Impossible mode Inline on AIP - SSM

Similar Questions

• (ASA) AIP - SSM 10 Inline; Supreme events?

  A 5520 ASA with SSM-10 GOAL is set to inline mode, but the events of the show for 2 hours (sensor > HS event past 02:00) of the Interior of the sensor shows and "promicuous mode", "left promicuous mode'."

  This AIP SSM - 10 has only one gig0/0 and gig0/1 where o/o is taken out of service and a value default virtual sensor (vs0) is assigned to gig0/1. I see the statistics (sensor > sh SEO-engine of analysis) to gig0/1 so I collect statistics.

  If the configuration of the ASA 5520 has the following policy of inline and events log shows that enter and exit in promiscuous mode so how do I check if I am inspection/recovery in inline mode?

  (ASA > sh run access-list IPS)

  IPS list extended access permitted ip DMZ 255.255.255.0 26.26.1.0 255.255.255.0

  (ASA > sh run | b class-map)

  class-map IPS

  corresponds to the IP access list

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the netbios

  inspect the rsh

  inspect the rtsp

  inspect the skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect the tftp

  inspect the sip

  inspect xdmcp

  inspect the waas

  inspect the icmp

  class IPS

  IPS inline help

  !

  global service-policy global_policy

  (sensor > sh interfaces)

  ...

  Statistics interface GigabitEthernet0/1 MAC

  Function of interface = interface detection

  Description =

  Support type = backplane

  By default Vlan = 0

  Inline = unpaired mode

  Pair of status = n/a

  Circumvention of Capable hardware = no.

  Twin derivation material = n/a

  Link status = upwards

  Link speed = Auto_1000

  Link Duplex = Auto_Full

  Lack of Packet percentage = 0

  Total packets received = 95044

  Total number of bytes received = 8715230

  Total multicast packets received = 0

  Total of broadcast packets received = 0

  Total fat packets received = 0

  Total sousdimensionnés packets received = 0

  Receive the total errors = 0

  Receive FIFO overruns total = 0

  Total packets transmitted = 95044

  Total number of bytes sent = 9047702

  Total multicast packets sent = 0

  Total broadcast packets sent = 0

  Total fat transmitted packets = 0

  Total packets transmitted sousdimensionnés = 0

  Total transmit errors = 0

  Total transmit FIFO overruns = 0

  sensor > sh events last 02:00

  evStatus: eventId = 1203360411830836145 = Cisco vendor

  Author:

  login host: ASA2_IPS

  appName: kernel

  appInstanceId:

  time: 2008-02-20 19:01:46 2008/02/20 19:01:46 UTC

  syslogMessage:

  Description: device ge0_1 entered promiscuous mode

  evStatus: eventId = 1203360411830836146 = Cisco vendor

  Author:

  login host: ASA2_IPS

  appName: kernel

  appInstanceId:

  time: 2008-02-20 19:01:53 2008/02/20 19:01:53 UTC

  syslogMessage:

  Description: the promiscuous mode device ge0_1 left

  The left State events and entered promiscuous mode are usually generated when you do a 'package of display' or 'the capture of packets' command on the CLI of the sensor.

  Track order of the package is promiscuity but is independent of promiscuity or inline followed by analysis of the probe engine.

  If you have inline monitoring using the probe analysis engine.

  And still make command package to the cli for your own monitoring promiscuity of those same packets. Here are 2 independent monitors of the same packages.

  If I remember right inline monitored packets always get returned to the ASA (unless expressly denied), which is not promiscuous packets. So check sensors gig0/1 interface statistics and the number of packets for transmission. If receive and transmit accounts are quite close, then packets are monitored by the analytical engine InLine. If the number of transmission is nil or very low then the packets are likely promiscuous monitored.

  With the configuration of your ASA you are correctly configured for online tracking.

  So I don't think that you are investigating inline, and status messages are specific to your start and stop of the command 'package' on the CLI for your own independent viewing packages promiscuity.

