Cisco ASA 5520 Adaptive Security Appliance Technical Manual
ASA: Send Network Traffic from the ASA to the AIP SSM Configuration Example
Document ID: 71204
Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Configure
Network Diagram
Initial Configurations
Inspect All Traffic with the AIP−SSM in inline or promiscuous mode
Inspect All Traffic with the AIP−SSM using ASDM
Inspect Specific Traffic with the AIP−SSM
Exclude specific network traffic from AIP−SSM scanning
Verify
Troubleshoot
Problems with Failover
Error Messages
Syslog Support
AIP−SSM Reboot
AIP−SSM Email Alert
Related Information
Introduction
This document provides a sample configuration for how to send network traffic that passes through the Cisco
ASA 5500 Series Adaptive Security Appliance (ASA) to the Advanced Inspection and Prevention Security
Services Module (AIP−SSM) (IPS) module. Configuration examples are provided with the command line
interface (CLI).
Refer to ASA: Send Network Traffic from the ASA to the CSC−SSM Configuration Example in order to send
network traffic from the Cisco ASA 5500 Series Adaptive Security Appliance (ASA) to the Content Security
and Control Security Services Module (CSC−SSM).
Refer to Assigning Virtual Sensors to a Security Context (AIP SSM Only) for more information on how to
send network traffic that passes through the Cisco ASA 5500 Series Adaptive Security Appliance (ASA) in
multiple context mode to the Advanced Inspection and Prevention Security Services Module (AIP−SSM)
(IPS) module.
Note: Network traffic that traverses the ASA includes traffic from internal users who access the Internet and
from Internet users who access resources protected by the ASA in a demilitarized zone (DMZ) or inside network.
Network traffic sent to and from the ASA itself is not sent to the IPS module for inspection. Examples of traffic
not sent to the IPS module include pinging (ICMP) the ASA interfaces or Telnetting to the ASA.
Note: The Modular Policy Framework that the ASA uses to classify traffic for inspection does not support
IPv6. Diverting IPv6 traffic to the AIP SSM through the ASA is therefore not supported.