do not get traffic of ASA AIP-SSM-20.

Similar Questions

• Physical connectivity of ASA AIP - SSM

  How the physical connectivity of ASA AIP - SSM should be in the case of inline interface mode of inspection for all interfaces of the firewall. ?

  Rgds.

  Assuming that 'interface_policy' has "inline ips" in the policy, then yes your configuration is correct.

  Keep in mind that 'GigabitEthernet0/1' being assigned to vs0 is the background interface of basket of the MSS itself and should not be confused with the external interface GigabitEthernet0/1 of the SAA.

  As for using several virtual probes, it is a personal choice.

  When you use an ASA with just a single context, then usually a single virtual sensor is sufficient. It's only when you want to follow for traffic coming from firewall interfaces (or different classes of traffic) If you want to use several different virtual devices.

  However, when you use an ASA with multiple security contexts, then it is usually a good idea to go and use a virtual sensor separate from the context of the ASA.

  If you choose to use several virtual devices, you must understand that the background basket interface GigabitEthernet0/1 are only awarded to only 1 virtual sensors.

  Here is an explanation of how the other virtual sensors would get traffic:

  When packets are sent to DFS for monitoring ASA, ASA includes a special header in each packet. Special information such as the framework of the SAA whence the package, the real and NAT/PAT package addresses, and a few other things. An important field of this header is for the virtual sensor. He tells the SSM which virtual sensor must monitor this package.

  When the ASA is configured without using the names of virtual sensor, this is a virtual sensor in the package header field is blank. If the SSM sees a package with the field left blank it will check the DFS configuration to see which virtual sensor GigabitEthernet0/1 of the SSM has been assigned and that sends the packets to the virtual sensor.

  If ASA has been configured to send the packet to a specific virtual sensor (be it by adding the name of virtual sensor at the end of the "inline ips" entered configuration or by using the configuration entries "allocate ips" in the context of system configuration) then the ASA will include the virtual sensor in the header of the packet. The SSM will read in this area, and instead to send the virtual sensor where Gig0/1 is assigned, it will rather send to virtual sensor specified in the header of the packet.

  Indeed, it overrides the assignment Gig0/1 and will lead to what ever virtual sensor has been specified by the configuration of the SAA.

• The ACE IPS Cisco and Cisco ASA AIP - SSM (IPS)

  Is there a difference between the features offered by the Cisco ACE IPS and Cisco ASA AIP - SSM (IPS) devices?

  Can we do without Cisco ASA AIP - SSM (IPS) of 'only' configuration/implementation Cisco ACE IPS.

  Cisco AVS/ACE emphasis on commissioning and to secure web-based applications. IP addresses do not focus on just the web applications and trying to get the multiple layers of the OSI stack. Consider the IPS as a general practitioner and the ACE/AVS as an eye surgeon, or something :)

  Here is the response from Cisco itself:

  http://www.Cisco.com/en/us/prod/collateral/modules/ps2706/ps6906/prod_qas0900aecd8045867c_ps6492_Products_Q_and_A_Item.html

  Q: how is Cisco AVS Firewall application differs from an intrusion prevention system (IPS)?

  A. IPSs are solid solutions of protection against targeted attacks of known vulnerabilities in major platforms such as Windows, Solaris, Apache or Microsoft Internet Information Services (IIS). Cisco AVS excels to protect against targeted attacks Web sites or enterprise applications. These applications can be built custom internal applications or software vendor. Signatures and security patches are generally not available for these types of applications, and building these security levels in each application, it would be almost impossible.

  Q: how is Cisco AVS Firewall application differs by a network firewall?

  A. The Cisco AVS 3120 and Firewall network such as the Firewall of Cisco PIX® and Cisco ASA 5500 Series Adaptive Security appliances are complementary products. The application Cisco AVS Firewall secures Web applications; excellent network in the network security firewall. and the Cisco AVS provides defense in depth for Web applications.

  Firewall network apply policy networks, IP addresses and ports; they have a wide range of application for many different protocols layer features. The firewall can and will be deployed in many locations, including the edge, edge of the enterprise network, branch, etc. Cisco AVS imposed the policy on data HTTP as URL, headers and parameters. Cisco AVS is deployed in the data center in front of Web applications

  Concerning

  Farrukh

• Block P2P software using the ASA-AIP-SSM-20 module

  Hello

  I have a question about blocking P2P traffic on ASA AIP module. I've searched the forums and all I could find were solutions using regex, port block, MPF, but no example of implementation of AIP.

