Manuals / Cisco Systems / Household Appliance / Home Security System

Cisco Systems ASA 5500 manual 19-3, hostnameconfig# access-listIPS permit ip any any

Models: ASA 5500

1 16
Download 16 pages 52 Kb
Page 3
Image 3
hostname(config)# access-list IPS permit ip any any

Chapter 19 Managing the AIP SSM and CSC SSM

Managing the AIP SSM

Step 2 Create a class map to identify the traffic that should be diverted to the AIP SSM. Use the class-mapcommand to do so, as follows:

hostname(config)# class-mapclass_map_name hostname(config-cmap)#

where class_map_name is the name of the traffic class. When you enter the class-mapcommand, the CLI enters class map configuration mode.

Step 3 With the access list you created in Step 1, use a match access-listcommand to identify the traffic to be scanned:

hostname(config-cmap)# match access-listacl-name

Step 4 Create a policy map or modify an existing policy map that you want to use to send traffic to the AIP SSM. To do so, use the policy-mapcommand, as follows.

hostname(config-cmap)# policy-mappolicy_map_name hostname(config-pmap)#

where policy_map_name is the name of the policy map. The CLI enters the policy map configuration mode and the prompt changes accordingly.

Step 5 Specify the class map, created in Step 2, that identifies the traffic to be scanned. Use the class command to do so, as follows.

hostname(config-pmap)# class class_map_name hostname(config-pmap-c)#

where class_map_name is the name of the class map you created in Step 2. The CLI enters the policy map class configuration mode and the prompt changes accordingly.

Step 6 Assign the traffic identified by the class map as traffic to be sent to the AIP SSM. Use the ips command to do so, as follows.

hostname(config-pmap-c)#ips {inline promiscuous} {fail-close fail-open}

The inline and promiscuous keywords control the operating mode of the AIP SSM. The fail-closeand fail-openkeywords control how the adaptive security appliance treats traffic when the AIP SSM is unavailable. For more information about the operating modes and failure behavior, see the “About the AIP SSM” section on page 19-1.

Step 7 Use the service-policycommand to apply the policy map globally or to a specific interface, as follows:

hostname(config-pmap-c)#service-policy policy_map_name [global interface interface_ID]

hostname(config)#

where policy_map_name is the policy map you configured in Step 4. If you want to apply the policy map to traffic on all the interfaces, use the global keyword. If you want to apply the policy map to traffic on

aspecific interface, use the interface interface_ID option, where interface_ID is the name assigned to the interface with the nameif command.

Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.

The adaptive security appliance begins diverting traffic to the AIP SSM as specified.

The following example diverts all IP traffic to the AIP SSM in promiscuous mode, and blocks all IP traffic should the AIP SSM card fail for any reason:

hostname(config)# access-list IPS permit ip any any

hostname(config)# class-map my-ips-class

Cisco Security Appliance Command Line Configuration Guide

 

OL-8629-01

19-3

 

 

 

Page 2 Page 4
Page 3
Image 3
Cisco Systems ASA 5500 19-3, hostnameconfig# access-listIPS permit ip any any, hostnameconfig# class-map my-ips-class
Page 2 Page 4