Wednesday, March 18, 2009

You learn something new every day. Cisco ASA 5510 Lessons.

1. The IPS module is not configured by default to bind to an interface. The setting is in the ASDM at Configuration > IPS > Policies > IPS Policies. I created a new policy that is now bound to the backplane interface using a new set of Event Action Rules (see below); now the IPS is dropping packets and creating alerts as it should.

2. To allow Instant Messenger you need to do two things:
  1. Allow IM in the firewall class maps. Configuration > Firewall > Objects > Class Maps > IM > Add. From here you can allow Yahoo! or MSN IM if you use the default criterion. You can also use Services Criterion to block certain features of IM such as Chat, Conference, File Transfers, Games, Voice Chat and Web Cam.
  2. Tweak the IM rules in the IPS module to allow and deny the traffic that you want.

3. The email alerting is configured using both the IPS and Device Management sliders. Make sure that you can reach the email server's IP from your device, or put in a static route to your email server; otherwise you will never get your email alerts :)

4. Event Action Rules are important to your IPS. They define the levels of risk and what to do with the three different levels: HIGHRISK, MEDIUMRISK, LOWRISK. Create your Event Action Rule and then use it via your IPS Policy.
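
For reference, the binding described in lessons 1 and 4 can also be done from the IPS module's own command line instead of the ASDM. This is an added example, not taken from the original post. It assumes IPS 6.x software on an AIP-SSM whose backplane sensing interface is named GigabitEthernet0/1, the default virtual sensor vs0, and a placeholder policy name rules1.

```text
! Run on the IPS module CLI (from the ASA, open it with: session 1).
! Assumed names: vs0 = default virtual sensor, rules1 = placeholder
! Event Action Rules policy, GigabitEthernet0/1 = backplane interface.

configure terminal

! Create (or enter) the Event Action Rules policy, then leave the
! submode and accept the prompt to apply the change.
service event-action-rules rules1
exit

! Attach the policy and the backplane interface to the virtual sensor.
! Until an interface is assigned here, the sensor inspects nothing.
service analysis-engine
virtual-sensor vs0
event-action-rules rules1
physical-interface GigabitEthernet0/1
exit
exit

! Leave configuration mode and check that the sensor is seeing traffic.
exit
show interfaces
show statistics virtual-sensor
```

If the packet counters in `show statistics virtual-sensor` stay at zero after the change, the module is still not receiving traffic on the backplane interface.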