AIP - SSM upgrade for ASA active / active

Similar Questions

• Updated AIP-SSM-10 on ASA 5510

  Hello

  I want to upgrade the IPS module in an ASA 5510, and I have a few questions. The AIP - SSM is running E3 479.0 1.0000 and I have a valid account of the ORC etc for this.

  1. What is the version of the software on the question of the ASA?
  2. When I look in the software downloads< ips="" there="" are="" .pkg="" and="" .img="" files.="" i="" want="" to="" upgrade="" to="" 6.3(3)e4.="" do="" i="" have="" to="" re-image="" the="" ips="">
  3. AFAIK redefinition to wipe the device so I just reload the config after, right?
  4. I guess I can apply any update after going to E4?
  5. Can you give me links for this upgrade?

  see you soon

  Let me give some clarification on a few points:

  2. There is no need to recreate the image on the device using the .img file.  You can improve the mechanism of maintenance of your existing configuration using the .pkg file.  It is the recommended method for upgrading to Cisco IPS devices/modules.  The .img file to recreate the image should only be used to restore the default device.

  5 here are links for the upgrade of the probe using a .pkg file.  For updates through the IDM user interface:

  http://www.Cisco.com/en/us/docs/security/IPS/6.2/configuration/guide/IDM/idm_sensor_management.html#wp2126670

  For upgrades via the CLI:

  http://www.Cisco.com/en/us/docs/security/IPS/6.2/configuration/guide/CLI/cli_system_images.html#wp1142504

  Another point of clarification; current releases of IPS software supported on the AIP-SSM-10 are (taking into account you are currently running 6.2 (1) E3):

  6.2 (3) E4

  7.0 (4) E4

  You can go directly to each output.

  Scott

• The AIP - SSM to unused ASA connection interface

  Hi people,

  Perhaps, someone has already raised this issue, but I was unable to find anything relevant. We have an ASA with an unused interface (gig0/3). The sensor of the AIP - SSM is physically connected to this interface with the following IP settings:

  Sensor (192.168.2.2/30,192.168.2.1)---interface ASA (192.168.2.1/30)

  It's basically point to point connectivity, and I can reach the ASA of the sensor and the other way around.

  This design is dictated by the lack of a free port on the switch.

  Technically, it should work without any problems, but I can't seem to be able to reach the sensor. There is a switch between my PC and the sensor and the switch has the corresponding static route added. I can reach the switch sensor.

  Is there a security feature hidden I don't know that prevent communication with the sensor.

  And ACL of the sensor allows the traffic to all networks (0.0.0.0/0)

  With the sensor acl set to 0.0.0.0/0, the sensor must be allowing connectivity.

  You can use the 'View of package' command on the sensor to look at packets on the interface command and control to see if the packets are what makes the sensor.

  You say that you have a static route on your switch for the switch reach your sensor. Do you know if your PC is configured to use the switch as the computer's default router. If the PC is to use a different default router, then the other router should also the static route.

  The other possibility is that the SAA itself can be deny traffic.

  Since this is an ASA connected to the MSS interface, the traffic must be routed through the ASA. Standard firewall rules apply to this traffic. The security level of the interfaces can prevent traffic, and an ACL may be necessary in order to allow the circulation of your PC be routed to the SSM.

  NOTE: If you don't want to have to worry about roads, the other alternative is to make the network between the ASA and SSM to be an isolated network that only 2 machines know.

  You can then use PAT static to map a port on the inside of the ASA interface with the address of the SSM 443 https port and map a second port of the SAA within the interfaces to the address of the SSM SSH port.

  How your home PC would simply plug the ASA IP using these specific ports and the ASA would do the translation of port and transmit on the MSS.

  The SSM address could also be dynamically PAT would have on the SAA within the address, so SSM could start the connection to other machines on the inside network.

  Another alternative if you have addresses available on your inside network IP is to use static NAT instead of PAT. And just go forward and has the ASA statically map an IP network on IP of the SSM on the network that only the ASA and the SSM inside could know.

