Cisco ASA Series Firewall CLI Configuration Guide
Chapter 31      Configuring the ASA IPS Module
Serial Number: JAB11370240
Firmware version: 1.0(14)3
Software version: 6.2(1)E2
MAC Address Range: 001d.45c2.e832 to 001d.45c2.e832
App. Name: IPS
App. Status: Up
App. Status Desc: Not Applicable
App. Version: 6.2(1)E2
Data plane Status: Up
Status: Up
Mgmt IP Addr: 209.165.201.29
Mgmt Network Mask: 255.255.224.0
Mgmt Gateway: 209.165.201.30
Mgmt Access List: 209.165.201.31/32
                  209.165.202.158/32
                  209.165.200.254/24
Mgmt Vlan: 20
The following is sample output from the show module ips command for an ASA 5525-X with an IPS SSP software module installed:
ciscoasa# show module ips
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
ips IPS 5525 Intrusion Protection System         IPS5525            FCH1504V03P

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
ips 503d.e59c.6f89 to 503d.e59c.6f89  N/A          N/A          7.1(1.160)E4

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- ------------------------
ips IPS                            Up               7.1(1.160)E4

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
ips Up                 Up

Mod License Name      License Status  Time Remaining
--- ----------------- --------------- ---------------
ips IPS Module        Enabled         7 days
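The show module ips tables above carry the state an operator needs to watch: module status, data plane status, application status, and the license status with its time remaining (7 days in this listing). The following Python check is an added example, not code from the guide or from Cisco: it parses those tables, assuming columns are separated by at least two spaces as in the sample, and returns the findings worth alerting on. The sample output is constructed from the listing above, not captured from a device.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the guide's `show module ips` listing with its wrapped
# columns re-joined. Not captured from a live device.
SAMPLE_SHOW_MODULE_IPS = """\
ciscoasa# show module ips
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
ips IPS 5525 Intrusion Protection System         IPS5525            FCH1504V03P

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
ips 503d.e59c.6f89 to 503d.e59c.6f89  N/A          N/A          7.1(1.160)E4

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- ------------------------
ips IPS                            Up               7.1(1.160)E4

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
ips Up                 Up

Mod License Name      License Status  Time Remaining
--- ----------------- --------------- ---------------
ips IPS Module        Enabled         7 days
"""


@dataclass
class IpsModuleState:
    app_status: str = "unknown"
    app_version: str = "unknown"
    module_status: str = "unknown"
    data_plane_status: str = "unknown"
    license_status: str = "unknown"
    license_days_remaining: Optional[int] = None


def parse_show_module_ips(text: str, slot: str = "ips") -> IpsModuleState:
    """Walk the output table by table: each 'Mod ...' header names the
    columns of the module row that follows it, and cells are separated by
    two or more spaces (an assumption that holds for the sample)."""
    state = IpsModuleState()
    header = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Mod "):
            header = line
            continue
        if not line.startswith(slot + " "):
            continue  # prompt, dashes, blank separator lines
        cells = re.split(r"\s{2,}", line[len(slot):].strip())
        if "SSM Application Name" in header and len(cells) >= 3:
            state.app_status, state.app_version = cells[1], cells[2]
        elif "Data Plane Status" in header and len(cells) >= 2:
            state.module_status, state.data_plane_status = cells[0], cells[1]
        elif "License Name" in header and len(cells) >= 3:
            state.license_status = cells[1]
            m = re.match(r"(\d+)\s+day", cells[2])
            if m:
                state.license_days_remaining = int(m.group(1))
    return state


def check_module(state: IpsModuleState, min_license_days: int = 30) -> List[str]:
    """Return the conditions an operator should act on; empty means healthy."""
    findings = []
    if state.module_status != "Up":
        findings.append(f"module status is {state.module_status}")
    if state.data_plane_status != "Up":
        findings.append(f"data plane status is {state.data_plane_status}")
    if state.app_status != "Up":
        findings.append(f"IPS application status is {state.app_status}")
    if state.license_status != "Enabled":
        findings.append(f"IPS license status is {state.license_status}")
    if (state.license_days_remaining is not None
            and state.license_days_remaining < min_license_days):
        findings.append(f"IPS license expires in {state.license_days_remaining} days")
    return findings


if __name__ == "__main__":
    for finding in check_module(parse_show_module_ips(SAMPLE_SHOW_MODULE_IPS)):
        print("WARNING:", finding)
```

Run against the sample, the only finding is the license expiring in 7 days; a module or data plane status other than Up produces its own finding, which matters because with a fail-open policy a failed module silently stops inspecting traffic.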
Configuration Examples for the ASA IPS module
The following example diverts all IP traffic to the ASA IPS module in promiscuous mode, and blocks all IP traffic if the ASA IPS module card fails for any reason:
ciscoasa(config)# access-list IPS permit ip any any
ciscoasa(config)# class-map my-ips-class
ciscoasa(config-cmap)# match access-list IPS
ciscoasa(config-cmap)# policy-map my-ips-policy
ciscoasa(config-pmap)# class my-ips-class
ciscoasa(config-pmap-c)# ips promiscuous fail-close
ciscoasa(config-pmap-c)# service-policy my-ips-policy global
The following example diverts all IP traffic destined for the 10.1.1.0 network and the 10.2.1.0 network to the AIP SSM in inline mode, and allows all traffic through if the AIP SSM fails for any reason. For the my-ips-class traffic, sensor1 is used; for the my-ips-class2 traffic, sensor2 is used.
ciscoasa(config)# access-list my-ips-acl permit ip any 10.1.1.0 255.255.255.0
ciscoasa(config)# access-list my-ips-acl2 permit ip any 10.2.1.0 255.255.255.0
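The two examples above differ in the decision that matters most in a review: fail-close blocks matching traffic when the module fails, while fail-open forwards it uninspected. The following Python script is an added example, not code from the guide or from Cisco: it parses the access-list, class-map, policy-map and service-policy lines of a configuration transcript like the ones above (CLI prompts are stripped first), resolves each ips action to its access list, mode, failure behavior, sensor and scope, and reports the review points. The sample configuration is constructed from the guide's examples; the line using the sensor keyword of the ips command is an assumption about the second example's completion and is not shown on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample built from the guide's examples with the CLI prompts left
# in. The `ips inline fail-open sensor sensor1` line and the interface-scoped
# service-policy are assumptions, not lines shown on this page.
SAMPLE_CONFIG = """\
ciscoasa(config)# access-list IPS permit ip any any
ciscoasa(config)# class-map my-ips-class
ciscoasa(config-cmap)# match access-list IPS
ciscoasa(config-cmap)# policy-map my-ips-policy
ciscoasa(config-pmap)# class my-ips-class
ciscoasa(config-pmap-c)# ips promiscuous fail-close
ciscoasa(config-pmap-c)# service-policy my-ips-policy global
ciscoasa(config)# access-list my-ips-acl permit ip any 10.1.1.0 255.255.255.0
ciscoasa(config)# class-map my-ips-class2
ciscoasa(config-cmap)# match access-list my-ips-acl
ciscoasa(config-cmap)# policy-map my-ips-policy2
ciscoasa(config-pmap)# class my-ips-class2
ciscoasa(config-pmap-c)# ips inline fail-open sensor sensor1
ciscoasa(config-pmap-c)# service-policy my-ips-policy2 interface outside
"""

# Matches prompts such as "ciscoasa(config-pmap-c)# " so plain config text also parses.
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")


@dataclass
class IpsAction:
    policy: str
    class_name: str
    acl: Optional[str]      # access-list matched by the class-map, if any
    mode: str               # inline | promiscuous
    on_failure: str         # fail-open | fail-close
    sensor: Optional[str]   # virtual sensor name; None means the default sensor
    scope: Optional[str]    # "global" or "interface <name>"; None if never applied


def parse_ips_policy(text: str) -> List[IpsAction]:
    class_acl: Dict[str, Optional[str]] = {}
    policies: Dict[str, Dict[str, Optional[List[str]]]] = {}
    scopes: Dict[str, str] = {}
    cur_cmap = cur_pmap = cur_pclass = None
    for raw in text.splitlines():
        tok = PROMPT.sub("", raw).split()
        if not tok:
            continue
        if tok[0] == "class-map":
            cur_cmap = tok[1]
            class_acl.setdefault(cur_cmap, None)
        elif tok[:2] == ["match", "access-list"] and cur_cmap:
            class_acl[cur_cmap] = tok[2]
        elif tok[0] == "policy-map":
            cur_pmap, cur_pclass = tok[1], None
            policies.setdefault(cur_pmap, {})
        elif tok[0] == "class" and cur_pmap:
            cur_pclass = tok[1]
            policies[cur_pmap].setdefault(cur_pclass, None)
        elif tok[0] == "ips" and cur_pmap and cur_pclass:
            policies[cur_pmap][cur_pclass] = tok[1:]   # e.g. ["inline", "fail-open", "sensor", "sensor1"]
        elif tok[0] == "service-policy":
            scopes[tok[1]] = " ".join(tok[2:])
    actions = []
    for pmap, classes in policies.items():
        for cname, args in classes.items():
            if not args:
                continue  # class carries no ips action
            sensor = args[args.index("sensor") + 1] if "sensor" in args else None
            actions.append(IpsAction(pmap, cname, class_acl.get(cname),
                                     args[0], args[1], sensor, scopes.get(pmap)))
    return actions


def review_ips_policy(actions: List[IpsAction]) -> List[str]:
    """State the consequence of each action's failure mode and flag unapplied policies."""
    findings = []
    for a in actions:
        where = f"{a.policy}/{a.class_name} (acl {a.acl}, sensor {a.sensor or 'default'})"
        if a.on_failure == "fail-open":
            findings.append(f"{where}: fail-open; matching traffic is forwarded uninspected if the module fails")
        else:
            findings.append(f"{where}: fail-close; matching traffic is blocked if the module fails")
        if a.mode == "promiscuous":
            findings.append(f"{where}: promiscuous; the module inspects a copy and cannot drop packets inline")
        if a.scope is None:
            findings.append(f"{where}: policy-map {a.policy} is never applied with service-policy")
    return findings


if __name__ == "__main__":
    for finding in review_ips_policy(parse_ips_policy(SAMPLE_CONFIG)):
        print(finding)
```

The parser keys on the mode the CLI prompt implies (class-map versus class inside a policy-map), so it works on the prompt-bearing transcripts in this guide as well as on a plain show running-config excerpt.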