• transparent mode with AIP-SSM-20

  I currently have an ASA5510 routed with AIP-SSM-20 mode.

  It is necessary to use a connection in optical fiber between the ASA and ASA on the campus, so the AIP - SSM will need to be removed and replaced by the SSM - 4GE.  This section should present no problems.

  However, this will remove the IPS device, and I always want to use IPS.

  So what I think is to get another ASA5510, install the AIP - SSM, configure ASA for transparent and put it between the inside of the ASA routed and my local network.  The ASA transparent would be strictly works in the form of an IPS appliance.

  The installation program should look like this:

  Internal LAN <> ASA transparent with IPS <> routed ASA <> WAN

  The AIP - SSM can always perform with the ASA in transparent mode IPS?

  Is it possible to configure the ASA and AIP - SSM such as traffic to and from a particular server completely ignores the AIP - SSM?

  I have a couple of file servers which generate heavy traffic and can overload the AIP - SSM.

  Kind regards.

  AFAIR, it is no installation AIP in a transparent firewall problem.

  "The SAA in transparent mode can execute an agreement in principle.  In the event that the AIP fails,

  the IPS will fail-open and the ASA will continue to pass traffic.
  
  However, if an interface or cable fails, then traffic will stop.  You
  
  would need a failover pair to account for this failure event, which
  
  means another ASA and matching AIP."
  
  

  And no there is no problem to exclude certain hosts/ports/subnets inspection by IPS via MPF.

  http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/IPS.html#wp1050744

  What I consider however is however if the ASA 5510 as second level firewall for 5520 s will be enough.

  http://www.Cisco.com/en/us/products/ps6120/prod_models_comparison.html

  HTH,

  Marcin

• ASA5510 and AIP-SSM-10 module in promiscuous mode

  Hello

  I have a 5510 ASA with the AIP-SSM-10 and want to use just like an ID in promicuous mode.

  ASA 5510: ASA version 7.0 (8)

  AIP-SSM-10: IPS version 5,0000 E2

  At this point, we would like to configure a single interface of ASA to send traffic to the agreement in principle for the inspection of IDS (and continue to use our firewalls third existing). Is this possible?

  The following discussion gives to think this isn't:

  https://supportforums.Cisco.com/message/957351

  22.1.100.2/28 I have it configured on the interface Eth0/0 (outside) and 10.5.100.3/24 on the AIP - SSM management interface and switchports (Cisco 6509) have been configured by SPAN.

  Thanks for your advice in advance.

  Kind regards

  Lay

  You are right. Unfortunately, module AIP on ASA firewall does not listen on traffic SPAN. If you want that SPAN ports, then you can use the IPS (IPS 4200 series appliance) appliance that supports the SPAN traffic to inspect.

  PIX is also a firewall, not a feature of IPS, which cannot be used as an IPS device.

• AIP - SSM maintenance of Configuration in Active mode Stdby

  So, I'm pretty new to the AIP - SSM but not for the ASA. It seems that very few of the AIP module configuration gets copied to the AIP Stdby, nothing else that what appears in the config of the ASA (ACL, etc.). Thus, all elements of specific configuration for the module itself must be manually reproduced on Stdby module, either entered hand or config copies moved between the two?

  Planned in the future.

• Physical connectivity of ASA AIP - SSM

  How the physical connectivity of ASA AIP - SSM should be in the case of inline interface mode of inspection for all interfaces of the firewall. ?

  Rgds.

  Assuming that 'interface_policy' has "inline ips" in the policy, then yes your configuration is correct.

  Keep in mind that 'GigabitEthernet0/1' being assigned to vs0 is the background interface of basket of the MSS itself and should not be confused with the external interface GigabitEthernet0/1 of the SAA.

  As for using several virtual probes, it is a personal choice.

