 5.0 version, then you can actually upgrade to 5.1 using the sensor's own CLI "upgrade" command. It is actually the preferred method.
The "recover" from the ASA will wipe the box clean and load a fresh image.
The "upgrade" from the sensor will convert your 5.0 config into a 5.1 config while installing 5.1.
5.1 upgrade file:
IPS-K9-min-5.1-1g.pkg
http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
It can be applied through the sensor's CLI upgrade command, or pushed directly through IDM, or applied by CSM.
The "recover" should be limited to disaster recovery. When you can't access the SSM at all, or the files on the SSM have been corrupted.
For normal upgrades you want to use "upgrade" files done through the sensor itself (CLI, IDM, or CSM). -
CISCO 2851 with IPS configuration
Hi guys, I'm planning to do an IOS IPS configuration on a newly purchased 2851 router, the spec is as below:
CISCO2851-HSEC/K9
CISCO 2800 AdvanceIPservice :Version 12.4(15)T10
64MB CF default
512DDR DRAM
My problem right now is, when I tried to configure the IPS feature, the SDM Express ver2.5 doesn't have the IPS tabs that allow me to configure it. I noticed and highly suspect that is due to the express version of SDM, instead of the full/enhanced version of SDM. I tried to download the full version SDM from Cisco; the file size is 14MB, and my current CF free space is only 7MB. The IOS itself has used up 51MB. So I'm going to advise my customer that running IPS on the router is not possible due to the limited CF size. Can someone with experience in IPS correct me if I'm wrong? I'm fresh in the security area.
PS: I know the workaround is to install CSM on a workstation, then configure and manage this router from there.
Thanks
Hi Collin,
Thanks for your advice. I did read through the configuration that you posted. One line which I'm not clear about is this:
"copy flash:/IOS-S302-CLI.pkg idconf"
Where is this idconf? Is it a flash folder or somewhere else? Why do we need to copy the signature file to this idconf? Or, my guess, does this idconf refer to "flash:/ips"?
regards, -
IPS configuration promiscuous mode (fail-open) assistance/troubleshooting
Hi all ,
I have 2 ASAs configured in active/standby failover mode. I want to configure IPS in promiscuous mode with fail-open configuration.
I have not connected the IPS to any PC through the mgmt port.
I can access the IPS through the ASA (5520) using session 1 and am able to do basic configuration using setup.
After configuring, when I try to log in through ASA ASDM (IPS tab on the home page of ASA ASDM) it asks for an IP (management or other IP). I am trying to access the IPS with the IP (192.168.3.74) configured in the IPS using initial setup (192.168.3.74/27, 192.168.3.65) and have also added an access-list allowing 192.168.3.0/24.
ASA inside ip subnet:192.168.3.64/27
ASA DMZ ip subnet: 192.168.1.0/24
Let me know if I need to assign the IPS IP from the DMZ range or the inside range?
Do I need to set up the same IP for the IPS in both ASA modules?
Let me know if I can connect to the IPS from ASA ASDM using the IP (192.168.3.74) configured through setup on port 443?
What access-list should I add in the IPS or ASA if required?
While setting up the IPS the first time using the setup command I am not able to see the unused/monitored interface (g0/1) so that I could add both interfaces, which should show as per the Cisco doc. What may be the reason?
IPS 6.0
ASA(5520) 7.24
ASDM 5.24
Regards
Amardeep
You need to configure the interface properly and plug it into the network.
The second interface is displayed differently in the AIP-SSM, as this is a logical/internal connection to the ASA.
Regards
Farrukh -
Active-Standby SSM-IPS upgrade question
I have 2 ASA 5510's with ASA-SSM-10 IPS modules. The IPSs were running version 5.0.2, and I noticed this will not be supported for sigs so I started to upgrade to version 5.1.1g. I got one unit upgraded and it seems to be fine, but the second still says it is running 5.0.2 and it will not let me log in to it via CLI. When I force a failover the IPS always seems to be with the upgraded unit, so I can never get to my other IPS to upgrade it.
What did I do wrong?
Thanks,
Dan
When you say it will not let you log in via CLI, what method of connection are you attempting? Are you telnetting directly to the management IP of the second SSM, or sshing directly to the management IP of the second SSM, or sessioning through the console of the second ASA into the second SSM?
What if any errors are you seeing when trying to login?
When you say that you failover the IPS you can't get to the other IPS, to what are you referring?
The SSMs don't failover to each other. They do not share configuration, and should not share IP Addresses for their management IP. If you have configured the same IP for both SSMs, then you have a bad configuration. Each SSM needs its own independent IP Address. The SSMs should be managed as independent sensors. -
Correlating Cisco ASA-SSM-IPS Events/Logs
I have just configured a Cisco ASA-SSM-IPS10. An exciting feature of this device is the ability to monitor, analyse, and correlate security events. Can anybody help with documentation to simplify daily (or periodic) analysis and correlation of the IPS logs? As I am not yet up to speed with this task, a "How-to" document would be just fine. Thank you.
Hi Chris,
Good to have you get on the case. I am yet to set up an IPS manager software. Presently, I use an ASDM 6 interface; with this interface I am able to view events and alerts, and perform other administrative chores... Does the IPS Manager Express come bundled with our device purchase? Does it contain the necessary templates/docs for correlating events/logs? -
Help with first time IPS configuration
I just installed an AIP-SSM module in our ASA 5520 firewall (protecting a school district). I successfully configured it to scan all traffic sent both directions with the following config:
access-list IPS extended permit ip any any
class-map ips-class
 match access-list IPS
policy-map ips-policy
 class ips-class
  ips inline fail-open
no service-policy global_policy global
service-policy ips-policy global
I also configured it to Deny Attacker Inline when RR=75-100. Figured that was a simple configuration to get things started. However, we noticed that some websites were running very slowly after I implemented these settings. What is causing this?
I guess the other option would be to reconfigure to only scan incoming traffic initiated from the outside to help protect the district from incoming attacks. But I thought it would be more responsible of me to configure it to scan both ways to protect external hosts from an attack that a student could initiate from a school computer. Is this really necessary or am I creating headaches for myself?
Thanks for your response. I found DocID 71204 and based on that I modified the IPS config as follows:
access-list IPS permit ip interface outside any
class-map ips-class
 match access-list IPS
policy-map ips-policy
 class ips-class
  ips inline fail-open
service-policy global_policy global (put the default back)
service-policy ips-policy interface outside
But now the IPS doesn't appear to be doing anything, so I must have done something wrong. I modified signatures 2000 and 2004 with an RR=100 so that any incoming pings should be seen as a high-level attack and the incoming IP denied. If I go back to the original config this test works, but not with this config (which according to the Cisco doc should send any incoming traffic initiated from outside to the IPS). -
Hi all,
I am implementing IOS IPS on a 3800 router but I am not sure whether, when I enable it, all the previous TCP sessions already active across the router will be dropped by the inspect (because the IPS never saw when all those sessions started).
Any comments are really appreciated..
Some clarifications:
1. the fail closed option by default is not configured. Default option is fail open.
2. Cisco has recommended signature files (128MB.sdf and 256MB.sdf in 4.x signature format, and the basic and advanced categories in 5.x signature format). Those are the recommended starting point when configuring router-based IOS IPS. They have about 300 and 500 signatures respectively.
3. If configured right, the above two sets of signatures will take about 3 to 5 minutes to load and compile. During the compilation process the process CPU is normally high, but it won't affect data plane traffic passing through the router.
Hope this helps,
-Chris -
SSM-IPS 6.03E1 unwanted blocking
Hi all,
I am doing some testing in the lab and came across something that is interesting to me:
I enabled sigs 2000 and 2004 to test that the IPS is inspecting the traffic and set the action for those 2 sigs as produce alert only. That worked well with informational alert severity. However, when raising the severity to high the IPS starts blocking the ICMP packets even though the action on the signature is only produce alert. Why is the IPS blocking such traffic? Am I missing something here? As always, help is appreciated.
There is a default event-action-override for deny-packet-inline that gets added to all events with a Risk Rating of 90 or higher.
When running setup on the sensor, one of the last questions is "Modify default threat prevention settings?[no]".
If you answer "no" then the default remains active. Your 2000, and 2004 signatures will generate Risk Rating higher than 90 if you change the severity to high, and so will be automatically denied.
If you answer "yes" then you are provided the option to disable these default settings.
To see this setup option refer to step 20 of this section:
http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_initializing.html#wp1072155
To learn more about event action overrides refer to:
http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_event_action_rules.html#wp1085984 -
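To make the override behaviour above concrete, here is an added Python model; it is not the sensor's code and not from the original post. The Risk Rating formula and the severity and target-value tables are those of IPS 6.x. The signature fidelity rating of 100 and the `produce-alert` action set are constructed for the walk-through, not the real defaults of signatures 2000 and 2004, and the `Override` type is an invented name for the event-action-override rule.

```python
"""Model how an IPS 6.x event-action override turns a 'produce-alert' signature
into a packet drop once its Risk Rating (RR) reaches the override threshold.

RR = ASR * TVR * SFR / 10000 + ARR - PD + WLR, clamped to 0..100
  ASR attack severity rating (from the signature's severity)
  TVR target value rating, SFR signature fidelity rating
  ARR attack relevancy rating, PD promiscuous delta, WLR watch list rating
"""
from dataclasses import dataclass

SEVERITY_ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
# 'medium' is the target value a host gets when it is not listed explicitly.
TARGET_VALUE = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}


def risk_rating(severity, sfr, tvr="medium", arr=0, pd=0, wlr=0):
    """Risk Rating for one alert, integer 0..100."""
    rr = SEVERITY_ASR[severity] * TARGET_VALUE[tvr] * sfr // 10000 + arr - pd + wlr
    return max(0, min(100, rr))


@dataclass(frozen=True)
class Override:
    """One event-action-override rule: add `action` when rr_min <= RR <= rr_max."""
    action: str
    rr_min: int
    rr_max: int = 100
    enabled: bool = True


# What `setup` leaves active when "Modify default threat prevention settings?" is answered "no".
DEFAULT_OVERRIDES = (Override("deny-packet-inline", 90),)


def effective_actions(signature_actions, rr, overrides=DEFAULT_OVERRIDES):
    """The signature's own actions plus every enabled override whose RR range covers the event."""
    actions = set(signature_actions)
    for o in overrides:
        if o.enabled and o.rr_min <= rr <= o.rr_max:
            actions.add(o.action)
    return actions


def simulate(severity, sfr=100, signature_actions=("produce-alert",), overrides=DEFAULT_OVERRIDES):
    """Return (rr, effective action set) for an alert-only signature at the given severity.

    SFR 100 is an assumed value for the walk-through, not a real signature default.
    """
    rr = risk_rating(severity, sfr)
    return rr, effective_actions(signature_actions, rr, overrides)


if __name__ == "__main__":
    # The thread's experiment: same signature, only the severity changes.
    for sev in ("informational", "high"):
        rr, actions = simulate(sev)
        print(f"severity={sev:<13} RR={rr:>3}  actions={sorted(actions)}")
    # Disabling the override (answering "yes" in setup) restores alert-only behaviour.
    rr, actions = simulate("high", overrides=(Override("deny-packet-inline", 90, enabled=False),))
    print(f"override disabled     RR={rr:>3}  actions={sorted(actions)}")
```

With informational severity the RR stays at 25 and the sensor only alerts; at high severity the same signature reaches RR 100, the default override fires and `deny-packet-inline` is added even though the signature itself was never configured to deny. The same function also reproduces the earlier poster's "Deny Attacker Inline when RR=75-100" rule by passing `Override("deny-attacker-inline", 75)`.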
Dear boss
I have an ASA 5520 with IPS in my data center. I am using it for routing and access lists. It is running and all my 80 branches are running on it.
Now I want to enable IPS.
How do I start it?
When I click on IPS in graphic mode it asks for an IP. What should it be?
What is the procedure?
Is there any risk in enabling it during business hours?
Please tell me the details.
Thanking You
shahid
Hi,
To know more details for configuring IPS in ASA Firewall the below URL will help you
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html
Regards,
MK -
Hi,
I'm trying to configure my 4 port IPS, and am running into some peculiar situations that I can't seem to find resolution on.
I want to dedicate 2 of the 4 ports for iSCSI and the other 2 for FCIP. I'd like to bond 2 ports to support one IP addr, but am having a hard time doing that as well. When I try to add a GE port to a channel, it gives me a port not compatible message. Could it be possible that GE IPS ports cannot be added to a port channel? The Cisco guide is rather vague, as it only gives instructions on how to do it. Any insight would be helpful.
TIA.
Ken,
The IPS-4 is End of Sale, I'm not sure about the IPS-8 but it may also be End of Sale. You are correct, for FCIP redundancy, the best option is to create multiple tunnels, each using 1 GE interface, and then port-channel them together. If possible, use GE ports on different line cards so that if a line card reloads (like during an upgrade) the entire port channel will not be affected. All GE ports will flap during upgrade, they are not 'non-disruptive', but if the FCIP port channel is spread across multiple line cards, it will stay up, while the individual links flap 1 at a time during the upgrade. As for iSCSI, the best option is to use iSLB and load balance multiple incoming iSCSI connection across several GE ports. There really is no longer a need to bundle the GE ports, as the only time it was useful was for iSCSI prior to the iSLB (which is iSCSI server load balancing).
Hope this helps,
Mike -
Can I know the link where I can get the guide on how to work with the IPS SSM 10 (Cisco IDM 6.0)?
Configuring the AIP-SSM, IPS CLI Config Guide v6.0
http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliSSM.html
Troubleshooting the ASA AIP-SSM
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00808908d5.shtml
Sending traffic from ASA to AIP-SSM config example
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
Deploying IPS using the AIP-SSM
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/white_paper_c11-459025_ps6120_Products_White_Paper.html
Getting started guide ASA v8.0 configuring the AIP-SSM
http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/aipssm.html
initialize the AIP-SSM
http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliInit.html#wp1043876
installing the AIP-SSM system image
http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliImage.html#wp1032373 -
AIP-SSM configured with event action "produce alert", but it drops packets
Hi, I configured an AIP-SSM IPS with the event action "Produce Alert", but when a signature fires, it drops the packets. So, what could the problem be?
Try these links:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/cliguide/clievact.htm#wp1034058
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml -
How to change the default service port number to be checked for the IPS sig
Dear
I have an AIP-SSM (IPS) installed in an ASA firewall.
I have configured an access-list in the firewall to forward the traffic coming from the internet toward the internal server to be checked by the IPS module.
But the services that have to be checked are not on the default service port numbers:
http port is 8081
oracle port is 2006
and many other services.
The question now is how to change the default service port number in the IPS so that the traffic is checked by the corresponding service signatures?
Thanks
You would set those as part of the signature variables.
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_signature_definitions.html#wp1040009 -
Hello,
ASA Firewall is running in Active/Active mode. Below is the configuration of the firewall and IPS SSM module.
We are not getting event on IPS sensor when we type "show event alerts".
IPS configuration:
++++++++++++++++++++++
IPS1#
IPS1# sh configuration
! Current configuration last modified Tue Jul 02 07:19:13 2013
! Version 7.1(1)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S552.0 2011-03-07
service interface
exit
service authentication
exit
service event-action-rules rules0
exit
service host
network-settings
host-ip 10.15.1.58/28,10.15.1.57
host-name IPS1
telnet-option disabled
access-list 0.0.0.0/0
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
exit
time-zone-settings
offset 60
standard-time-zone-name GMT+03:00
exit
exit
service logger
exit
service network-access
exit
service notification
exit
service signature-definition sig0
exit
service ssh-known-hosts
exit
service trusted-certificates
exit
service web-server
exit
service anomaly-detection ad0
exit
service external-product-interface
exit
service health-monitor
exit
service global-correlation
exit
service analysis-engine
virtual-sensor vs1
description virtual-sensor-1
anomaly-detection
operational-mode learn
exit
physical-interface PortChannel0/0
exit
exit
IPS1#
ASA in system mode
+++++++++++++++++++++++++++++++++++++++
ASA-1/act/pri# sh run
: Saved
ASA Version 9.1(1) <system>
hostname ASA-1
enable password u14FkAnxI.kNNH7a encrypted
no mac-address auto
interface GigabitEthernet0/0
description LAN Failover Interface
interface GigabitEthernet0/1
description STATE Failover Interface
interface GigabitEthernet0/2
interface GigabitEthernet0/3
interface GigabitEthernet0/4
shutdown
interface GigabitEthernet0/5
shutdown
interface Management0/0
interface Management0/1
interface TenGigabitEthernet0/6
channel-group 20 mode active
interface TenGigabitEthernet0/7
channel-group 20 mode active
interface TenGigabitEthernet0/8
channel-group 10 mode active
interface TenGigabitEthernet0/9
channel-group 10 mode active
interface GigabitEthernet1/0
shutdown
interface GigabitEthernet1/1
shutdown
interface GigabitEthernet1/2
shutdown
interface GigabitEthernet1/3
shutdown
interface GigabitEthernet1/4
shutdown
interface GigabitEthernet1/5
shutdown
interface TenGigabitEthernet1/6
shutdown
interface TenGigabitEthernet1/7
shutdown
interface TenGigabitEthernet1/8
shutdown
interface TenGigabitEthernet1/9
shutdown
interface Port-channel10
interface Port-channel10.96
description "Inside-CTX-1"
vlan 96
interface Port-channel10.97
description "Inside-CTX-2"
vlan 97
interface Port-channel20
interface Port-channel20.98
description "Outside-CTX-1"
vlan 98
interface Port-channel20.99
description "Outside-CTX-2"
vlan 99
class default
limit-resource All 0
limit-resource Mac-addresses 65535
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
pager lines 24
failover
failover lan unit primary
failover lan interface FOL GigabitEthernet0/0
failover link STATEFULL-LINK GigabitEthernet0/1
failover interface ip FOL 10.15.1.33 255.255.255.252 standby 10.15.1.34
failover interface ip STATEFULL-LINK 10.15.1.37 255.255.255.252 standby 10.15.1.38
failover group 1
preempt
failover group 2
secondary
preempt
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
console timeout 0
tls-proxy maximum-session 1000
admin-context admin
context admin
allocate-ips vs0 adminvs0
config-url disk0:/admin.cfg
context arm-1
description ARM-1
allocate-interface Management0/0 MGT
allocate-interface Port-channel10.96 inside
allocate-interface Port-channel20.98 outside
allocate-ips vs1 arm-1vs1
config-url disk0:/arm-1_Context.cfg
join-failover-group 1
context arm-2
description ARM-2
allocate-interface Management0/1 MGT
allocate-interface Port-channel10.97 inside
allocate-interface Port-channel20.99 outside
allocate-ips vs1 arm-2vs1
config-url disk0:/arm-2_Context.cfg
join-failover-group 2
prompt hostname context state priority
no call-home reporting anonymous
Cryptochecksum:ad532251aad3ca65f6da8f1ff0762816
ASA in one arm context mode
+++++++++++++++++++++++++++++++++++++++
ASA-1/arm-1/act/pri# sh run
: Saved
ASA Version 9.1(1) <context>
firewall transparent
hostname arm-1
enable password u14FkAnxI.kNNH7a encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface BVI1
ip address 10.15.1.57 255.255.255.240
interface MGT
management-only
nameif management
security-level 0
ip address 10.14.1.9 255.255.255.0 standby 10.14.1.10
interface inside
nameif inside
bridge-group 1
security-level 100
interface outside
nameif outside
bridge-group 1
security-level 0
access-list global extended permit ip any any
access-list out extended permit ip any any
access-list in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group in in interface inside
access-group out in interface outside
route inside 10.0.0.0 255.255.0.0 10.15.1.51 1
route inside 10.0.10.45 255.255.255.255 10.15.1.51 1
route outside 10.11.0.0 255.255.0.0 10.15.1.53 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
no threat-detection statistics tcp-intercept
username admin password fMQ/rjnxl9Vwe9mv encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
class-map any
match access-list global
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map IPS
class any
ips promiscuous fail-open sensor arm-1vs1
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
service-policy IPS interface outside
Cryptochecksum:00b87b7c25f21d91cf5b90cb18c4d745
: end
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Why are we not able to see any events on the IPS? MPF is configured on the ASA and the ACL is getting hit counts.
Regards,
In the CLI enter the following command to see if any signatures are triggering; it could just be that you haven't had the right combination of signatures trigger to cause an actual event:
show stat virtual-sensor | begin Per-Signature
You could also enable Signature 2000 and that will usually generate events in a short time to ensure you have traffic configured correctly for inspection by the IDS.