Directing Traffic to the AIP-SSM

This section covers how to configure the Cisco ASA to direct traffic to the AIP-SSM for inline and promiscuous modes. The following steps specify how traffic will be forwarded to the AIP-SSM:

Step 1.

To classify how and what traffic will be forwarded to the AIP-SSM, configure a class map by using the class-map command. A class map named IPSclass is configured in this example to match all traffic passing through the security appliance:

Chicago# configure terminal
Chicago(config)# class-map IPSclass
Chicago(config-cmap)# match any

Step 2.

Add a policy map with the policy-map command. A policy map named IPSpolicy is configured in this example:

Chicago(config)# policy-map IPSpolicy
Chicago(config-pmap)#

Step 3.

Associate the previously configured class map to the new policy map as follows:

Chicago(config-pmap)# class IPSclass

Step 4.

Use the ips subcommand to specify the IPS mode of operation (inline vs. promiscuous) and how the ASA should handle traffic if the module fails. The command syntax is as follows:

ips {inline | promiscuous} {fail-close | fail-open}

In this example, the ASA is configured with the inline keyword, placing the AIP-SSM directly in the traffic flow.

Chicago(config-pmap-c)# ips inline fail-close

The fail-close keyword is used in this example. This forces the ASA to block all traffic if the AIP-SSM fails.


Note

The AIP-SSM is not hot-swappable. You can shut down the module by using the hw-module module 1 shutdown command.

Step 5.

Activate the policy map globally or on one or more interfaces with the service-policy command. The command syntax is as follows:

service-policy policymap_name {global | interface interface_name}

The global keyword applies the policy to all interfaces. The interface keyword applies the policy to a specific interface. In this example, the policy is applied to the outside and dmz1 interfaces:

Chicago(config)# service-policy IPSpolicy interface outside
Chicago(config)# service-policy IPSpolicy interface dmz1

Note

Only one policy map can be applied to a specific interface.
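The five steps above assembled into one running-config fragment, as an added example that is not taken from the book. The hostname, the IPSclass and IPSpolicy names and the outside and dmz1 interfaces follow the chapter's example; the fail-open line is shown commented out beside fail-close so the two failure behaviors can be compared, and the verification commands listed at the end are standard ASA show commands.

```cisco
! Added example (not the book's own text): complete MPF configuration for
! directing traffic to the AIP-SSM, in running-config form.
!
! Step 1: classify which traffic is handed to the module (here: all traffic).
class-map IPSclass
 match any
!
! Steps 2-4: policy map that sends the matched class to the AIP-SSM.
!   inline      - the module sits in the forwarding path and can drop packets.
!   promiscuous - the module receives a copy and cannot block on its own.
!   fail-close  - if the module is unavailable, traffic sent to it is blocked
!                 (inspection is enforced; availability suffers).
!   fail-open   - if the module is unavailable, that traffic is forwarded
!                 without inspection (availability is kept; coverage is lost).
! The two ips lines below are alternatives; only one may be active.
policy-map IPSpolicy
 class IPSclass
  ips inline fail-close
!  ips inline fail-open
!
! Step 5: bind the policy to the interfaces whose traffic should be inspected.
! Remember that only one policy map can be applied per interface.
service-policy IPSpolicy interface outside
service-policy IPSpolicy interface dmz1
!
! Verification after the configuration is applied:
!   show running-config policy-map         (confirm the class -> ips binding)
!   show service-policy interface outside  (confirm the policy is attached)
!   show module 1                          (confirm the module is up)
```

When deciding between fail-close and fail-open, match the choice to the interface: a fail-close policy on the outside interface means an AIP-SSM outage (including a planned hw-module module 1 shutdown) takes that interface's traffic down with it, so plan maintenance windows accordingly.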
