ASA5510 and AIP-SSM-10 module in promiscuous mode

Hello

I have a 5510 ASA with the AIP-SSM-10 and want to use it just like an IDS, in promiscuous mode.

ASA 5510: ASA version 7.0(8)

AIP-SSM-10: IPS version 5.0 E2

At this point, we would like to configure a single interface of the ASA to send traffic to the AIP for IDS inspection (and continue to use our existing third-party firewalls). Is this possible?

The following discussion makes me think it isn't:

https://supportforums.Cisco.com/message/957351

I have 22.1.100.2/28 configured on interface Eth0/0 (outside) and 10.5.100.3/24 on the AIP-SSM management interface, and the switch ports (Cisco 6509) have been configured for SPAN.

Thanks for your advice in advance.

Kind regards

Lay

You are right. Unfortunately, the AIP module on the ASA firewall does not listen to SPAN traffic. If you want to use SPAN ports, you can use the IPS appliance (IPS 4200 series), which supports inspecting SPAN traffic.

PIX is also a firewall, without an IPS feature, so it cannot be used as an IPS device.


Similar Questions

  • Question on the CSC-SSM and AIP-SSM modules in the ASA5500

    Is it true that the CSC-SSM and AIP-SSM modules cannot coexist in the ASA5500 device at the same time?

    Another question: the Cisco site mentions using the intra-interface command keyword for NON-IPSEC TRAFFIC; are there any configuration examples?

    It is true that the CSC-SSM and AIP-SSM modules cannot coexist in the ASA5500 device at the same time.

    There is no sample configuration on the site yet. However, for traffic between interfaces of the same security level, you need an ordinary translation (NAT) rule to pass traffic. Also, because of the dynamic nature, it allows only one-way traffic. For example:

    nat (inside) 10 192.168.1.0 255.255.255.0

    global (inside) 10 interface

    global (outside) 10 interface (not required, however)

    Sincerely,

    ~ AJ

  • What is the difference between the IPS, AIP-SSC and AIP-SSM?

    Dear all,

    I'm not clear about the IPS, AIP-SSC and AIP-SSM module; how are they different?

    Then, when can we use the IPS?

    When do we use the AIP-SSC?

    When can we use the AIP-SSM?

    So, are the IPS, AIP-SSC and AIP-SSM different hardware or the same hardware?

    Best regards

    Rechard

    AIP-SSM is an IPS module for the ASA firewall.

    IPS is available in different flavors:

    - IPS 4200 series appliance

    - AIP-SSM - IPS module for the ASA firewall

    - IDSM2 - IPS module for the 6500 series switch

    - AIM-IPS - IPS card for IOS routers

    Please rate and mark the post as useful.

  • New deployment with the ASA and AIP-SSM module

    Hi guys and girls,

    I am thinking of deploying an ASA with the AIP-SSM IPS module at my perimeter. I'm going to use Cisco IPS Manager Express (IME) to monitor the IPS and the ASA. I have no plans to deploy an IDS device.

    Question: Is IME designed to send notices about threats? What are some of the configurations in your network? (Just probing with the last question.)

    Thanks...

    IME is designed only for IPS monitoring (whether it be an IPS appliance, the AIP-SSM module on the ASA or another IPS module). IME is not able to manage the ASA.

    IME can provide email alerts about events fired on the IPS, while the IPS itself cannot. IME can also keep all the events triggered by the IPS, while the IPS buffer is small enough that, if you have a large number of events, the buffer gets overwritten pretty quickly.

    Here is more information about IME, if you are interested:

    http://www.Cisco.com/en/us/products/ps9610/index.html

  • Where to connect the AIP-SSM-10 module interface

    Hello

    We have a Cisco ASA 5520 with the AIP-SSM-10 IPS module. I'm new to IPS.

    1. I do not know where to connect this module's port (connectivity): should it connect to a router interface or an L3 port?

    2. Which IP address should it use: an accessible network IP or a customer one?

    3. And how does the IPS function?

    Kindly, can anyone guide me?

    Hello

    You will need CCO credentials with which you should be able to connect to www.cisco.com

    SPSP

  • NTP with Windows Server and the AIP-SSM

    We use a Windows-based server as the NTP server. But I need the NTP key to configure NTP on the AIP-SSM: the key ID and the NTP key value. How do you find this information, or bypass it? Or is it possible to set the clock without using an NTP server? I disabled the NTP service, hoping that it would use the firewall clock, but it didn't.

    Kind regards

    Your offset must be -360.

    The offset is in minutes rather than hours. Right now you are saying that CDT is only 6 MINUTES from GMT, when what you want is -6 HOURS, i.e. -360 minutes.

    offset -360

  • Blocking P2P software using the ASA AIP-SSM-20 module

    Hello

    I have a question about blocking P2P traffic with the ASA AIP module. I've searched the forums and all I could find were solutions using regex, port blocking and MPF, but no example of an implementation on the AIP.

    Could someone point me in the right direction please?

    Thank you very much

    Martin

    Hello

    You can find all the associated P2P signatures at:

    http://Tools.Cisco.com/Security/Center/home.x

    Search using Signatures, p2p, all. Then you can set the respective signatures to your needs.

    SPSP

  • IPS (AIP-SSM) module for the ASA5520

    My ASA is 7.2(2) and ASDM is 5.2(2).

    Upgrading the IPS module from version 5.0.2 to v6.1.1.

    What version of ASA/ASDM do I need to fully support IPS 6.1?

    I just went through this process.

    ASDM 6.0 (3)

    ASA 8.0 (3)

  • AIP SSM-10

    Hi experts,

    First time for me working with the AIP-SSM-10. I have an ASA5510 and an AIP-SSM-10.

    Firewall (5510):

    inside 192.168.55.252

    outside 87.191.101.1

    DMZ 172.16.0.1

    Where do I plug in the AIP SSM-10, what IP address do I have to give it, and how can I make sure that it has IP connectivity, e.g. with ping or traceroute? What I'm missing is the IP address.

    I gave an IP address to the management interface and I allowed ping, but I couldn't ping the AIP SSM-10 from the firewall.

    Please help,

    (1) From the ASA, you would session into the module, and you must configure the IP address on the module with the "setup" command.

    (2) The IP address you just set up is assigned to the interface on this module.

    (3) This interface on the module must be physically connected to your network. You can configure a unique IP address in the same subnet as your ASA inside interface.

    Here's a diagram of the module with the hardware port/interface:

    http://www.Cisco.com/en/us/docs/security/IPS/7.0/installation/guide/hw_installing_ssm.html

    Here's how to run the "setup" command:

    http://www.Cisco.com/en/us/docs/security/IPS/7.0/installation/guide/hw_initializing.html
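    The three steps above, and the minutes-not-hours time offset from the NTP post earlier in this list, as one worked CLI session. This is an added example, not from any post in the thread. It assumes the module sits in slot 1, its management port is cabled into the inside LAN (192.168.55.0/24 from the post), 192.168.55.250 is a free address chosen for the sensor, and the ASA inside address 192.168.55.252 is used as the sensor's gateway; the `service host` commands are the equivalent of what `setup` asks interactively.

```text
! Added example, not from the original post. Assumed values: slot 1,
! sensor address 192.168.55.250/24, gateway 192.168.55.252 (ASA inside).
ciscoasa# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.

sensor login: cisco
Password: <current password>
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
! host-ip takes address/prefix,gateway in one argument
sensor(config-hos-net)# host-ip 192.168.55.250/24,192.168.55.252
sensor(config-hos-net)# host-name sensor
! Only these networks may reach the management port (IDM/ASDM/IME, SSH, ping).
! If a management host is outside this list, its connection is silently dropped.
sensor(config-hos-net)# access-list 192.168.55.0/24
sensor(config-hos-net)# telnet-option disabled
sensor(config-hos-net)# exit
! The offset is in minutes: US Central standard time is -360, not -6
sensor(config-hos)# time-zone-settings
sensor(config-hos-tim)# offset -360
sensor(config-hos-tim)# standard-time-zone-name CST
sensor(config-hos-tim)# exit
sensor(config-hos)# exit
Apply Changes?[yes]: yes
sensor(config)# exit
! Confirm layer-3 reachability from the sensor to the ASA inside address
sensor# ping 192.168.55.252
```

    The `access-list` under `network-settings` is the sensor ACL the ASDM troubleshooting post further down refers to: a host that can reach the module's IP but is not covered by one of these entries gets no response, which looks exactly like a failed ping.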

  • Automatic updates for the AIP-SSM-10 and ASA 5510 (Beginner)

    I see that it is possible to automate the updates of the ASA 5510 and AIP SSM via FTP from my own server. Is it possible to automate the download directly from Cisco.com?

    Thank you!

    Jeremy

    Jeremy, the answer to your question is yes, as far as the Cisco products are concerned. I wrote a Perl app that does exactly that, and I published an article about it in the June 2007 issue of Sys Admin magazine. Here's the article online: http://www.samag.com/documents/s=10128/sam0706a/0706a.htm

    And it is also on my site, with a tarball of the scripts:

    http://www.LHB-consulting.com/pages/apps/index.html

    Good luck.

    -Lisa

  • Cisco ASA 5510 + license + AIP-SSM

    Hello.

    I have this box.

    I have a few questions about it.

    (1) Will I be able to update the firmware (from 8.2 to 8.3 or greater, for example) without SmartNet for the ASA 5510? And what can't I do without SmartNet?

    (2) I only have the AIP-SSM-10 module in this ASA 5510. Is there a SmartNet for it too? And when I buy only one module, is a 1-year subscription for the IPS signatures built in?

    (3) If I have the Cisco ASA 5510 base license, will my IPS on the AIP-SSM-10 work?

    (4) As I foresee purchasing one more 5510 with the same module during the year and setting them up for failover: do I really need the Security Plus license for failover (active/standby)? For active/active, I know I need one, yes?

    Please help me.

    (1) You need SmartNet in order to download the software from the cisco.com download site.

    (2) Yes, there is also a SmartNet for the AIP module. The AIP module does not come with a one-year subscription, but you can ask for a demo license.

    (3) Yes, the base license is OK for the AIP module.

    (4) Yes, you would need the Security Plus license on both ASAs to be able to run any type of failover on the ASA5510.

    Hope that answers your questions.

  • Cannot access the AIP SSM via ASDM

    Cisco's recommendations below:

    Cannot access the AIP SSM via ASDM

    Problem:

    This error message appears on the GUI.

    Error connecting to sensor. Error Loading Sensor error

    Solution:

    Make sure that the IPS SSM management interface is up and check its configured IP address, default gateway and subnet mask. This is the interface used to reach it from Cisco Adaptive Security Device Manager (ASDM) on the local computer. Try to ping the IPS SSM management interface IP address from the local computer you want to run ASDM from. If the ping fails, check the ACLs on the sensor.

    ----------------------------------------------------------------------------------------------------------------------------------------------

    I've tried everything recommended above. I can ping the FW and the SSM-10 module from the ASDM host. Well, I can ping the host machine and the SSM from the ASDM. I opened the ACL as wide as possible. I changed the IP addresses and masks several times. The ASA management port, the SSM and the PC are on the same subnet.

    A packet trace from the PC to the SSM shows that it is blocked by an ACL rule, and yet I opened it wide. I've seen this kind of problem before and it was solved by applying a double static NAT, but I don't know how to do that if all the IP addresses are on the same subnet.

    Tried everything, need help from a high level.

    The IDM software that comes with ASDM does not support Java 1.7. The ASA portion of ASDM supports 1.7, but launching the IPS applet works only with 1.6. The TAC engineer suggested that I use IME (IPS Manager Express), which is available for free on Cisco's website (http://www.cisco.com/en/US/products/ps9610/tsd_products_support_general_information.html).

    I've been playing with it today, and so far it seems to work pretty well.

  • Transparent mode with the AIP-SSM-20

    I currently have an ASA5510 in routed mode with an AIP-SSM-20.

    It is necessary to use a fiber-optic connection between the ASA and the ASA on the campus, so the AIP-SSM will need to be removed and replaced by the SSM-4GE. This part should present no problems.

    However, this will remove the IPS device, and I still want to use IPS.

    So what I'm thinking is to get another ASA5510, install the AIP-SSM, configure the ASA for transparent mode and put it between the inside of the routed ASA and my local network. The transparent ASA would function strictly as an IPS appliance.

    The setup should look like this:

    Internal LAN <> ASA transparent with IPS <> routed ASA <> WAN

    Can the AIP-SSM still perform IPS with the ASA in transparent mode?

    Is it possible to configure the ASA and AIP-SSM such that traffic to and from a particular server completely bypasses the AIP-SSM?

    I have a couple of file servers which generate heavy traffic and could overload the AIP-SSM.

    Kind regards.

    AFAIR, there is no problem installing the AIP in a transparent firewall.

    "The ASA in transparent mode can run an AIP. In the event that the AIP fails, the IPS will fail open and the ASA will continue to pass traffic. However, if an interface or cable fails, then traffic will stop. You would need a failover pair to account for this failure event, which means another ASA and matching AIP."

    And no, there is no problem excluding certain hosts/ports/subnets from IPS inspection via MPF.

    http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/IPS.html#wp1050744

    What I would consider, however, is whether the ASA 5510 as a second-level firewall behind the 5520s will be enough.

    http://www.Cisco.com/en/us/products/ps6120/prod_models_comparison.html

    HTH,

    Marcin
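    The MPF exclusion Marcin describes, written out as an ASA configuration. This is an added example, not part of the thread or of the linked Cisco page. It assumes the heavy file server is 10.10.10.20 and invents the ACL, class-map and policy-map names; the `ips` keywords (`inline`/`promiscuous`, `fail-open`/`fail-close`) are the real command options. A `deny` entry in the ACL that the class-map matches on exempts that traffic from the class, so it is never sent to the module; everything that does match is handed to the SSM after the firewall rules have been applied.

```text
! Added example, not from the original thread. Assumed: file server 10.10.10.20;
! ACL/class/policy names are arbitrary.
! deny = do NOT send to the module; permit = send to the module.
access-list IPS-TRAFFIC extended deny ip host 10.10.10.20 any
access-list IPS-TRAFFIC extended deny ip any host 10.10.10.20
access-list IPS-TRAFFIC extended permit ip any any
!
class-map IPS-CLASS
 match access-list IPS-TRAFFIC
!
policy-map IPS-POLICY
 class IPS-CLASS
  ! inline: the packet is held until the module returns a verdict.
  ! fail-open: if the module is down, traffic keeps flowing uninspected
  ! (the behaviour the quoted note above describes); fail-close would drop it.
  ! For an IDS-style copy instead, as the first post in this thread asks about,
  ! use:  ips promiscuous fail-open
  ips inline fail-open
!
! Apply on one interface only (the question at the top of the page), or
! replace the last line with "service-policy IPS-POLICY global".
service-policy IPS-POLICY interface inside
```

    Note that this only selects traffic already flowing through the ASA; it does not make the module listen to SPAN traffic, which is the limitation the first answer on this page points out. `fail-open` is a deliberate availability-over-inspection choice: with a single ASA and no failover pair, a module failure leaves the path up but blind.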

  • vSphere - "Promiscuous" Mode?

    I have a virtual machine running in vSphere Hypervisor. I'm trying to install a VPN utility (SoftEther) that requires the network adapter to be put into promiscuous mode. After reviewing the ESXi documentation, it tells me to go to the 'Configuration' tab, but this tab is missing.

    Is it possible for me to configure my NIC as such? I called tech support and they sent me here.

    I was able to download the command-line tool (esxcli) and that allowed me to set promiscuous mode. It is not trivial to figure this out, but at least I got around it. For anyone else running into this problem, you can do something like this:

    To list the interfaces/ports:

    esxcli --server IPADDRESS --username USER --password PASSWORD network ip interface list

    My switch was vSwitch0 after running this.

    To check the policy:

    esxcli --server IPADDRESS --username USER --password PASSWORD network vswitch standard policy security get -v vSwitch0

    To set the policy (-p allow promiscuous, -m allow MAC address change, -f allow forged transmits):

    esxcli --server IPADDRESS --username USER --password PASSWORD network vswitch standard policy security set -v vSwitch0 -p true -m false -f true

  • Silly question on the AIP-SSM module

    When the AIP SSM module is in inline mode, is the packet first analyzed by the AIP SSM module, or is it first checked by the firewall rules to see whether it is allowed and then sent to the AIP SSM module?

    Can someone shed some light on this?

    Regards

    Sushil

    All firewall rules are applied prior to sending the packets to the SSM.

    So if the packet would be dropped by a firewall rule, the packet will not be sent to the SSM.

    If the packet would be changed by a firewall rule, then the change is made before it is sent to the SSM.

    There are two exceptions, and these are encryption and the final transmission of the packet.

    Encryption occurs after packets are sent to the SSM, so the SSM always sees unencrypted traffic (where the ASA is the encryption tunnel endpoint).

    And of course, the ASA transmitting the packet out of its external interfaces happens after sending it to the SSM.

    In the case of promiscuous monitoring by the SSM, encryption and transmission happen right after a copy is sent to the SSM.

    In the case of inline monitoring by the SSM, encryption and transmission occur only after the SSM has completed its analysis and the packet was not denied by the SSM.