  Could someone point me in the right direction please?

  Thank you very much

  Martin

  Hello

  You can find all the associated p2p signatures in:

  http://Tools.Cisco.com/Security/Center/home.x

  A search using Signatures, p2p, all. Then, you can set the respective signatures to your needs.

  SPSP

• (ASA) AIP - SSM 10 Inline; Supreme events?

  A 5520 ASA with SSM-10 GOAL is set to inline mode, but the events of the show for 2 hours (sensor > HS event past 02:00) of the Interior of the sensor shows and "promicuous mode", "left promicuous mode'."

  This AIP SSM - 10 has only one gig0/0 and gig0/1 where o/o is taken out of service and a value default virtual sensor (vs0) is assigned to gig0/1. I see the statistics (sensor > sh SEO-engine of analysis) to gig0/1 so I collect statistics.

  If the configuration of the ASA 5520 has the following policy of inline and events log shows that enter and exit in promiscuous mode so how do I check if I am inspection/recovery in inline mode?

  (ASA > sh run access-list IPS)

  IPS list extended access permitted ip DMZ 255.255.255.0 26.26.1.0 255.255.255.0

  (ASA > sh run | b class-map)

  class-map IPS

  corresponds to the IP access list

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the netbios

  inspect the rsh

  inspect the rtsp

  inspect the skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect the tftp

  inspect the sip

  inspect xdmcp

  inspect the waas

  inspect the icmp

  class IPS

  IPS inline help

  !

  global service-policy global_policy

  (sensor > sh interfaces)

  ...

  Statistics interface GigabitEthernet0/1 MAC

  Function of interface = interface detection

  Description =

  Support type = backplane

  By default Vlan = 0

  Inline = unpaired mode

  Pair of status = n/a

  Circumvention of Capable hardware = no.

  Twin derivation material = n/a

  Link status = upwards

  Link speed = Auto_1000

  Link Duplex = Auto_Full

  Lack of Packet percentage = 0

  Total packets received = 95044

  Total number of bytes received = 8715230

  Total multicast packets received = 0

  Total of broadcast packets received = 0

  Total fat packets received = 0

  Total sousdimensionnés packets received = 0

  Receive the total errors = 0

  Receive FIFO overruns total = 0

  Total packets transmitted = 95044

  Total number of bytes sent = 9047702

  Total multicast packets sent = 0

  Total broadcast packets sent = 0

  Total fat transmitted packets = 0

  Total packets transmitted sousdimensionnés = 0

  Total transmit errors = 0

  Total transmit FIFO overruns = 0

  sensor > sh events last 02:00

  evStatus: eventId = 1203360411830836145 = Cisco vendor

  Author:

  login host: ASA2_IPS

  appName: kernel

  appInstanceId:

  time: 2008-02-20 19:01:46 2008/02/20 19:01:46 UTC

  syslogMessage:

  Description: device ge0_1 entered promiscuous mode

  evStatus: eventId = 1203360411830836146 = Cisco vendor

  Author:

  login host: ASA2_IPS

  appName: kernel

  appInstanceId:

  time: 2008-02-20 19:01:53 2008/02/20 19:01:53 UTC

  syslogMessage:

  Description: the promiscuous mode device ge0_1 left

  The left State events and entered promiscuous mode are usually generated when you do a 'package of display' or 'the capture of packets' command on the CLI of the sensor.

  Track order of the package is promiscuity but is independent of promiscuity or inline followed by analysis of the probe engine.

  If you have inline monitoring using the probe analysis engine.

  And still make command package to the cli for your own monitoring promiscuity of those same packets. Here are 2 independent monitors of the same packages.

  If I remember right inline monitored packets always get returned to the ASA (unless expressly denied), which is not promiscuous packets. So check sensors gig0/1 interface statistics and the number of packets for transmission. If receive and transmit accounts are quite close, then packets are monitored by the analytical engine InLine. If the number of transmission is nil or very low then the packets are likely promiscuous monitored.

  With the configuration of your ASA you are correctly configured for online tracking.

