Do I need two AIP-SSM modules if I'm in a failover configuration?

Is it possible to use a single AIP-SSM module in two ASAs that are configured in active/standby?

I would like to configure the module in the first ASA with the failover setting.  Then, if the first ASA fails, I could physically remove the AIP-SSM module and place it in the second ASA.

Would there be problems configuring it this way?

Would the active/standby ASA complain that there is only one AIP-SSM module?

Thanks in advance.

Hello

You must have an AIP-SSM on the two ASAs in order to be able to run failover; without it, failover will not come up (because of hardware incompatibility).

Kind regards

Julio

Tags: Cisco Security

Similar Questions

  • New deployment with the ASA and AIP - SSM module

    Hi guys and girls,

    I'm thinking of deploying an ASA with the AIP-SSM IPS module at my perimeter. I'm going to use Cisco IPS Manager Express (IME) to monitor the IP addresses to monitor the ASA. I have no plans on deploying a device IDS.

    Question: Is the IME designed to send notices about threats? What are some of the configurations in your network? (Just prick with the last question.)

    THX...

    IME is designed only to monitor IPS (whether it be an IPS appliance, an AIP-SSM module on an ASA or another IPS module). IME is not able to control the ASA.

    IME can provide email notification about events that are fired on the IPS, while the IPS itself cannot. IME can also keep all the events triggered by the IPS, while the IPS buffer is quite small, so if you have a huge number of events, the buffer gets overwritten pretty quickly.

    Here is more information about IME, if you are interested:

    http://www.Cisco.com/en/us/products/ps9610/index.html

  • ASA-SSM-20 on the active failover configuration

    Can you synchronize configuration data between two IPS systems?

    I have two ASA-SSM-20 (6.1.1 E3), one in each of my ASAs. The ASAs are in an active failover configuration. When configuring the IPS module I always make the same changes in the standby unit as well. Is it possible to synchronize the two, so that when one is configured the other is updated?

    Thank you very much

    Unlike the ASA, there is no automatic function to keep the configuration synchronized across the 2 SSMs.

    A few options:

    You can use the copy command to copy the configuration of a sensor to an ftp/scp server.

    Then use the copy command on the second sensor to copy the configuration onto the second sensor. During the copy, it will ask whether to change the IP of the sensor to what is in the configuration file. You will need to tell it NOT to change the IP of the sensor, otherwise you end up with 2 SSMs with the same IP address and will struggle to connect to them.

    Another option is to use CSM. CSM has configuration that applies to single sensors, but also group configuration that can be applied across multiple sensors.

    If you used the group configuration, then you could make one change to the configuration of the group and apply it to all the sensors in the group (you would place your 2 SSMs in the same group).

  • silly question on module aip - ssm

    When the aip ssm module is in inline mode, is the packet first analyzed by the aip ssm module, or is it first checked by the firewall rules to see if it is allowed and then sent to the aip ssm module?

    Can someone throw some light on this?

    Regards

    Sushil

    All firewall rules are applied prior to sending the packets to the SSM.

    So if the packet would be dropped by a firewall rule, the packet will not be sent to the SSM.

    If the packet would be changed by a firewall rule, then the change will happen before it is sent to the SSM.

    There are two exceptions: encryption and the final transmission of the packet.

    Encryption occurs after packets are sent to the SSM, so the SSM always sees unencrypted traffic (where the ASA is the encryption tunnel endpoint).

    And of course transmission of the packet by the ASA out through its interfaces happens after sending to the SSM.

    In the case of promiscuous monitoring by the SSM, encryption and transmission happen right after a copy is sent to the SSM.

    In the case of inline monitoring by the SSM, encryption and transmission occur only after the SSM has completed its analysis and the packet was not denied by the SSM.

  • Licensing Module AIP SSM issue

    Hello

    If I put 2 AIP SSM modules into 2 Cisco ASAs which are grouped, do I need a new license for the firewall?  ASDM complains that no valid license is installed, even though the firewall picks up the cards and allows me to configure them in the CLI.

    Help please

    Yes, you do.

    The AIP SSM module is independent of the ASA. Each AIP SSM module would need its own license, as it relates to the AIP SSM module number.

  • Question on the CSC - ssm modules and aip - ssm in the ASA5500

    Is it true that the CSC-SSM and AIP-SSM modules cannot coexist in an ASA5500 device at the same time?

    Another question: on the Cisco site, is there a sample config using the intra-interface command keyword involving NO IPSEC TRAFFIC?

    It is true that the CSC-SSM and AIP-SSM modules cannot coexist in an ASA5500 device at the same time.

    There is no sample configuration on the site yet. However, apart from the same-security command, you need the ordinary translation rule to pass traffic. Also, because of the dynamic nature, it allows only one-way traffic. For example:

    nat (inside) 10 192.168.1.0 255.255.255.0

    global (inside) 10 interface

    global (outside) 10 interface   (not required, however)

    Sincerely,

    ~ AJ

  • AIP - SSM upgrade for ASA active / active

    Hello world!

    I need help upgrading the AIP-SSM modules to E4 on two ASAs that are in active/active state. Will I be able to do this without downtime? What are the considerations?

    The AIPs are independent of ASA failover; however, the ASA can take the status of the AIP into account for failover, which means it can fail over if it detects an AIP module going down on the active device.

    The best method for upgrading in this situation is to set the failover status to active for all groups on the primary ASA, then upgrade the AIP of the secondary ASA.

    Once the secondary AIP is completely upgraded and functional, set all failover groups to be active on the secondary ASA.

    Then upgrade the primary AIP.

    Once the primary AIP is completely upgraded and working, you can then restore the failover status of the ASAs by setting each failover group active on the specific ASA you want it to be active on...

    Kind regards

  • AIP - SSM in cluster

    Hello

    We have an ASA failover cluster, with 2 IPS, each an AIP-SSM in an ASA. Is there a way to configure the IPS modules in cluster mode like the ASAs, or to have a configuration that is mirrored between them?

    Thank you very much.
    Best regards, Antonello.

    Antonello;

    Configuration mirroring between the AIP-SSMs is not currently available.  You can emulate this process by copying the current configuration of the active AIP-SSM to an FTP server, changing the configuration to remove the host-specific details (IP address, etc.) and then copying this configuration onto the standby AIP-SSM.

    Another option would be to invest in Cisco Security Manager (CSM) and create a shared policy that is applied to the two AIP-SSMs.

    Scott
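
Copying configurations by hand, as described in this answer and in the ASA-SSM-20 thread above, lets the two sensors drift apart, so after a failover traffic may be inspected under a different policy. The following Python check is an added example, not part of the original posts: it compares two exported sensor configurations while ignoring host-specific lines. The sample exports are constructed, and treating `host-ip` and `host-name` as the only host-specific keywords is an assumption.

```python
import difflib

# Assumption: these "service host" keywords are the per-sensor details
# (IP address, host name) that are expected to differ between the modules.
HOST_SPECIFIC = ("host-ip", "host-name")

def normalize(config_text):
    """Keep policy lines only: drop comments, blanks and host-specific settings."""
    kept = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.split()[0] in HOST_SPECIFIC:
            continue
        kept.append(line)
    return kept

def drift(active_text, standby_text):
    """Return '-'/'+' lines present on only one sensor after normalization."""
    diff = difflib.unified_diff(normalize(active_text), normalize(standby_text),
                                "active", "standby", lineterm="", n=0)
    return [d for d in diff
            if d[:1] in ("+", "-") and not d.startswith(("+++", "---"))]

# Constructed sample exports (not taken from any real sensor).
ACTIVE = """\
! constructed sample configuration
service host
network-settings
host-ip 192.0.2.11/24,192.0.2.1
host-name ips-active
telnet-option disabled
access-list 192.0.2.0/24
exit
exit
service signature-definition sig0
signatures 2004 0
status
enabled true
exit
exit
exit
"""
STANDBY = (ACTIVE.replace("192.0.2.11", "192.0.2.12")
                 .replace("ips-active", "ips-standby")
                 .replace("telnet-option disabled", "telnet-option enabled")
                 .replace("enabled true", "enabled false"))

if __name__ == "__main__":
    for line in drift(ACTIVE, STANDBY):
        print(line)
```

An empty result means the two sensors carry the same policy apart from their addresses and names; any `-`/`+` pair is a setting to reconcile before relying on the standby unit.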

  • AIP SSM - application of physical port

    Hi all

    I have an ASA5520 with the AIP SSM module.

    I would like to get a quick check on 2 things.

    1. The AIP-SSM module MUST have a physical ethernet port plugged in in order for IPS to function?
    2. The AIP-SSM module IP address must be on a different IP range from the ASA5520 interfaces?

    Please correct me if I'm wrong.

    I have a deployment of ASA + AIP, but due to the limitation of physical ports & IPs on our network, we are not able to cater for the AIP module.

    Please advise.

    1. The physical ethernet port must be plugged in and connected to the network for management purposes, that is, to manage the AIP module itself via the IDM GUI.

    2. No, it doesn't need to be on a different range of IP addresses from the ASA interfaces. It's just another IP on your network, and it must be connected to the network via its management port (the physical port located on the AIP module itself); it may be on another subnet within your ASA interfaces.

    The only way that you can manage the AIP module via the GUI (IDM) is via its physical port. However, if you are happy to set up and manage the AIP module via the command line, you can always just session in through the ASA command line; however, managing the AIP via CLI can be annoying.

  • AIP SSM w / failover

    Hi all

    I will implement an AIP SSM module with active/standby failover. Has anyone done this configuration? Will the active ASA replicate the IPS config to the standby ASA? I've been looking for documentation on the Cisco site, but I have not found any.

    TKS

    Unlike the ASA... SSM module configs are not replicated to each other... they are treated as separate units; you must set up the modules manually.

    Refer... http://www.Cisco.com/en/us/docs/security/IPS/5.1/Configuration/Guide/CLI/cliSSM.html#wpxref34736

    See if that helps!

  • Inspection of traffic between hair-pinning VPN on an ASA with AIP SSM.

    Hello

    I want to deploy an ASA as a VPN endpoint and use the AIP SSM module to inspect and provide protection for inbound traffic arriving on one VPN and leaving on another within the same ASA. I guess it's possible because the traffic is unencrypted inside the ASA and should be intercepted by the class map. Has anyone done this, or can anyone confirm that this will work?

    Thank you very much

    Wil Bowes

    If the ASA terminates the VPN, then indeed it can also inspect internally. Decryption happens before "module controls" for inbound traffic, and "module controls" happen before encryption for outgoing traffic. So you can do it.

    I hope it helps.

    PK

  • Backup of AIP SSM

    Hi all

    Please recommend the best way to back up the AIP SSM module.  Is it possible to automate it?

    Thank you

    If you use Cisco Security Manager, it'll keep a copy of the working configuration that can be redeployed to a replacement sensor.

    If this isn't the case, you can always capture the output of the "show config" CLI command.

    Pasting that into a spare sensor will restore your config, just like a Cisco switch or router.

    There are a lot of scripts available for this for routers; editing them to change the "show run" command to "show config" would be pretty easy.

    -Bob

  • What is the difference between IPS, AIP-SSC and AIP-SSM?

    Dear all,

    I'm not clear about how the IPS, AIP-SSC and AIP-SSM modules differ.

    So, when can we use IPS?

    When do we use the AIP-SSC?

    When can we use AIP-SSM?

    Also, are IPS, AIP-SSC and AIP-SSM different hardware or the same hardware?

    Best regards

    Rechard

    AIP-SSM is an IPS module for the ASA firewall.

    IPS is available in different flavors:

    - IPS 4200 series appliance
    - AIP-SSM - IPS module on ASA firewall
    - IDSM2 - IPS module on 6500 series switch
    - AIM-IPS - IPS card on IOS router

    Please rate and mark post useful.

  • where connect AIP - SSM 10 MODULE INTERFACE

    Hello

    We have a CISCO ASA 5520 with the AIP-SSM-10 IPS module. I'm new to IPS.

    1. I do not know where to connect this module's port (connectivity): should it connect to a router interface or an L3 port?

    2. Which IP address should I use? Should it be an accessible network IP or customer?

    3. And how does the IPS function?

    Kindly, can anyone guide me?

    Hello

    You will need the credentials of EAC by means of which you should be able to connect to www.cisco.com

    SPSP

  • Module AIP - SSM hung

    Hello

    I recently configured my AIP-SSM-40 module in my firewall, which is configured in HA (Active/Standby). It was working fine. Then, I upgraded the version of the image to IPS, 2.0000 E3.

    It worked fine for a week. Then I found that the secondary firewall was in a state of secondary failure. My AIP-SSM in the secondary firewall fails.

    I couldn't connect to the AIP-SSM with the command session 1. The output of the show module command:

    Mod Card Type                                    Model              Serial No.
    --- -------------------------------------------- ------------------ -----------
      0 ASA 5520 Adaptive Security Appliance         ASA5520
      1 ASA 5500 Series Security Services Module-40  ASA-SSM-40

    Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
    --- --------------------------------- ------------ ------------ ---------------
      0 0021.a09a.d1bb to 0021.a09a.d1bf  2.0          1.0(11)5     8.0(4)
      1 0023.5e15.f6c8 to 0023.5e15.f6c8  1.0          1.0(14)5

    Mod SSM Application Name           Status           SSM Application Version
    --- ------------------------------ ---------------- --------------------------

    Mod Status             Data Plane Status     Compatibility
    --- ------------------ --------------------- -------------
      0 Up Sys             Not Applicable
      1 does not           Not Applicable

    At the end, the show failover command shows:

    Slot 1: ASA-SSM-40 rev hw/sw (1.0 /) status (does not/high)

    I suspect the SSM module is having the problem. Is it possible to recover it?

    Try to stop and reset the module using this command from the ASA:

    hw-module module 1 reset
