Cisco Systems ASA 5500 Home Security System User Manual
Chapter 9 Configuring the AIP SSM
AIP SSM Configuration
9-4
Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
78-17611-01
The inline and promiscuous keywords control the operating mode of the AIP SSM. The fail-close and fail-open keywords control how the adaptive security appliance treats traffic when the AIP SSM is unavailable. For more information about the operating modes and failure behavior, see the “AIP SSM Configuration” section on page 9-1.
Step 7 Use the service-policy command to apply the policy map globally or to a specific interface, as follows:
hostname(config-pmap-c)# service-policy policy_map_name [global | interface interface_ID]
hostname(config)#
where policy_map_name is the policy map you configured in Step 4. If you want to apply the policy map to traffic on all the interfaces, use the global keyword. If you want to apply the policy map to traffic on a specific interface, use the interface interface_ID option, where interface_ID is the name assigned to the interface with the nameif command.
Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
The adaptive security appliance begins diverting traffic to the AIP SSM as specified.
The following example diverts all IP traffic to the AIP SSM in promiscuous mode, and blocks all IP traffic should the AIP SSM card fail for any reason:
hostname(config)# access-list IPS permit ip any any
hostname(config)# class-map my-ips-class
hostname(config-cmap)# match access-list IPS
hostname(config-cmap)# policy-map my-ids-policy
hostname(config-pmap)# class my-ips-class
hostname(config-pmap-c)# ips promiscuous fail-close
hostname(config-pmap-c)# service-policy my-ids-policy global
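As an added check (this is not from Cisco's guide), the following Python script walks the access-list, class-map, policy-map and service-policy chain in an ASA configuration fragment and reports dangling name references (a mistyped policy-map name means no traffic is ever diverted to the AIP SSM) and any class configured fail-open, which passes traffic uninspected while the module is unavailable. The sample configuration and all names in it are constructed.

```python
import re

# Constructed sample (not from the page): the policy-map is created as my-ids-policy
# but applied as my-ips-policy, so no traffic is ever diverted to the AIP SSM.
SAMPLE = """
hostname(config)# access-list IPS permit ip any any
hostname(config)# class-map my-ips-class
hostname(config-cmap)# match access-list IPS
hostname(config-cmap)# policy-map my-ids-policy
hostname(config-pmap)# class my-ips-class
hostname(config-pmap-c)# ips promiscuous fail-close
hostname(config-pmap-c)# service-policy my-ips-policy global
"""
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # drop CLI prompts if present

def parse_mpf(config):
    """Collect defined names, cross-references and ips actions from ASA config text."""
    defined = {"access-list": set(), "class-map": set(), "policy-map": set()}
    refs, actions = [], []   # (kind, name, where) / (policy-map, class, mode, fail)
    ctx = pmap = cls = None
    for raw in config.splitlines():
        line = PROMPT.sub("", raw.strip())
        if m := re.match(r"(access-list|class-map|policy-map) (\S+)", line):
            defined[m[1]].add(m[2])
            ctx = f"{m[1]} {m[2]}"
            if m[1] == "policy-map":
                pmap = m[2]
        elif m := re.match(r"match access-list (\S+)$", line):
            refs.append(("access-list", m[1], ctx))
        elif m := re.match(r"class (\S+)$", line):
            cls = m[1]
            refs.append(("class-map", cls, ctx))
        elif m := re.match(r"ips (inline|promiscuous) (fail-close|fail-open)$", line):
            actions.append((pmap, cls, m[1], m[2]))
        elif m := re.match(r"service-policy (\S+) (global|interface \S+)$", line):
            refs.append(("policy-map", m[1], f"service-policy {m[2]}"))
    return defined, refs, actions

def lint_ips_policy(config):
    """Return findings: dangling name references and classes that fail open."""
    defined, refs, actions = parse_mpf(config)
    findings = [f"{where} references unknown {kind} {name}"
                for kind, name, where in refs if name not in defined[kind]]
    findings += [f"policy-map {pm} class {cm}: fail-open passes traffic uninspected "
                 "if the AIP SSM is unavailable" for pm, cm, _, fail in actions if fail == "fail-open"]
    return findings
```

Running lint_ips_policy(SAMPLE) reports the dangling service-policy reference; once the names agree and fail-close is in place, the finding list is empty.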