  When you use an ASA with just a single context, then usually a single virtual sensor is sufficient. It's only when you want to follow for traffic coming from firewall interfaces (or different classes of traffic) If you want to use several different virtual devices.

  However, when you use an ASA with multiple security contexts, then it is usually a good idea to go and use a virtual sensor separate from the context of the ASA.

  If you choose to use several virtual devices, you must understand that the background basket interface GigabitEthernet0/1 are only awarded to only 1 virtual sensors.

  Here is an explanation of how the other virtual sensors would get traffic:

  When packets are sent to DFS for monitoring ASA, ASA includes a special header in each packet. Special information such as the framework of the SAA whence the package, the real and NAT/PAT package addresses, and a few other things. An important field of this header is for the virtual sensor. He tells the SSM which virtual sensor must monitor this package.

  When the ASA is configured without using the names of virtual sensor, this is a virtual sensor in the package header field is blank. If the SSM sees a package with the field left blank it will check the DFS configuration to see which virtual sensor GigabitEthernet0/1 of the SSM has been assigned and that sends the packets to the virtual sensor.

  If ASA has been configured to send the packet to a specific virtual sensor (be it by adding the name of virtual sensor at the end of the "inline ips" entered configuration or by using the configuration entries "allocate ips" in the context of system configuration) then the ASA will include the virtual sensor in the header of the packet. The SSM will read in this area, and instead to send the virtual sensor where Gig0/1 is assigned, it will rather send to virtual sensor specified in the header of the packet.

  Indeed, it overrides the assignment Gig0/1 and will lead to what ever virtual sensor has been specified by the configuration of the SAA.

• silly question on module aip - ssm

  When the aip ssm module is in inline mode. fact the package first analyzed by the aip ssm module or it is first checked by the firewall rules if it is allowed and then sent to the aip ssm module.

  can someone throw some light on this.

  concerning

  Sushil

  All firewall rules are applied prior to sending the packets of the SSM.

  So if the package will be deleted by a firewall rule, the package will not be sent to the SSM.

  If the package will be changed by a firewall rule, then the change will be before being sent to the SSM.

  There are two exceptions, and this is the encryption and final release of the package.

  Encryption occurs after they are sent to the SSM, so SSM always sees a unencrypted traffic (where the ASA is encryption tunnel endpoint).

  And of course send the package by the SAA through external sound interfafes happens after the sending of the SSM.

  In the case of promiscuity, followed by the SSM, encryption and pass arrive just after that a copy is sent to the SSM.

  In the case of the line followed by the SSM, encryption and transmit occur only after that the SSM has completed the analysis and the package was not refused by the SSM.

• Configuration of AIP SSM to monitor only

  Hi all

  We bought an AIP-SSM-20 for our ASA5520. Is there a way to enable the IPS feature, but not block anything, i.e. just record events? It's just to see if any legitimate business traffic will be blocked.

  Thank you!

  Jacques

  Set the ASA to send traffic to IP addresses in promiscuous mode by using the following command in a sheet of policy:

  IPS hostname(config-pmap-c) # {inline | promiscuity} {failure-closing |}

  rescue} [sensor {sensor_name | mapped_name}]

  http://www.Cisco.com/en/us/docs/security/ASA/asa80/Getting_started/asa5500/quick/guide/aipssm.html

  Geroge

• AIP SSM-10 and tests

  In my lab, I have a new 5510 with AIP - SSM card.

  In my view, it is configured correctly to assess traffic, but I can't be sure.

  This is part of the configuration of the ASA:

  Global class-card class

  match any

  class-map inspection_default

  match default-inspection-traffic

  World-Policy policy-map

  class inspection_default

  inspect the ftp, etc.,

  Global category

  IPS inline help

  global service-policy global_policy

  I have a PC to a switch, go to the ASA (inside interface)

  The ASA outside interface goes to a VLAN separate on the switch.

  Both interfaces VLANS configured.

  Is there a command ping, or other traffic I can generate from PC that will throw an alert?