  So I don't think that you are investigating inline, and status messages are specific to your start and stop of the command 'package' on the CLI for your own independent viewing packages promiscuity.

• Getting started: ASA5520 w / AIP - SSM

  I'm trying to deploy an ASA5520 to a customer. I have no problem with the piece of implementing firewall, but I don't know where to start with the piece of IPS.

  I searched a bit on the ASA55XX & AIP - SSM, but can't seem to find much on what to do with the AIP - SSM beyond the initial Setup.

  Can someone point me to some beginners IPS documentation that focuses on the AIP - SSM?

  Thank you

  Jeff

  In my view, there is a lack of documentation on how to get the IPS module to work with the ASA. It would be nice if there was a single document on how to get IPS working module with the ASA.

  Start with the documentation of the IPS. It's just on how to configure the IPS himself module. Assign an IP address for management, set the admin password, etc..

  http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids12/index.htm

  Then go to the documentation of the SAA on how to configure ASA to send traffic to IP addresses (via a service-policy):

  http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids11/cliguide/clissm.htm#wp1033926

  There is a free viewer of IPS Cisco event offering to monitor events on the IPS. It can be downloaded from the download page of the Cisco IPS software.

  Finally, read the whitepaper SAFE on the deployment of the IPS and the setting.

  http://www.Cisco.com/en/us/NetSol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801bc111.shtml

  I hope this helps. Remember messages useful rate. Thank you!

• ASA - AIP - SSM design review

  Hello

  If anyone can offer you please, you will enjoy

  We have 2 ASA 5520 with SSM modules in. behind ASA is a CSS load balancer. This load balancer have ssl and ssl certificate installed module. communication from the internet to the VIP loadbalancer is SSL, the SSM module configured to control communication is limited because everythng is encrypted.

  communication between the LB farm and the server is not encryted, but there is no IPS inbetween. can you suggest if someone used the design below

  int 1 (public) - ASA1 - LB 1 interface (dmz) - inside (inside) ASA1 interface where all the web server resides

  Therefore, the traffic is on port 443 to the virtual IP address. Static on ASA 1forwards traffic to its dmz interface where 1 LB, then clear the 1 LB traffic goes to the inside interface where all the serverfarm web resides. by doing so, we can configure the SSM module to monitor the traffic of LB to webserverfarm since its between 2 interfaces of ASA. and also we can have access - list on ASA to allow traffic only between LB and Web servers

  This will be a concern on the performance of the ASA?

  What is a recommended design

  Thank you

  It is a valid design and it should work.

  The ASA will see traffic twice and the interface that is in front of the LB will see traffic entering the lb twice so I'm not sure that it is effective. Please check the amount of traffic will see interfaces to see if the ASAs can manage it.

  Since the LB will be the one actually pulling pages and to talk to your servers, why did you not pass by the ASA, but external users from do not by it, when speaking of LB?

  If you are worried about BACK against LB and you do not have another firewall to use so I assume that it is valid.

  I hope it helps.

  PK

• Replication of configuration ASA AIP - SSM

  People,

  The AIP - SSM replicates another AIP - SSM ASA/standby configuration?

  I mean, when I change the configuration on the AIP/SSM assets, will change bring replicated to the other AIP - SSM?

  Thank you

  Yes, unfortunately all the IP addresses are the same. Configuration duplicate automatically 1 unit to another.

  Please kindly marks the message as answered if you have any other question. Thank you...

• Rules of politics on the ASA AIP - SSM services

  Salvation of the forumers

  I have an ASA with AIP - SSM. I want to protect the LAN private outside the internet attack.

  I would check the meaning of the ACL on ASDM firewall > policy of Service rule

  1. am I right to set the source: external interface, destination: 172.16.0.2

  or 2. destination value: 10.10.0.0 / 16

  Thank you

  Noel

  To respond to your request in simple just do your Service policy with the IP address that is seen by the firewall. If the IP address 10.10.0.0/16 are natted on the router with 172.16.0.2, then all IP addresses, hit on the firewall will be 172.16.0.2 so make your destination with 172.16.0.2 else if the natting is on the firewall for 10.10.0.0/16 then point the destination to 10.10.0.0/16.

