Cisco Systems ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, ASA Services Module, ASA 5505 Configuring IP Audit for Basic IPS Support

28-5

Cisco ASA Series Firewall ASDM Configuration Guide

Chapter28 Using Protection Tools

Configuring IP Audit for Basic IPS Support

Configuring IP Audit for Basic IPS Support

The IP audit feature provides basic IPS support for the ASA that does not have an AIP SSM. It supports

a basic list of signatures, and you can configure the ASA to perform one or more actions on traffic that

matches a signature.

This section includes the following topics:

•IP Audit Policy, page28-5

•Add/Edit IP Audit Policy Configuration, page28-5

•IP Audit Signatures, page 28-6

•IP Audit Signature List, page28-6

IP Audit Policy

The Configuration > Firewall > Advanced > IP Audit > IP Audit Policy pane lets you add audit policies

and assign them to interfaces. You can assign an attack policy and an informational policy to each

interface. The attack policy determines the action to take with packets that match an attack signature;

the packet might be part of an attack on your network, such as a DoS attack. The informational policy

determines the action to take with packets that match an informational signature; the packet is not

currently attacking your network, but could be part of an information-gathering activity, such as a port

sweep. For a complete list of signatures, see the IP Audit Signature List.

Fields

•Name—Shows the names of the defined IP audit policies. Although the default actions for a named

policy are listed in this table (“--Default Action--”), they are not named policies that you can assign

to an interface. Default actions are used by named policies if you do not set an action for the policy.

You can modify the default actions by selecting them and clicking the Edit button.

•Type—Shows the policy type, either Attack or Info.

•Action—Shows the actions taken against packets that match the policy, Alarm, Drop, and/or Reset.

Multiple actions can be listed.

•Add—Adds a new IP audit policy.

•Edit—Edits an IP audit policy or the default actions.

•Delete—Deletes an IP audit policy. You cannot delete a default action.

•Policy-to-Interface Mappings—Assigns an attack and informational policy to each interface.

–

Interface—Shows the interface name.

–

Attack Policy—Lists the attack audit policy names available. Assign a policy to an interface by

clicking the name in the list.

–

Info Policy—Lists the informational audit policy names available. Assign a policy to an

interface by clicking the name in the list.

Add/Edit IP Audit Policy Configuration

The Configuration > Firewall > Advanced > IP Audit > IP Audit Policy>

Add/Edit IPAudit Policy Configuration dialog box lets you add or edit a named IP audit policy that you

can assign to interfaces, and lets you modify the default actions for each signature type.

Cisco Systems Configuring IP Audit for Basic IPS Support

Models: ASA 5545-X ASA 5555-X ASA 5580 ASA 5585-X ASA Services Module ASA 5505

IP Audit Policy

Add/Edit IP Audit Policy Configuration