AIP - SSM Int gig0/0
Looking for an explanation of the gig0/0 interface in the AIP-SSM-20. The ASA runs 8.2 and the IPS runs 6.2.
The documentation I read doesn't mention everything. I want a management interface separate from the default connection between the ASA and the IPS module.
M0/0 is the only interface on which you must configure an IP address; that is used for management traffic.
You don't configure any IP on G0/0 or G0/1, as the traffic to be inspected is passed from the ASA to the module internally. You just set the policy-map on the ASA to identify the traffic that flows to the module for inspection.
Visit this link for more information:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807335ca.shtml
Tags: Cisco Security
Similar Questions
-
(ASA) AIP-SSM-10 Inline; promiscuous events?
An ASA 5520 with AIP-SSM-10 is set to inline mode, but the events of the last 2 hours on the sensor (sensor# show events past 02:00) show "entered promiscuous mode" and "left promiscuous mode".
This AIP-SSM-10 has only gig0/0 and gig0/1, where 0/0 is out of service and the default virtual sensor (vs0) is assigned to gig0/1. I see statistics (sensor# show statistics analysis-engine) on gig0/1, so I am collecting statistics.
If the ASA 5520 configuration has the following inline policy and the event log shows entering and leaving promiscuous mode, how do I verify that I am inspecting in inline mode?
(ASA# show run access-list IPS)
access-list IPS extended permit ip DMZ 255.255.255.0 26.26.1.0 255.255.255.0
(ASA# show run | b class-map)
class-map IPS
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect waas
  inspect icmp
 class IPS
  ips inline [fail-open|fail-close]   (the keyword is garbled in the original post)
!
service-policy global_policy global
(sensor# show interfaces)
...
MAC statistics from interface GigabitEthernet0/1
   Interface function = Sensing interface
   Description =
   Media Type = backplane
   Default Vlan = 0
   Inline Mode = Unpaired
   Pair Status = N/A
   Hardware Bypass Capable = No
   Hardware Bypass Paired = N/A
   Link Status = Up
   Link Speed = Auto_1000
   Link Duplex = Auto_Full
   Missed Packet Percentage = 0
   Total Packets Received = 95044
   Total Bytes Received = 8715230
   Total Multicast Packets Received = 0
   Total Broadcast Packets Received = 0
   Total Jumbo Packets Received = 0
   Total Undersize Packets Received = 0
   Total Receive Errors = 0
   Total Receive FIFO Overruns = 0
   Total Packets Transmitted = 95044
   Total Bytes Transmitted = 9047702
   Total Multicast Packets Transmitted = 0
   Total Broadcast Packets Transmitted = 0
   Total Jumbo Packets Transmitted = 0
   Total Undersize Packets Transmitted = 0
   Total Transmit Errors = 0
   Total Transmit FIFO Overruns = 0
sensor# show events past 02:00
evStatus: eventId=1203360411830836145 vendor=Cisco
  originator:
    hostId: ASA2_IPS
    appName: kernel
    appInstanceId:
  time: 2008-02-20 19:01:46 2008/02/20 19:01:46 UTC
  syslogMessage:
    description: device ge0_1 entered promiscuous mode
evStatus: eventId=1203360411830836146 vendor=Cisco
  originator:
    hostId: ASA2_IPS
    appName: kernel
    appInstanceId:
  time: 2008-02-20 19:01:53 2008/02/20 19:01:53 UTC
  syslogMessage:
    description: device ge0_1 left promiscuous mode
The 'entered promiscuous mode' and 'left promiscuous mode' status events are usually generated when you run a 'packet display' or 'packet capture' command on the sensor CLI.
The packet display command is promiscuous monitoring, but it is independent of the promiscuous or inline monitoring done by the sensor's analysis engine.
You can have inline monitoring by the analysis engine and still run the packet display command on the CLI for your own promiscuous monitoring of those same packets. These are 2 independent monitors of the same packets.
If I remember right, inline-monitored packets always get returned to the ASA (unless expressly denied), which is not the case for promiscuous packets. So check the sensor's gig0/1 interface statistics and the number of packets transmitted. If the receive and transmit counts are quite close, then the packets are being monitored inline by the analysis engine. If the transmit count is zero or very low, then the packets are likely being monitored promiscuously.
With your ASA configuration you are correctly configured for inline monitoring.
So I think you are indeed inspecting inline, and the status messages are just from your starting and stopping of the 'packet' command on the CLI for your own independent promiscuous viewing of packets.
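As an added example that is not part of the thread, a small Python helper that applies the check described in the answer above: it parses the per-interface counters from 'show interfaces', compares received against transmitted packets to tell inline from promiscuous monitoring, and pairs the kernel 'entered'/'left promiscuous mode' events from 'show events' into the packet display sessions they bracket. Both sample outputs are constructed; the Gig0/0 counters and the 5% tolerance are assumptions.

```python
import re

# Constructed sample 'show interfaces' output, trimmed to the fields the
# check needs; Gig0/1 uses the counters from the post, Gig0/0 is made up.
SAMPLE_STATS = """\
MAC statistics from interface GigabitEthernet0/1
   Interface function = Sensing interface
   Inline Mode = Unpaired
   Total Packets Received = 95044
   Total Packets Transmitted = 95044
MAC statistics from interface GigabitEthernet0/0
   Interface function = Sensing interface
   Inline Mode = Unpaired
   Total Packets Received = 4200
   Total Packets Transmitted = 0
"""

# Constructed sample 'show events' output mirroring the two kernel events.
SAMPLE_EVENTS = """\
evStatus: eventId=1203360411830836145 vendor=Cisco
  time: 2008-02-20 19:01:46 2008/02/20 19:01:46 UTC
  syslogMessage:
    description: device ge0_1 entered promiscuous mode
evStatus: eventId=1203360411830836146 vendor=Cisco
  time: 2008-02-20 19:01:53 2008/02/20 19:01:53 UTC
  syslogMessage:
    description: device ge0_1 left promiscuous mode
"""

_IFACE_RE = re.compile(r"^MAC statistics from interface (\S+)", re.M)
_FIELD_RE = re.compile(r"^\s*(.+?) = (.*)$", re.M)
_PROMISC_RE = re.compile(
    r"time: (\S+ \S+) .*?description: device (\S+) (entered|left) promiscuous mode",
    re.S)

def parse_show_interfaces(text):
    """Return {interface: {field: value}} from 'show interfaces' output."""
    parts = _IFACE_RE.split(text)  # ['', name1, body1, name2, body2, ...]
    return {name: {m.group(1): m.group(2) for m in _FIELD_RE.finditer(body)}
            for name, body in zip(parts[1::2], parts[2::2])}

def classify(fields, tolerance=0.05):
    """Inline packets are handed back to the ASA, so tx tracks rx closely;
    a promiscuous copy is never transmitted, so tx stays at or near zero.
    The 5% tolerance is an assumption, not a Cisco figure."""
    rx = int(fields.get("Total Packets Received", 0))
    tx = int(fields.get("Total Packets Transmitted", 0))
    if rx == 0:
        return "idle"
    if tx / rx < tolerance:
        return "promiscuous"
    if abs(rx - tx) / rx <= tolerance:
        return "inline"
    return "indeterminate"

def classify_all(text):
    """Classify every interface block in a 'show interfaces' dump."""
    return {name: classify(f) for name, f in parse_show_interfaces(text).items()}

def promisc_intervals(text):
    """Pair 'entered'/'left' promiscuous-mode events per device. Each pair
    brackets one packet display/capture session on the sensor CLI and says
    nothing about how the analysis engine itself is monitoring."""
    open_at, intervals = {}, []
    for stamp, dev, action in _PROMISC_RE.findall(text):
        if action == "entered":
            open_at[dev] = stamp
        elif dev in open_at:
            intervals.append((dev, open_at.pop(dev), stamp))
    return intervals
```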
-
Physical connectivity of ASA AIP - SSM
How should the physical connectivity of the ASA AIP-SSM be set up in the case of inline interface inspection mode for all interfaces of the firewall?
Rgds.
Assuming that 'interface_policy' has "ips inline" in the policy, then yes, your configuration is correct.
Keep in mind that the 'GigabitEthernet0/1' assigned to vs0 is the backplane interface of the SSM itself and should not be confused with the external interface GigabitEthernet0/1 of the ASA.
As for using several virtual sensors, it is a personal choice.
When you use an ASA with just a single context, a single virtual sensor is usually sufficient. It's only when you want to monitor traffic from different firewall interfaces (or different classes of traffic) differently that you would want to use several virtual sensors.
However, when you use an ASA with multiple security contexts, it is usually a good idea to use a separate virtual sensor per ASA context.
If you choose to use several virtual sensors, you must understand that the backplane interface GigabitEthernet0/1 can only be assigned to one virtual sensor.
Here is an explanation of how the other virtual sensors would get traffic:
When the ASA sends packets to the SSM for monitoring, the ASA includes a special header in each packet. It carries information such as the ASA context the packet came from, the real and NAT/PAT addresses of the packet, and a few other things. An important field in this header is the virtual sensor. It tells the SSM which virtual sensor must monitor this packet.
When the ASA is configured without using virtual sensor names, the virtual sensor field in the packet header is blank. If the SSM sees a packet with the field blank, it checks the SSM configuration to see which virtual sensor the SSM's GigabitEthernet0/1 has been assigned to and sends the packet to that virtual sensor.
If the ASA has been configured to send the packet to a specific virtual sensor (either by adding the virtual sensor name at the end of the "ips inline" configuration entry or by using "allocate-ips" configuration entries in the system context configuration), then the ASA will include the virtual sensor in the header of the packet. The SSM will read this field and, instead of sending to the virtual sensor that Gig0/1 is assigned to, it will send to the virtual sensor specified in the packet header.
In effect, it overrides the Gig0/1 assignment and steers the packet to whatever virtual sensor was specified by the ASA configuration.
-
The AIP-SSM connected to an unused ASA interface
Hi people,
Perhaps someone has already raised this issue, but I was unable to find anything relevant. We have an ASA with an unused interface (gig0/3). The AIP-SSM sensor is physically connected to this interface with the following IP settings:
Sensor (192.168.2.2/30, gateway 192.168.2.1) --- ASA interface (192.168.2.1/30)
It's basically point-to-point connectivity, and I can reach the ASA from the sensor and the other way around.
This design is dictated by the lack of a free port on the switch.
Technically, it should work without any problems, but I can't seem to reach the sensor. There is a switch between my PC and the sensor, and the switch has the corresponding static route added. I can reach the sensor from the switch.
Is there a hidden security feature I don't know about that prevents communication with the sensor?
And the ACL on the sensor allows traffic from all networks (0.0.0.0/0).
With the sensor ACL set to 0.0.0.0/0, the sensor should be allowing connectivity.
You can use the 'packet display' command on the sensor to look at packets on the command and control interface and see whether the packets are making it to the sensor.
You say you have a static route on your switch for the switch to reach your sensor. Do you know whether your PC is configured to use the switch as its default router? If the PC uses a different default router, then that other router also needs the static route.
The other possibility is that the ASA itself may be denying the traffic.
Since this is an ASA interface connected to the SSM, the traffic must be routed through the ASA, and standard firewall rules apply to it. The security level of the interfaces can block the traffic, and an ACL may be necessary to allow traffic from your PC to be routed to the SSM.
NOTE: If you don't want to worry about routes, the other alternative is to make the network between the ASA and the SSM an isolated network that only those 2 machines know about.
You can then use static PAT to map a port on the ASA's inside interface address to the SSM's https port 443, and map a second port on the ASA inside interface address to the SSM's SSH port.
Your PC would then simply connect to the ASA's inside IP using those specific ports, and the ASA would do the port translation and forward to the SSM.
The SSM address could also be dynamically PATed to the ASA inside address, so the SSM could initiate connections to other machines on the inside network.
Another alternative, if you have IP addresses available on your inside network, is to use static NAT instead of PAT: have the ASA statically map an IP on the inside network to the SSM's IP on the network that only the ASA and the SSM know about.
In both cases the network between the ASA and SSM would not be routable at all, and you would not have to worry about replicating static routes anywhere.
SIDE NOTE: With a separate network for the SSM, you will also need to NAT or PAT the SSM's address on the ASA's outside interface. That way the SSM will be able to connect to cisco.com to download auto-updates and/or pull global correlation information from Cisco servers. It's probably the same configuration you already have for other internal addresses; just make sure you cover the SSM, since it is on a separate subnet.
-
Updated AIP-SSM-10 on ASA 5510
Hello
I want to upgrade the IPS module in an ASA 5510, and I have a few questions. The AIP-SSM is running 6.2(1)E3 with signature 479.0, and I have a valid CCO account etc. for this.
- Does the ASA software version matter for this?
- When I look in the software downloads under IPS, there are .pkg and .img files. I want to upgrade to 6.3(3)E4. Do I have to re-image the IPS?
- AFAIK re-imaging wipes the device, so I would just reload the config afterwards, right?
- I guess I can apply any update after going to E4?
- Can you give me links for this upgrade?
see you soon
Let me clarify a few points:
2. There is no need to re-image the device using the .img file. You can upgrade while preserving your existing configuration by using the .pkg file; that is the recommended method for upgrading Cisco IPS devices/modules. The .img re-image file should only be used to restore the device to defaults.
5. Here are links for upgrading the sensor using a .pkg file. For upgrades through the IDM user interface:
For upgrades via the CLI:
Another point of clarification: the current IPS software releases supported on the AIP-SSM-10 (given that you are currently running 6.2(1)E3) are:
6.2(3)E4
7.0(4)E4
You can go directly to either release.
Scott
-
AIP-SSM-40 upgrade question.
Hello
I am trying to upgrade the AIP-SSM software from 'IPS-K9-6.0-6-E4' to 'IPS-engine-E4-req-7.0-2', but it is not allowed:
"Cannot upgrade the sensor software.
The current signature level is S698. The current signature level must be less than S480 for this installation package."
So I tried to update to a signature file below S480, "IPS-sig-S460-req-E3":
"Cannot upgrade the sensor software.
This update can be installed on a sensor with engine version 3. The currently installed engine version is 4."
There is no signature file below S480 for engine version 4 in the Cisco downloads.
show version output:
AIP-SSM# show version
Application Partition:
Cisco Intrusion Prevention System, Version 6.0(6)E4
Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S698.0   2013-02-19
OS Version:             2.4.30-IDS-smp-bigphys
Platform:               ASA-SSM-40
Serial Number:
Licensed, expires:      03-Nov-2013 UTC
Sensor up-time is 3 days.
Using 1045143552 out of 4203216896 bytes of available memory (24% usage)
application-data is using 41.4M out of 167.8M bytes of available disk space (26% usage)
boot is using 37.8M out of 70.5M bytes of available disk space (57% usage)

MainApp          N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01:15:08-0500   Running
AnalysisEngine   N-NUBRA_E4_2010_MAR_24_22_44_6_0_6   (Ipsbuild)   2010-03-24T22:47:53-0500   Running
CLI              N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01:15:08-0500

Upgrade History:
* IPS-K9-6.0-6-E4           21:14:06 UTC Wed Mar 24 2010
  IPS-sig-S698-req-E4.pkg   15:44:43 UTC Sun Feb 24 2013

Recovery Partition Version 1.1 - 6.0(6)E4
Any help will be much appreciated... Thanks in advance.
Liénard
If you are trying a software version upgrade, use the IPS-K9-7.0-2-E4.pkg instead of the engine update package.
-
Cisco ASA 5510 + license + AIP - SSM
Hello.
I have this box.
I have a few questions about it.
(1) Will I be able to update the firmware (from 8.2 to 8.3 or greater, for example) without SMARTnet for the ASA 5510? And what can't be done without SMARTnet?
(2) I only have the AIP-SSM-10 module in this ASA 5510. Is there a SMARTnet for it too? And when I buy only the module, does it include a 1-year subscription for the IPS signatures?
(3) If I have the Cisco ASA 5510 Base license, will my IPS on the AIP-SSM-10 work?
(4) As I foresee buying another 5510 with the same module within the year and setting up failover: do I really need the Security Plus license for failover (active/standby)? For active/active I know I need one, yes?
Please help me.
(1) You must have SMARTnet in order to download software from the cisco.com download site.
(2) Yes, there is also a SMARTnet for the AIP module. The AIP module does not come with a one-year subscription, but you can ask for a demo license.
(3) Yes, the Base license is fine for the AIP module.
(4) Yes, you would need the Security Plus license on both ASAs to be able to run any type of failover on the ASA5510.
Hope that answers your questions.
-
Getting started: ASA5520 w / AIP - SSM
I'm trying to deploy an ASA5520 for a customer. I have no problem with the firewall piece, but I don't know where to start with the IPS piece.
I searched a bit on the ASA55XX & AIP-SSM, but can't seem to find much on what to do with the AIP-SSM beyond the initial setup.
Can someone point me to some beginner IPS documentation that focuses on the AIP-SSM?
Thank you
Jeff
In my view, there is a lack of documentation on how to get the IPS module working with the ASA. It would be nice if there were a single document on how to get the IPS module working with the ASA.
Start with the IPS documentation. It covers how to configure the IPS module itself: assign a management IP address, set the admin password, etc.
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids12/index.htm
Then go to the ASA documentation on how to configure the ASA to send traffic to the IPS (via a service-policy):
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids11/cliguide/clissm.htm#wp1033926
There is a free Cisco IPS Event Viewer for monitoring events on the IPS. It can be downloaded from the Cisco IPS software download page.
Finally, read the SAFE whitepaper on IPS deployment and tuning.
I hope this helps. Remember to rate useful posts. Thank you!
-
I have two questions about the AIP - SSM.
(1) Does the ACL in the AIP-SSM have any relation to the ASA ACL?
(2) Our four interfaces are all used. Is it possible to assign the SSM an IP address in the same subnet as the management interface?
(3) Should the management interface then serve as the gateway for the SSM?
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 65.x.x.1 255.255.255.0 standby 65.x.x.2
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.x.1 255.255.255.0 standby 172.16.x.2
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 speed 100
 duplex full
 nameif management
 security-level 100
 ip address 10.0.x.1 255.255.255.0 standby 10.0.x.2
 management-only
Here are the answers to your questions:
(1) Does the ACL in the AIP-SSM have any relation to the ASA ACL?
Ans) No. The ACL on the SSM is completely independent of the ACLs on the ASA.
(2) Our four interfaces are all used. Is it possible to assign the SSM an IP address in the same subnet as the management interface?
Ans) Absolutely. You can assign the SSM management port an IP address in the same subnet as your management interface. That way, all management traffic stays separate from normal data traffic.
(3) Should the management interface then serve as the gateway for the SSM?
Ans) You're right... :-)
Hope that helps.
Kind regards
Maryse.
-
Does reloading the AIP-SSM module affect the ASA?
Exactly. If you don't have a policy-map using the SSM module, then you can reload the SSM module and it does not affect the traffic passing through the ASA. For more information, here is a link on how to configure the ASA to use the SSM module:
Hope that helps.
Kind regards
Maryse.
-
NTP Windows Server and AIP - SSM
We use a Windows-based server as the NTP server, but to configure NTP on the AIP-SSM I need the NTP key, key ID and value. How do you find this information or bypass it? Or is it possible to set the clock without using an NTP server? I disabled the NTP service, hoping it would use the firewall clock, but it didn't.
Kind regards
Your offset must be -360.
The offset is in minutes rather than hours. Right now you are saying that CDT is only 6 MINUTES from GMT, when what you want is -6 HOURS, i.e. -360 minutes:
offset -360
-
AIP-SSM configuration maintenance in Active/Standby mode
So, I'm pretty new to the AIP-SSM but not to the ASA. It seems that very little of the AIP module configuration gets copied to the standby AIP, nothing other than what appears in the ASA config (ACLs, etc.). So all module-specific configuration elements must be manually reproduced on the standby module, either entered by hand or by copying the config between the two?
Planned in the future.
-
AIP-SSM-10 signature update license?
Hi everyone. We have an AIP-SSM-10 for our ASA5520; actually it is a bundle, ASA5520 + AIP-SSM-10 (part number ASA5520-AIP10-K9=).
(1) I want to know: if we want to upgrade the signatures on our AIP-SSM, do we need to get Cisco Services for IPS to download signatures, or do we get that with this part number too?
(2) In case we must get Cisco Services for IPS separately, where can I find a reference number for this service?
(3) What license must be installed on the sensor for activation? If we get Cisco Services for IPS, do we receive an activation license to install on the sensor too? If not, can we install signatures on a sensor that has not been activated yet? I guess we can get some signatures somehow! (I know that on the JOINT-2 we cannot install any signature until the license is installed on the sensor.) Thank you
CON-SU1-AS2A10K9 would be the correct contract to put all the pieces of the bundle under the maintenance contract.
CON-SU1-ASIP10K9 is what is used when the AIP-SSM-10 is purchased as a spare.
I don't know whether the Cisco Services for IPS contract can be used to cover only the AIP-SSM-10 if it was purchased as part of a bundle rather than as a spare. You will need to ask your reseller or Cisco sales representative.
-
I have an ASA5520 with AIP-SSM-10, and I want to send messages from the IPS sensor to an external syslog server. I'm not able to find how to configure it.
Thank you for any hint.
As of now, SSM modules cannot be configured to send events as syslogs to a syslog server. You can send these events to the IPS Event Viewer or Security Monitor.
Kind regards
Maryse.
-
Automatic update AIP-SSM-10 and ASA 5510 (Beginner)
I see that it is possible to automate the updates of the ASA 5510 and AIP-SSM via FTP from my own server. Is it possible to automate the download directly from Cisco.com?
Thank you!
Jeremy
Jeremy, the answer to your question is yes, as far as the Cisco products are concerned. I wrote a Perl app that does exactly that, and I published an article about it in the June 2007 issue of Sys Admin magazine. Here's the article online: http://www.samag.com/documents/s=10128/sam0706a/0706a.htm
It is also on my site, with a tarball of the scripts:
http://www.LHB-consulting.com/pages/apps/index.html
Good luck.
-Lisa