• Cisco ASA aip - ssm signature update

  Hello

  Is it possible to dynamically update the signatures directly from Cisco IPS? I can only find configuration guides where the IPS module queries an internal server...?

  Thank you

  Ash

  Yes, you can update IPS signature directly from cisco.com if you run IPS version 6.1 and higher.

  This is the configuration for your reference doc:

  http://www.Cisco.com/en/us/docs/security/IPS/6.1/Configuration/Guide/IDM/idm_sensor_management.html#wp2182927

• AIP - SSM in cluster

  Hello

  We have a failover cluster ASA, with 2 IPS, each in an ASA AIP - SSM. There is a way of module config mode cluster as ASA IPS, or have a configuration that is mirrored between them?

  Thank you very much.
  Better with respect to Antonello.

  Antonello;

  Configuration mirroring between the AIP-SSMs is not currently available.  You can emulate this process by copying the current configuration of the AIP - SSM active to a FTP server, change the configuration to remove the specific details of the host (IP address, etc) and then copy this configuration on the stand by AIP - SSM.

  Another option would be to invest in Cisco Security Manager (CSM) and create a shared strategy that is applied to the two AIP - SSM.

  Scott

• AIP SSM-10 - how to check traffic being passed for inspection?

  Hello

  I've implemented an AIP - SSM on our ASA5510 for the first time, as a result of this excellent guide, http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml.

  The difference between the environment used in the doco and ours are the specifications of our ASA and module, the following IOS version 8.0 (4), version ASDM is 6.1 (3), the version of the application of SSM is 5,0000 E2.

  I have followed all the steps to enable connectivity to the module of the ASDM, created the access list to allow all ip traffic to be transmitted to the inspection module, map of the class and the political map indicating promiscous mode, relief. The service policy is applied throughout the world.

  The problem I'm having is that when I try to check as indicated on the guide to the alert of events see the command on the CLI module I don't get any output, so I don't know if the traffic is passed to the module. Can someone plese help me clarify this?

  Kind regards

  Esteban

  Run 'show conf' on your AIP SSM CLI. Check interface GigabitEthernet0/1 basket of the MSS background assigned to sensor virtual vs0.

  If it does not, then run "setup" and towards the end of the installation wizard, there will be an option to change the interface and the virtual sensor configuration. Use this option to change the configuration for sensor virtual vs0 and in the interface.

  You can also run "show stat vs0 virtual sensor" to see the number of packets being crawled by vs0.

• AIP - SSM recreate the image in secondary ASA 5500 (failover) with virtual contexts

  Hello guys,.

  The scenario is as follows:

  2 ASA 5500 with virtual contexts for failover.

  The ASA elementary school has the work of the AIP-SSM20.

  ASA school (which is in active / standby) has its SSM20 AIP to work now and everything is in production.

  Someone tried to configure this 2nd AIP - SSM, changed the password and lost, so I tried to re - the image (without authorized passage recovery), but the connection fails on the TFTP server, where is the image of the AIP - SSM.

  Now questions, documentation Cisco re-imaging view orders under ASA #.

  but as this scenario has several virtual contexts the ASA # shell contains no IP address as you know (which I suppose is the reason why the ASA cannot download the image from the TFTP server) and switch to another context (ASA / admin #) re-imaging commands do not work (hw-module module 1... etc...).

  What is the solution? Is there documentation for it (with security contexts)?

  Thank you very much for reading ;) comment on possible solutions.

  Yes,

  Some things to keep in mind.

  (1) run 'debug module start' on the SAA before running the command "hw-module module 1 recover boot. This will show you the ROMMON of the MSS output as it tries to make the new image and you can look for any errors.

  (2) before trying to download from the SSM, first use a machine separate download tftp from your laptop. This will ensure the TFTP on your laptop works and confirm what directory (if any) that you can use as the file location.

  (3) if the tftp download does not SSM, then the SSM is unable to properly connect to your laptop. You need a crossover cable to connect your laptop to the SSM. If you have a crossover cable, then you could try to connect the MSS and your laptop to a small hub, or configure a new vlan on your switch with only 2 ports and connect the MSS and your computer laptop this vlan 2 port.

  (4) also try the download first at the end of the gateway to 0.0.0.0 since your laptop and the SSM will be on the same subnet. If this does not work then you can try a non-existent 30.0.0.4 address as gateway.

