ASA 5520 with AIP - SSM

Dear all,

I'm in the process of implementing the product named in the title for one of our clients.

I am very familiar with the configuration of the firewall, but this is the first time I am working with the AIP-SSM module.

Please, I need your help to do the configuration.

Is it possible to configure it using ASDM? If yes, please give me the steps and procedures to complete the work.

Thanks in advance

Swamy

Hi S,

Very easy:

Connect to the ASA, enter enable mode and then connect to the IPS via the command "session 1".

You are then connected to the console of the IPS. Enter the user name "cisco" and the password "cisco" and run the Setup program for the basic config (IP address etc.). After that, you can either connect directly to the IPS via a web browser or through ASDM.

Then I recommend you read the configuration guide for the IPS, as it can be very intense (configuring/tweaking signatures etc.).

I hope this helps!

See you soon

JC

Tags: Cisco Security

Similar Questions

  • ASA 5510 with AIP SSM-10

    I'm new to network administration and our company has an ASA 5510 with an AIP SSM-10 card. In the ASA interface, when I try to load Intrusion Detection, it says the following:

    "For IPS 5.1(1) S205.0, use the link below to access the IPS Device Manager. (If the SSM management IP address or the port is translated, replace them accordingly in the below URL). IPS 6.0.1 or above will be fully integrated with ASDM."

    Unfortunately, no URL is displayed below this message and there is no documentation in the company that owns this configuration. Is there a way to reset the AIP without resetting the ASA? How can I find the IP address to be able to configure it?

    From the ASA CLI, you will be able to check the IP address of the AIP module:

    show module 1 details

    It will show you the management IP address of the module, and you can HTTPS to that IP address from your PC.

  • transparent mode with AIP-SSM-20

    I currently have an ASA5510 in routed mode with an AIP-SSM-20.

    It is necessary to use an optical fiber connection between this ASA and the ASA on the campus, so the AIP-SSM will need to be removed and replaced by the SSM-4GE.  This part should present no problems.

    However, this will remove the IPS device, and I still want to use IPS.

    So what I am thinking is to get another ASA5510, install the AIP-SSM, configure the ASA for transparent mode and put it between the inside of the routed ASA and my local network.  The transparent ASA would work strictly as an IPS appliance.

    The setup should look like this:

    Internal LAN <> ASA transparent with IPS <> routed ASA <> WAN

    Can the AIP-SSM still perform IPS with the ASA in transparent mode?

    Is it possible to configure the ASA and AIP-SSM so that traffic to and from a particular server completely bypasses the AIP-SSM?

    I have a couple of file servers which generate heavy traffic and can overload the AIP-SSM.

    Kind regards.

    AFAIR, there is no problem installing the AIP in a transparent firewall.

    "The ASA in transparent mode can run an AIP.  In the event that the AIP fails,
    the IPS will fail-open and the ASA will continue to pass traffic.
    However, if an interface or cable fails, then traffic will stop.  You
    would need a failover pair to account for this failure event, which
    means another ASA and matching AIP."

    And no, there is no problem excluding certain hosts/ports/subnets from inspection by the IPS via MPF.

    http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/IPS.html#wp1050744

    What I would consider, however, is whether the ASA 5510 will be enough as a second-level firewall for 5520s.

    http://www.Cisco.com/en/us/products/ps6120/prod_models_comparison.html

    HTH,

    Marcin
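
    One way to write the MPF exclusion described in the answer above, as an added example that is not part of the original thread. The server addresses 192.0.2.10 and 192.0.2.11 and the names IPS-REDIRECT and IPS-CLASS are assumptions; traffic denied by the ACL is not matched by the class, so it is forwarded without any IPS inspection.

    ```cisco
    ! Constructed example: 192.0.2.10 and 192.0.2.11 stand in for the file servers.
    ! A deny entry means "do not match this class", so that traffic is never
    ! redirected to the AIP-SSM.
    access-list IPS-REDIRECT extended deny ip host 192.0.2.10 any
    access-list IPS-REDIRECT extended deny ip any host 192.0.2.10
    access-list IPS-REDIRECT extended deny ip host 192.0.2.11 any
    access-list IPS-REDIRECT extended deny ip any host 192.0.2.11
    ! Everything else is matched and sent to the IPS module.
    access-list IPS-REDIRECT extended permit ip any any
    !
    class-map IPS-CLASS
     match access-list IPS-REDIRECT
    !
    policy-map global_policy
     class IPS-CLASS
      ! fail-open: the ASA keeps passing traffic if the module is down
      ips inline fail-open
    !
    service-policy global_policy global
    ```

    Keep the deny list as narrow as possible (specific hosts, or specific ports on those hosts), since every excluded flow is a blind spot for the sensor.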

  • Cisco ASA 5510 + license + AIP - SSM

    Hello.

    I have this box.

    I have a few questions about it.

    (1) Will I be able to update the firmware (from 8.2 to 8.3 or greater, for example) without SmartNet for the ASA 5510? And what can I not do without SmartNet?

    (2) I have only the AIP-SSM-10 module in this ASA 5510. Is there a SmartNet for it, too? And when I buy only the module, is a 1-year subscription for the IPS signatures built in?

    (3) If I have the Cisco ASA 5510 Base license, will my IPS on the AIP-SSM-10 work?

    (4) I plan to buy one more 5510 with the same module within a year and set them up for failover. Do I really need the Security Plus license for failover (active/standby)? For active/active, I know I need one, yes?

    Please help me.

    (1) You must have SmartNet in order to download the software from the cisco.com download site.

    (2) Yes, there is also a SmartNet for the AIP module. The AIP module does not come with a one-year subscription, but you can ask for a demo license.

    (3) Yes, the Base license is OK for the AIP module.

    (4) Yes, you would need the Security Plus license on both ASAs to be able to run any type of failover on the ASA5510.

    Hope that answers your questions.

  • Inspection of hair-pinned traffic between VPNs on an ASA with AIP SSM.

    Hello

    I want to deploy an ASA as a VPN endpoint and use the AIP SSM module to inspect and provide protection for traffic arriving on one VPN and leaving on another within the same ASA. I guess it's possible because the traffic is unencrypted inside the ASA and must be intercepted by the class map. Has anyone done this, or can anyone confirm that this will work?

    Thank you very much

    Wil Bowes

    If the ASA terminates the VPN, then indeed it can also inspect it internally. Decryption happens before the "module check" for inbound traffic, and the "module check" happens before encryption for outgoing traffic. So you can do it.

    I hope it helps.

    PK

  • Cisco ASA 5520, 8.02, 4GE SSM, IPS?

    I have an ASA 5520 with 4GE SSM module.

    In ASDM, I see basic IPS signatures... any way to upgrade these signatures, add to them, etc.?

    Not really, you must purchase the AIP-SSM module for this.

    Regards

    Farrukh

  • ASA 5520 Infiltration of DNS query

    Is a TCPDUMP operation, similar to the Sidewinder FW (example below), possible through the ASA 5520 and AIP-SSM-10 (IPS) module? A reference and an answer to my question are appreciated.

    tcpdump options for DNS:

    - Internal burb: tcpdump -ntpi em0 port 53

    - External burb: tcpdump -ntpi em1 port 53

    tcpdump options for SMTP:

    - Internal burb: tcpdump -ntpi em0 port 25

    - External burb: tcpdump -ntpi em1 port 25

    You can use the iplog command to capture a PCAP file on the AIP-SSM module (assuming that you are sending the traffic you want to capture to or through the AIP-SSM IPS module). It will capture based on the source IP address.

    http://www.Cisco.com/en/us/docs/security/IPS/6.0/command/reference/crCmds.html#wp466857

    If you want tcpdump granularity, make a service account on the sensor, log in to the Linux system, su to root and tcpdump away.

  • Automatic update AIP-SSM-10 and ASA 5510 (Beginner)

    I see that it is possible to automate the updates of the ASA 5510 and AIP SSM via FTP on my own server. Is it possible to automate the download directly from Cisco.com?

    Thank you!

    Jeremy

    Jeremy, the answer to your question is correct, as far as the Cisco products are concerned. So I wrote a PERL app that does exactly that, and I published an article about it in the June 2007 issue of Sys Admin magazine. Here's the article online: http://www.samag.com/documents/s=10128/sam0706a/0706a.htm

    And it is also on my site, with a tar of the scripts too:

    http://www.LHB-consulting.com/pages/apps/index.html

    Good luck.

    -Lisa

  • ASA - AIP - SSM design review

    Hello

    If anyone can offer advice, it would be appreciated.

    We have 2 ASA 5520s with SSM modules in them. Behind the ASA is a CSS load balancer. This load balancer has an SSL module and an SSL certificate installed. Communication from the internet to the load balancer VIP is SSL, so the SSM module configured to inspect the communication is limited because everything is encrypted.

    Communication between the LB and the server farm is not encrypted, but there is no IPS in between. Can you say whether anyone has used the design below?

    int 1 (public) - ASA1 - LB 1 interface (dmz) - inside (inside) ASA1 interface where all the web servers reside

    Therefore, the traffic is on port 443 to the virtual IP address. A static on ASA 1 forwards traffic to its dmz interface where LB 1 is; then the clear traffic from LB 1 goes to the inside interface, where the whole web server farm resides. By doing so, we can configure the SSM module to monitor the traffic from the LB to the web server farm, since it passes between 2 interfaces of the ASA. We can also have an access-list on the ASA to allow traffic only between the LB and the web servers.

    Will this be a concern for the performance of the ASA?

    What is a recommended design?

    Thank you

    It is a valid design and it should work.

    The ASA will see the traffic twice, and the interface that is in front of the LB will see the traffic entering the LB twice, so I'm not sure that it is effective. Please check the amount of traffic the interfaces will see to determine whether the ASAs can handle it.

    Since the LB will be the one actually pulling pages and to talk to your servers, why did you not pass by the ASA, but external users from do not by it, when speaking of LB?

    If you are worried about DoS against the LB and you do not have another firewall to use, then I assume that it is valid.

    I hope it helps.

    PK

  • Service policy rules on the ASA AIP-SSM

    Hi forumers

    I have an ASA with an AIP-SSM. I want to protect the private LAN from outside internet attacks.

    I would like to check the direction of the ACL in ASDM Firewall > Service Policy Rules

    1. Am I right to set the source: external interface, destination: 172.16.0.2

    or 2. destination value: 10.10.0.0/16

    Thank you

    Noel

    To answer your question simply: build your service policy with the IP address that is seen by the firewall. If the 10.10.0.0/16 addresses are NATted on the router to 172.16.0.2, then all traffic hitting the firewall will show 172.16.0.2, so set your destination to 172.16.0.2. Otherwise, if the NAT for 10.10.0.0/16 is done on the firewall, point the destination to 10.10.0.0/16.

  • AIP SSM and virtual devices

    I just set up an AIP SSM module in an ASA 5520 with a single security context.

    Do I need to configure virtual devices in this case? Or can I use the default VS0? The IPS documentation says "You can't change the definition of signature, rules of action event or anomaly detection policies." for the default virtual sensor (VS0), which is the only virtual sensor I have.

    Can someone clarify what this means? Does it somehow restrict the usefulness of the IPS if I do not set up a separate VS?

    Thank you very much.

    A single virtual sensor vs0 is very good, especially when monitoring only a single security context.

    The statement that you cannot change the signature definition, event action rules or anomaly detection policies can be a little misleading.

    What it is trying to say is that you cannot create new policies such as sig1, rules1 and ad1 and try to apply them to vs0. The default vs0 must use sig0, rules0 and ad0.

    If you have created a new vs1, then you can apply new policies like sig1, rules1 and ad1 to this new vs1.

    This does NOT mean that you cannot make changes to the config in sig0, rules0 and ad0.

    So feel free to make configuration changes to sig0, rules0 and ad0 to fine-tune how your vs0 should handle the traffic.

    It's just the names of the policies that cannot be changed when you use vs0.

  • AIP SSM-10

    Hi EXP.

    This is my first time working with the AIP-SSM-10. I have an ASA5510 and an AIP-SSM-10.

    Firewall (5510):

    inside 192.168.55.252

    outside 87.191.101.1

    DMZ 172.16.0.1

    Where do I plug in the AIP SSM-10, what IP address do I have to give it, and how can I make sure it has IP connectivity, such as with ping or traceroute? What I'm missing is the IP address.

    I gave an IP address to the management interface and I allowed ping, but I couldn't ping the AIP SSM-10 from the firewall.

    Please help,

    (1) From the ASA, you would session into the module, and you must configure the IP address on this module with the command "setup".

    (2) The IP address you just set up is assigned to the interface on this module.

    (3) This interface on the module must be physically connected to your network. You can configure a unique IP address in the same subnet as your ASA inside interface.

    Here's a diagram of the module with the port interface / hardware:

    http://www.Cisco.com/en/us/docs/security/IPS/7.0/installation/guide/hw_installing_ssm.html

    Here's how to run the command "setup":

    http://www.Cisco.com/en/us/docs/security/IPS/7.0/installation/guide/hw_initializing.html

  • AIP SSM-10 and tests

    In my lab, I have a new 5510 with an AIP-SSM card.

    I think it is configured correctly to inspect traffic, but I can't be sure.

    This is part of the configuration of the ASA:

    class-map global-class
     match any
    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect ftp, etc.
     class global-class
      ips inline fail-open
    service-policy global_policy global

    I have a PC connected to a switch, going to the ASA (inside interface).

    The ASA outside interface goes to a separate VLAN on the switch.

    Both interfaces have VLANs configured.

    Is there a ping command, or other traffic I can generate from the PC, that will throw an alert?

    I tried pings to a bogus address, but that did not cause an event.

    How will I know if the traffic actually crosses the IDS?

    Thank you.

    Hello Jimmy

    Class-map: global-class
      IPS: card status Up, mode inline fail-open
        packet input 0, packet output 0, drop 0, reset-drop 0

    No packets are getting to the IPS module.

    You have told me is assigned to virtual sensor 0 on the right side of the AIP - SSM?

  • AIP-SSM-10 update

    Hello

    I have a client who runs 2 ASAs, each fitted with an AIP-SSM. The IPS has 6.1(1) E3 software and I would like to upgrade to the latest.

    I'm looking through the download sections and reading the minimum requirements of 7.0(7) E4, but I cannot find the file to download for the AIP-SSM.

    NOTE: The IPS-AIM-K9-7.0-7-E4.pkg upgrade file can only be used to upgrade AIM-IPS sensors. The IPS-NME-K9-7.0-7-E4.pkg upgrade file can only be used to upgrade NME-IPS sensors. For all other supported sensors, use the IPS-K9-7.0-7-E4.pkg upgrade file.

    Each upgrade image that I look at for E4 has only the IPS-K9 version, and the description says all platforms are supported except AIM-IPS and NME-IPS. Can someone help me find the right image for the upgrade?

    This is where I am currently looking:

    Intrusion Prevention System (IPS) system upgrades - 7.0 (2) E4

    Hello

    Please use IPS-K9-7.0-7-E4.pkg for your AIP-SSM. This version is supported on all IPS platforms except two modules for the Cisco ISR routers: AIM-IPS and NME-IPS.

    Thank you

    Alla

  • AIP-SSM-10 and syslog

    I have an ASA5520 with an AIP-SSM-10, and I want to send messages from the IPS sensor to an external syslog server. I'm not able to find how to configure it.

    Thank you for any hint.

    As of now, SSM modules cannot be configured to send events as syslogs to a syslog server. You can send these events to the Event Viewer or Security Monitor.

    Kind regards

    Maryse.