  In both cases the network between the ASA and SSM would not routable at, and you wouldn't have to worry of reproducing static routes anywhere.

  SIDE NOTE: A separate network for the SSM you Becase you will also need to NAT or PAT address of the SSM for the ASA to outside interface. In this way the SSM will be able to connect to Internet to download cisco.com auto updates, and/or pull overall correlation of servers cisco information. It's probably the same configuration that you would already other internal addresses, and just to be sure, you cover the SSM since you have it on a separate subnet.

• Automatic update AIP-SSM-10 and ASA 5510 (Beginner)

  I see that it is possible to automate the updates of the ASA 5510 and AIP SSM via FTP on my own server. Is it possible to automate the download directly from Cisco.com?

  Thank you!

  Jeremy

  Jeremy, the answer to your question is correct, as far as the Cisco products are concerned. So I wrote a PERL app that does exactly that, and I published an article about it in the June 2007 issue of Sys Admin magazine. Here's the article online: http://www.samag.com/documents/s=10128/sam0706a/0706a.htm

  And it is also on my site, with a tar of scripts to:

  http://www.LHB-consulting.com/pages/apps/index.html

  Good luck.

  -Lisa

• AIP - SSM upgrade procedure

  Hello world!

  I have version 8.2 ASA5520 (1) with module AIP-SSM-20

  and I want to put AIP-SSM-20 software version 3,0000 E3 to E4 2.0000

  I go to the download site and see the following list:

  Intrusion Prevention System (IPS) recovery software:

  • IPS-K9-r-1.1-a-7.0-2-E4.pkg

  Release date: March 29, 2010

  IPS Recovery Image File

  Intrusion Prevention System (IPS) Signature Update:

  • IPS-GIS-S481-req - E4.pkg

  Release date: March 31, 2010

  E4 Signature Update S481

  Intrusion Prevention System (IPS) system software:

  • IPS-SSM_20-K9-sys-1.1-a-7.0-2-E4.img

  Release date: March 29, 2010

  Image system IPS-SSM_20 file

  Improved Intrusion Prevention System (IPS) systems

  • IPS-K9-7, 0-2 - E4.pkg

  Release date: March 29, 2010

  File upgrade 7.0 Major of IPS (all supported except AIM - IPS and NME - IPS platforms)

  • IPS-engine-E4-req-7.0-2.pkg

  Release date: March 29, 2010

  The IPS E4 engine update

  I'm a little confused by the number of files and you want to ask what the procedure/sequence I should follow to upgrade?

  This is the file that you want to use to upgrade:

  Improved Intrusion Prevention System (IPS) systems

  IPS-K9-7, 0-2 - E4.pkg

  Upgrade:

  (1) download the file 'IPS-K9-7, 0-2 - E4.pkg' through IDM

  (2) IDM--> Configuration--> sensor--> sensor update management--> choose update is located on the client--> choose file 'IPS-K9-7, 0-2 - E4.pkg'--> hit the button "Update".

  It will take some time (about 20 minutes) to upgrade the sensor, so don't panic if it does not return to the top 'UP' status immediately.

  Hope that helps.

• Support for hardware and signature to the AIP SSM-10

  We have a 5510 which we bought a map AIP SSM-10 for the SAA, which is already the subject of a support contract. We now want to add the hardware maintenance for the new card AIP SSM-10 as signature updates. Our Cisco provider is confirmed we will receive that updates of signature with hardware support (we tried to get a response from them since June or July now).

  Could someone let us know what is the correct part number, and so we can ask the specific option that will allow both the material cover and signature updates.

  I think it is need you

  CON-SU1-AS1A1PK9

  IPS, NBD SVC, AR ASA5510-AIP10SP-K9

  support for Cisco smartnet

• AIP - SSM 10 Signature Update license?