  I tried Ping s of a bogus address, but which did not cause an event.

  How will I know if the traffic actually crosses the ID?

  Thank you.

  Hello Jimmy

  Lass-map: global-class

  IPS: Status of card upward, inline mode rescue

  Package of 0 Packet output 0 0 drop, discount entry to zero - drop 0

  No package get the IPS module

  You have told me is assigned to virtual sensor 0 on the right side of the AIP - SSM?

• Cannot access the AIP SSM via ASDM

  CISCO recommendations below:

  Cannot access the AIP SSM via ASDM

  Problem:

  This error message appears on the GUI.

  Error connecting to sensor. Error Loading Sensor error

  Solution:

  Make sure that the IPS SSM management interface is up/down and check his IP address configured, default gateway and the subnet mask. It is the interface to access the software from Cisco Adaptive Security Device Manager (ASDM) on the local computer. Try to ping the address of management of IPS SSM IP interface on the local computer that you want to access the ASDM. If it is impossible to do a ping check the ACLs on the sensor

  ----------------------------------------------------------------------------------------------------------------------------------------------

  I've tried everything recommended above. I can ping the host ASDM the FW and the SSM-10 module. Well, I ping the host machine and the SSM of the ASDM. I opened as wide as possible ACL. I changed the IP addresses and masks several times. The management of the ASA port and the SSM and the PC are on the same subnet.

  A trace of package from the PC to the SSM shows that it is blocked by an ACL rule, and yet I opened wide.   I've seen this kind of problem before and it was solved by applying the double static NAT, but I don't know how to do that if all the IP addresses are on the same subnet.

  Tried everything, need help from high level.

  The IDM software that comes with ASDM does not support java 1.7. The portion of the ASDM ASA supports 1.7 but launch the IPS cmdlet works only with 1.6. The TAC enginner suggested that I use the IME (IPS Manager Express) which is available for free on the Cisco's (http://www.cisco.com/en/US/products/ps9610/tsd_products_support_general_information.html) Web site.

  I've been playing with it today, and so far it seems to work pretty well.

• AIP - SSM

  Hello

  Scenario of

  2 networks

  outside the network ALL

  inside the 192.168.1.0 network

  How can I simulate the work of AIP - SSM at the back of the firewall?

  My version.

  test access extended list permits all ip 192.168.1.0 255.255.255.0

  the class map test

  match name of group-access test

  the policy-map test

  the class test

  IPS inline help

  Expected that all comments

  Thank you

  Leo

  My expertise lies in the IPS and not the firewall. My knowledge of the firewall is quite limited in what it takes to get the packages to the SSM.

  SO I'm not sure what the ACL are applied before the decryption or after decryption.

  If you want to know at what stage the ACL are applied, you need post a message on the forum of firewall.

  I was just trying to show that all firewall features (whatever they are) would be on the package before sending it to the SSM with the exception of encryption and the final drive.

• The ACE IPS Cisco and Cisco ASA AIP - SSM (IPS)

  Is there a difference between the features offered by the Cisco ACE IPS and Cisco ASA AIP - SSM (IPS) devices?

  Can we do without Cisco ASA AIP - SSM (IPS) of 'only' configuration/implementation Cisco ACE IPS.

  Cisco AVS/ACE emphasis on commissioning and to secure web-based applications. IP addresses do not focus on just the web applications and trying to get the multiple layers of the OSI stack. Consider the IPS as a general practitioner and the ACE/AVS as an eye surgeon, or something :)

  Here is the response from Cisco itself:

  http://www.Cisco.com/en/us/prod/collateral/modules/ps2706/ps6906/prod_qas0900aecd8045867c_ps6492_Products_Q_and_A_Item.html

  Q: how is Cisco AVS Firewall application differs from an intrusion prevention system (IPS)?

