Cisco Systems ASA 5500 Security Camera User Manual

Step 2 To add or edit a policy map that sets the actions to take with the class map traffic, enter the following command:
hostname(config)# policy-map name
Step 3 To identify the class map from Step 1 to which you want to assign an action, enter the
following command:
hostname(config-pmap)# class class_map_name
Step 4 To assign traffic to the AIP SSM, enter the following command:
hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open}
Where the inline keyword places the AIP SSM directly in the traffic flow. No traffic can
continue through the security appliance without first passing through, and being inspected by,
the AIP SSM. This mode is the most secure because every packet is analyzed before being
allowed through. Also, the AIP SSM can implement a blocking policy on a packet-by-packet
basis. This mode, however, can affect throughput.
The promiscuous keyword sends a duplicate stream of traffic to the AIP SSM. This mode is less secure, but has little impact on traffic throughput. Unlike inline mode, the AIP SSM can only block traffic by instructing the security appliance to shun the traffic or by resetting a connection on the security appliance. Moreover, while the AIP SSM is analyzing the traffic, a small amount of traffic might pass through the security appliance before the AIP SSM can block it.
The fail-close keyword sets the security appliance to block all traffic if the AIP SSM is unavailable.
The fail-open keyword sets the security appliance to allow all traffic through, uninspected, if the AIP SSM is unavailable.
Step 5 To activate the policy map on one or more interfaces, enter the following command:
hostname(config)# service-policy policymap_name {global | interface interface_name}
Where global applies the policy map to all interfaces, and interface applies the policy to one
interface. Only one global policy is allowed. You can override the global policy on an interface
by applying a service policy to that interface. You can only apply one policy map to each
interface.
The following example diverts all IP traffic to the AIP SSM in promiscuous mode, and blocks all IP traffic should the AIP SSM card fail for any reason:
hostname(config)# access-list IPS permit ip any any
hostname(config)# class-map my-ips-class
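The steps above (class-map, policy-map with an ips action, service-policy) are easy to get subtly wrong: a policy map that is never applied, a fail-open action that silently passes traffic uninspected when the module is down, or a second global policy that the appliance will not accept. The following Python script is an added example, not part of the Cisco manual and not a Cisco tool. It parses the small subset of ASA configuration used in this procedure and reports, for every policy map that is actually applied, what the AIP SSM sees and what happens on module failure. The sample configuration embedded in it is constructed for illustration; the policy-map and interface names in it are assumptions.

```python
"""Audit ASA service-policy configuration for AIP SSM (ips) actions.

Added example (not Cisco code). Understands only the commands used in the
procedure: access-list, class-map/match, policy-map/class/ips, service-policy.
Lines may carry a "hostname(config...)#" prompt, as when pasted from a session.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample config (assumption): one global policy in promiscuous
# mode, one fail-open policy on interface "dmz", one policy never applied.
SAMPLE_CONFIG = """\
access-list IPS permit ip any any
class-map my-ips-class
 match access-list IPS
policy-map my-ips-policy
 class my-ips-class
  ips promiscuous fail-close
policy-map dmz-policy
 class my-ips-class
  ips inline fail-open
policy-map unused-policy
 class my-ips-class
  ips inline fail-close
service-policy my-ips-policy global
service-policy dmz-policy interface dmz
"""

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # strips "hostname(config-pmap)# "


@dataclass
class ParsedConfig:
    class_maps: Dict[str, List[str]] = field(default_factory=dict)            # name -> match lines
    ips_actions: Dict[str, Dict[str, Tuple[str, str]]] = field(default_factory=dict)  # pmap -> {cmap: (mode, fail)}
    service_policies: List[Tuple[str, str]] = field(default_factory=list)     # (pmap, "global" | "interface X")


def parse_asa(text: str) -> ParsedConfig:
    """Track the current class-map / policy-map / class context line by line."""
    cfg = ParsedConfig()
    cur_cmap = cur_pmap = cur_class = None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line or line.startswith("!"):
            continue
        words = line.split()
        kw = words[0]
        if kw == "class-map":
            cur_cmap, cur_pmap, cur_class = words[1], None, None
            cfg.class_maps.setdefault(cur_cmap, [])
        elif kw == "match" and cur_cmap:
            cfg.class_maps[cur_cmap].append(line)
        elif kw == "policy-map":
            cur_pmap, cur_cmap, cur_class = words[1], None, None
            cfg.ips_actions.setdefault(cur_pmap, {})
        elif kw == "class" and cur_pmap:
            cur_class = words[1]
        elif kw == "ips" and cur_pmap and cur_class:
            cfg.ips_actions[cur_pmap][cur_class] = (words[1], words[2])  # (inline|promiscuous, fail-close|fail-open)
        elif kw == "service-policy":
            scope = "global" if words[2] == "global" else f"interface {words[3]}"
            cfg.service_policies.append((words[1], scope))
    return cfg


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, code, detail) findings for the ips actions in the config."""
    cfg = parse_asa(text)
    findings = []
    if sum(1 for _, s in cfg.service_policies if s == "global") > 1:
        findings.append(("ERROR", "MULTI_GLOBAL", "more than one global service-policy; only one is allowed"))
    applied = {p for p, _ in cfg.service_policies}
    for pmap, classes in cfg.ips_actions.items():
        if pmap not in applied:
            if classes:
                findings.append(("WARN", "NOT_APPLIED", f"policy-map {pmap} sends traffic to the AIP SSM but is never applied"))
            continue
        scopes = ", ".join(s for p, s in cfg.service_policies if p == pmap)
        for cmap, (mode, fail) in classes.items():
            if cmap not in cfg.class_maps:
                findings.append(("ERROR", "UNDEFINED_CLASS", f"policy-map {pmap} references undefined class-map {cmap}"))
                continue
            where = f"{pmap}/{cmap} ({scopes})"
            if fail == "fail-open":
                findings.append(("WARN", "FAIL_OPEN", f"{where}: traffic passes uninspected if the AIP SSM is unavailable"))
            if mode == "promiscuous":
                findings.append(("INFO", "PROMISCUOUS", f"{where}: module sees a copy only; it can shun or reset, not drop inline"))
    return findings


if __name__ == "__main__":
    for severity, code, detail in audit(SAMPLE_CONFIG):
        print(f"{severity:5} {code:15} {detail}")
```

Run against a pasted "show running-config" excerpt, the script flags the fail-open class on the dmz interface, notes that the global policy is promiscuous (so the module cannot block packet-by-packet), and points out the policy map that was defined but never activated with service-policy.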