  Hi every one.we had an AIP - SSM 10 for our asa5520.actually it is bundle asa5520 + AIP-SSM10. (part number ASA5520-AIP10-K9 =)

  (1) I want to know that if we want to improve our signature aip - ssm we get the Services Cisco IPS download signatures or not with this number of pürt we get it too!

  (2) in the case and we must get the Cisco IPS services separately so where can I find a reference number for the services of this?

  (3) what license that must be installed on the sensor activation? If we get the Cisco Services for FPS then we receive license activation for installation on sensor too? or not if not, can we install signatures on a sensor that it has not been activated yet? guess we can get a few signatures how! (I know JOINT-2 we cannot install any license until the license is installed on the sensor.) Thank you

  CON-SU1-AS2A10K9 would be the correct contract to put all the pieces of the boot under the maintenance contract.

  CON-SU1-ASIP10K9, this is what is used when the AIP-SSM-10 are purchased as spare.

  I don't know if yes or no this Service Cisco IPS contract can be used to cover only the AIP-SSM-10 if it was purchased as part of a package instead of a spare part. You will need to ask your reseller or Cisco sales representative.

• Do I need two AIP - SSM modules if I'm failover configuration?

  Is it possible to use a single module AIP - SSM in two ASA that is configured in active / standby?

  I would like to configure the module in the first ASA with the relief setting.  Then, if the ASA first fails, I could physically remove the module AIP - SSM and place it in the second ASA.

  Would there be problems, configure it in this way?

  Would be the active / standby ASA complaining that there is that one module AIP - SSM?

  Thanks in advance.

  Hello

  You must have an AIP - SSM on two SAA in order to be able to run the failover, without it failover will not come to the top (because of incompatibility of hardware)

  Kind regards

  Julio

• AIP SSM and virtual devices

  I just put in place a module AIP SSM in an ASA 5520 with a unique security context.

  Do I need to configure virtual devices in this case? or I can use the VS0 default? In the documentation of the IPS, he says "You can't change the definition of signature, rules of action event or anomaly detection policies." for the default virtual sensor (VS0), which is the only virtual sensore I.

  Can someone clarify what this means? It somehow restrict the usefulness of the IPS if I do not set up a separate VS?

  Thank you very much.

  A single sensor vs0 virual is very good, especially when only a single surveillance security context.

  The statement do not change the definition of signature, event actions or policies of anomaly detection rules can be a little misleading.

  What he's trying to say, is that you cannot create ad1, regles1, and any new polcies sig1 and try to apply them to vs0. The vs0 default must use sig0, rules0 and ad0.

  If you have created a new vs1, then you can apply the new policies like sig1 and regles1 ad1 to this new vs1.

  This does NOT mean that you cannot make changes to config in sig0, rules0 and ad0.

  So feel free to make configuration changes to sig0, rules0 and ad0 to fine-tune how your vs0 should handle the traffic.

  It's just the names of politicians who cannot be changed when you use vs0.

• Configuration of AIP SSM to monitor only

  Hi all

  We bought an AIP-SSM-20 for our ASA5520. Is there a way to enable the IPS feature, but not block anything, i.e. just record events? It's just to see if any legitimate business traffic will be blocked.

  Thank you!

  Jacques

  Set the ASA to send traffic to IP addresses in promiscuous mode by using the following command in a sheet of policy:

  IPS hostname(config-pmap-c) # {inline | promiscuity} {failure-closing |}

  rescue} [sensor {sensor_name | mapped_name}]

  http://www.Cisco.com/en/us/docs/security/ASA/asa80/Getting_started/asa5500/quick/guide/aipssm.html

  Geroge

• Reloading of the AIP - SSM

  reload the module AIP - SSM affect the ASA?

  Exactly. If you don't have a political card by using the SSM module, then you can reload the module SSM and it does not affect the traffic passing by ASA. To give you more information, here is a link that gives you information on how to configure ASA to use the SSM module:

  http://www.Cisco.com/univercd/CC/TD/doc/product/multisec/asa_sw/v_7_2/conf_gd/firewall/SSM.htm#wp1050744

  Hope that helps.