  A. IPSs are solid solutions of protection against targeted attacks of known vulnerabilities in major platforms such as Windows, Solaris, Apache or Microsoft Internet Information Services (IIS). Cisco AVS excels to protect against targeted attacks Web sites or enterprise applications. These applications can be built custom internal applications or software vendor. Signatures and security patches are generally not available for these types of applications, and building these security levels in each application, it would be almost impossible.

  Q: how is Cisco AVS Firewall application differs by a network firewall?

  A. The Cisco AVS 3120 and Firewall network such as the Firewall of Cisco PIX® and Cisco ASA 5500 Series Adaptive Security appliances are complementary products. The application Cisco AVS Firewall secures Web applications; excellent network in the network security firewall. and the Cisco AVS provides defense in depth for Web applications.

  Firewall network apply policy networks, IP addresses and ports; they have a wide range of application for many different protocols layer features. The firewall can and will be deployed in many locations, including the edge, edge of the enterprise network, branch, etc. Cisco AVS imposed the policy on data HTTP as URL, headers and parameters. Cisco AVS is deployed in the data center in front of Web applications

  Concerning

  Farrukh

• AIP SSM-10 - how to check traffic being passed for inspection?

  Hello

  I've implemented an AIP - SSM on our ASA5510 for the first time, as a result of this excellent guide, http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml.

  The difference between the environment used in the doco and ours are the specifications of our ASA and module, the following IOS version 8.0 (4), version ASDM is 6.1 (3), the version of the application of SSM is 5,0000 E2.

  I have followed all the steps to enable connectivity to the module of the ASDM, created the access list to allow all ip traffic to be transmitted to the inspection module, map of the class and the political map indicating promiscous mode, relief. The service policy is applied throughout the world.

  The problem I'm having is that when I try to check as indicated on the guide to the alert of events see the command on the CLI module I don't get any output, so I don't know if the traffic is passed to the module. Can someone plese help me clarify this?

  Kind regards

  Esteban

  Run 'show conf' on your AIP SSM CLI. Check interface GigabitEthernet0/1 basket of the MSS background assigned to sensor virtual vs0.

  If it does not, then run "setup" and towards the end of the installation wizard, there will be an option to change the interface and the virtual sensor configuration. Use this option to change the configuration for sensor virtual vs0 and in the interface.

  You can also run "show stat vs0 virtual sensor" to see the number of packets being crawled by vs0.

• AIP-SSM-10 upgrade question

  I have an AIP-SSM-10 (IPS - K9 - 6.0 - 5 - E2) running inside an ASA (active failover mode / standby). I tried to put a signature update today (version S447, first time) and he said I need engine lvl 3 to update the signature and I am currently at lvl 2.

  Here's my question, what are the versions can I go to? I'm stuck with the versions of level 2 of the engine when using the AIP - SSM or can I put on until the next major release of 2.0000 E3. And is it really a good idea or not. What would you suggest?

  Also, I guess I would need to install the release .pkg file. Is this good?

  Thanks in advance!

  You can switch to the 5,0000 E3, 6,0000 E3 or one of the E3 7.0 images (x). You want the .pkg file.

  Mount the sensor in the CLI:

  conf t

  Update ftp://user:password@/ upgradefilename.pkg

  When the sensor complaines on the upgrade, just say 'yes' to go ahead in any case. This is a known bug, do not believe that the CLI.

• do not get traffic of ASA AIP-SSM-20.

  Hello

  We have Cisco ASA 5510, and we recently added Cisco AIP - SSM. We have configured the sensor and did as well as ASA also but we don't get newspapers in ADM please help me on this.

  Please find attached Sersor Configuration and version of the IPS and ASA module.

  Kind regards

  Nathalie. M

  On the SAA, you need

  access-list aip-acl extended deny ip any any
  
  class-map aip-class
  
  match access-list aip-acl
  
  policy-map global_policy
  
  class aip-class
  
    ips inline fail-open
  
  service-policy global_policy global

  so that it sends traffic to the agreement in principle for inspection.

  I hope it helps.

  PK