Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual page 260

Configuration guide

Sending Traffic to AIP-SSM
To send traffic from ASA to AIP-SSM for the IPS to inspect, follow these steps:
Step 1 Log in to ASA.
Step 2 Enter configuration mode:
asa# configure terminal
Step 3 Create an IPS access list:
asa(config)# access-list IPS permit ip any any
Step 4 Define the IPS traffic class:
asa(config)# class-map class_map_name
asa(config-cmap)# match [access-list | any]
Step 5 Define the IPS policy map:
asa(config-cmap)# policy-map policy_map_name
Step 6 Identify the class map from Step 4 to which you want to assign an action:
asa(config-pmap)# class class_map_name
Step 7 Assign traffic to AIP-SSM:
asa(config-pmap-c)# ips [inline | promiscuous] [fail-close | fail-open]
Step 8 Define the IPS service policy:
asa(config-pmap-c)# service-policy policymap_name [global | interface interface_name]
Step 9 Verify the settings:
asa(config-pmap-c)# show running-config
!
class-map my_ips_class
class-map my-ips-class
match access-list IPS
class-map all_traffic
match access-list all_traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map my-ids-policy
class my-ips-class
ips promiscuous fail-close
!
service-policy my-ids-policy global
Step 10 Exit and save the configuration:
asa(config-pmap-c)# exit
asa(config-pmap)# exit
asa(config)# exit
asa#
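The redirection built in Steps 3 through 8 only works when each name lines up: the access list in the class map, the class map in the policy map, and the policy map in a service policy. The following check over saved show running-config text is an added example, not code from the Cisco guide; the function name audit_ips_redirect and all names in the sample configuration are assumptions constructed for illustration, and it assumes subcommands are indented with spaces as ASA prints them.

```python
import re
# Constructed sample running-config; every name in it is a placeholder.
SAMPLE = """\
access-list IPS extended permit ip any any
class-map my_ips_class
 match access-list IPS
policy-map my-ids-policy
 class my-ips-class
  ips promiscuous fail-close
policy-map dmz-ips-policy
 class my_ips_class
  ips inline fail-open
service-policy my-ids-policy global
"""

def audit_ips_redirect(config):
    """Return (redirects, findings) for the ASA-to-AIP-SSM redirection chain."""
    acls, class_maps, policies, applied = set(), {}, {}, {}
    cmap = pmap = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # a top-level line closes any open block
            cmap = pmap = cls = None
        if m := re.match(r"access-list (\S+) ", line):
            acls.add(m[1])
        elif m := re.match(r"class-map (\S+)$", line):
            cmap = m[1]
            class_maps[cmap] = None          # stays None until a supported match is seen
        elif cmap and (m := re.match(r"match (?:access-list (\S+)|any)$", line)):
            class_maps[cmap] = m[1] or "any"
        elif m := re.match(r"policy-map (\S+)$", line):
            pmap = m[1]
            policies[pmap] = {}
        elif pmap and (m := re.match(r"class (\S+)$", line)):
            cls = m[1]
        elif cls and (m := re.match(r"ips (inline|promiscuous) (fail-close|fail-open)$", line)):
            policies[pmap][cls] = (m[1], m[2])   # only classes with an ips action are kept
        elif m := re.match(r"service-policy (\S+) (?:global|interface (\S+))$", line):
            applied[m[1]] = m[2] or "global"
    redirects, findings = [], []
    for pol, classes in policies.items():
        if classes and pol not in applied:
            findings.append(f"{pol}: not applied by any service-policy")
        for name, (mode, fail) in classes.items():
            if name not in class_maps:
                findings.append(f"{pol}: class {name} has no class-map")
            elif class_maps[name] not in acls | {"any"}:
                findings.append(f"{pol}: class-map {name} matches no defined access list")
            redirects.append((pol, name, mode, fail, applied.get(pol)))
    return redirects, findings
```

On the constructed sample, the check reports a policy class spelled with hyphens where the class map uses underscores, and a policy map that no service policy applies.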
Notes for the service-policy command in Step 8:
Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
interface—Applies the policy to one interface.
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0, Chapter 14: Configuring AIP-SSM, page 14-4, 78-16527-01