  Kind regards

  Maryse.

• AIP - SSM maintenance of Configuration in Active mode Stdby

  So, I'm pretty new to the AIP - SSM but not for the ASA. It seems that very few of the AIP module configuration gets copied to the AIP Stdby, nothing else that what appears in the config of the ASA (ACL, etc.). Thus, all elements of specific configuration for the module itself must be manually reproduced on Stdby module, either entered hand or config copies moved between the two?

  Planned in the future.

• licenses for a cisco ASA active/passive pair AnyConnect SSL

  Hi all. I buy 2 5512 x ASAs is configured like a pair of active/passive as a VPN device. I need to purchase licenses for both devices anyconnect? Thank you

  Licenses AnyConnect Essentials (or premium) are combined on a cluster failover ASA. Reference

  So, buy once only the quantity and type of licenses you need based on your end users - not based on the number of ASAs - and they will be available at the ASA Active whether primary or secondary unit.

• AIP-SSM-20 upgrade

  Try to upgrade an AIP-SSM-20.

  We have 2 ASA in a failover configuration, upgrade on the AIP-SSM-20 secondary has been a success.

  On the primary AIP-SSM-20, we get the following error when you try to upgrade via FTP from the same server that we have updated the secondary SSM module of:

  execUpgradeSoftware: permission denied

  The current version is 1,0000 E1, tyring 4,0000 E1 upgrade

  We tried when the module is active and when it's not... same error in both directions. Doesn't seem to be a user FTP error since we get a different when error deliberately hits the user or password.

  Our SSM user has administrator privileges (cisco default user) and we tried to restart the SSM... no luck

  Anyone has any idea on this?

  Thank you

  John Stemke

  I don't know if the error is generated by the sensor itself, or from the ftp server.

  To discover the try running a sniffer of packages on the ftp server or the 'package' command on the CLI for the command of the probe and control interface.

  Run the command to upgrade and see if a ftp connection is still attempted by the sensor.

  If no ftp connection is attempted, then the error would be to the sensor itself, and it would seem that the user doesn't have permissions admin (which doesn't seem to be your case by what you wrote).

  If the ftp connection is attempted, then the error is probably coming from the ftp server. Look at the packages that you have captured and see if an error is coming from the ftp server. The problem may be a permissions issue on the file on the ftp server. The ftp directory or the file itself may not have read permission for the file.

  You can also try a ftp from your own desktop to the same ftp server by using the same user and password used for the sensor and see if you can download it on your own desktop.

  As a work around to get your updated sensor to update and work on this authorization the problem is later to copy the upgrade on your desktop.

  Run IDM and use IDM to repel the upgrade of your desktop directly on the sensor.

• Cisco ASA 5510 + license + AIP - SSM

  Hello.

  I have this box.

  I have a few questions about it.

  (1) I'll be able to update the firmware (from 8.2 to 8.3 or greater for example) without smarnet for ASA 5510? And what can not do without smartnet?

  (2) I have only AIP-SSM-10 module this ASA 5510. is there a smartnet, too? And when I buy only one module is it build in a subscription for 1 year for the signatures of the IPS?

  (3) if I have the Cisco ASA 5510 base license, my IPS on AIP-SSM-10 will work?

  (4) as I foresee in a purchase of the year a 5510 more with the same module and mount ther of failover. I really need license Security more than failover (active / standby)? For active/active, I know I need one, Yes?

  Please help me.

  (1) you must Smartnet in order to download the software from the download from cisco.com site.

  (2) Yes, there is also a smartnet for the AIP module. Module AIP does not come with one year subscription, but you can ask for a demo license.

  (3) Yes, the basic license is OK for the AIP module.

  (4) Yes, you would need license security more on the two ASA to be able to run any type of failover on ASA5510.

  Hope that answers your questions.