  (5) understand that the IP address that you specify for the MSS using the command "configure the hw-module module 1 recover" is just temporary for download. Once an image is installed, then sitting at the module and run the "setup" command in order to configure the permanent address you want ure on external port of the SSM. This address in the "setup" command can the same as that used in the command 'get the 1 hw-module module configure' or a completely new (as in your case). Just make sure that you connect to the network just to what address you give.

• The AIP - SSM to unused ASA connection interface

  Hi people,

  Perhaps, someone has already raised this issue, but I was unable to find anything relevant. We have an ASA with an unused interface (gig0/3). The sensor of the AIP - SSM is physically connected to this interface with the following IP settings:

  Sensor (192.168.2.2/30,192.168.2.1)---interface ASA (192.168.2.1/30)

  It's basically point to point connectivity, and I can reach the ASA of the sensor and the other way around.

  This design is dictated by the lack of a free port on the switch.

  Technically, it should work without any problems, but I can't seem to be able to reach the sensor. There is a switch between my PC and the sensor and the switch has the corresponding static route added. I can reach the switch sensor.

  Is there a security feature hidden I don't know that prevent communication with the sensor.

  And ACL of the sensor allows the traffic to all networks (0.0.0.0/0)

  With the sensor acl set to 0.0.0.0/0, the sensor must be allowing connectivity.

  You can use the 'View of package' command on the sensor to look at packets on the interface command and control to see if the packets are what makes the sensor.

  You say that you have a static route on your switch for the switch reach your sensor. Do you know if your PC is configured to use the switch as the computer's default router. If the PC is to use a different default router, then the other router should also the static route.

  The other possibility is that the SAA itself can be deny traffic.

  Since this is an ASA connected to the MSS interface, the traffic must be routed through the ASA. Standard firewall rules apply to this traffic. The security level of the interfaces can prevent traffic, and an ACL may be necessary in order to allow the circulation of your PC be routed to the SSM.

  NOTE: If you don't want to have to worry about roads, the other alternative is to make the network between the ASA and SSM to be an isolated network that only 2 machines know.

  You can then use PAT static to map a port on the inside of the ASA interface with the address of the SSM 443 https port and map a second port of the SAA within the interfaces to the address of the SSM SSH port.

  How your home PC would simply plug the ASA IP using these specific ports and the ASA would do the translation of port and transmit on the MSS.

  The SSM address could also be dynamically PAT would have on the SAA within the address, so SSM could start the connection to other machines on the inside network.

  Another alternative if you have addresses available on your inside network IP is to use static NAT instead of PAT. And just go forward and has the ASA statically map an IP network on IP of the SSM on the network that only the ASA and the SSM inside could know.

  In both cases the network between the ASA and SSM would not routable at, and you wouldn't have to worry of reproducing static routes anywhere.

  SIDE NOTE: A separate network for the SSM you Becase you will also need to NAT or PAT address of the SSM for the ASA to outside interface. In this way the SSM will be able to connect to Internet to download cisco.com auto updates, and/or pull overall correlation of servers cisco information. It's probably the same configuration that you would already other internal addresses, and just to be sure, you cover the SSM since you have it on a separate subnet.

• New deployment with the ASA and AIP - SSM module

  Hi guys and girls,

  I think to deploy an ASA with IPS module AIP - SSM to my perimeter. I'm going to use / * Style Definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 à 5.4pt 0 à 5.4pt ; mso-para-margin : 0 ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;} Cisco IPS Manager Express (IME) to monitor the IP addresses to monitor the ASA. I have no plans on deploying a device IDS.

  Question: The IME is designed to send notices to the subject of threats? What are some of the configurations in your network? (Just prick with the last question.)

  THX...

  IME is designed only for IPS monitor (whether it be IPS appliance, module AIP - SSM on ASA or other module IPS). IME is not able on the control of ASA.

  EMI can provide advice by email about events which are fires on the IPS, while the IPS itself cannot. EMI may also keep all the events triggered by the IPS, while SPI buffer is small enough, that so if you have huge demonstrations, the buffer gets replaced pretty quickly.

  Here is more information about IME, if you are interested:

  http://www.Cisco.com/en/us/products/ps9610/index.html