Cisco ASA 5505 User Manual
Page 1236
58-16
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 58 Configuring the ASA IPS Module
Configuring the ASA IPS module
Detailed Steps
Command
Purpose
Step 1
context
name
Example:
hostname(config)# context admin
hostname(config-ctx)#
Identifies the context you want to configure. Enter this command in
the system execution space.
Step 2
allocate-ips
sensor_name [mapped_name]
[default]
Example:
hostname(config-ctx)# allocate-ips
sensor1 highsec
Enter this command for each sensor you want to assign to the context.
The sensor _name argument is the sensor name configured on the
ASA IPS module. To view the sensors that are configured on the ASA
IPS module, enter allocate-ips ?. All available sensors are listed. You
can also enter the show ips command. In the system execution space,
the show ips command lists all available sensors; if you enter it in the
context, it shows the sensors you already assigned to the context. If
you specify a sensor name that does not yet exist on the ASA IPS
module, you get an error, but the allocate-ips command is entered as
is. Until you create a sensor of that name on the ASA IPS module, the
context assumes the sensor is down.
Use the mapped_name argument as an alias for the sensor name that
can be used within the context instead of the actual sensor name. If
you do not specify a mapped name, the sensor name is used within
the context. For security purposes, you might not want the context
administrator to know which sensors are being used by the context.
Or you might want to genericize the context configuration. For
example, if you want all contexts to use sensors called “sensor1” and
“sensor2,” then you can map the “highsec” and “lowsec” sensors to
sensor1 and sensor2 in context A, but map the “medsec” and
“lowsec” sensors to sensor1 and sensor2 in context B.
The default keyword sets one sensor per context as the default
sensor; if the context configuration does not specify a sensor name,
the context uses this default sensor. You can only configure one
default sensor per context. If you want to change the default sensor,
enter the no allocate-ips sensor_name command to remove the
current default sensor before you allocate a new default sensor. If you
do not specify a sensor as the default, and the context configuration
does not include a sensor name, then traffic uses the default sensor as
specified on the ASA IPS module.
Step 3
changeto context
context_name
Example:
hostname# changeto context customer1
hostname/customer1#
Changes to the context so you can configure the IPS security policy
as described in
“Diverting Traffic to the ASA IPS module” section on
.