Redundant replication AIP SSM - 20 Config?

I have two ASA in a redundant configuration. Each of them has a PURPOSE SSM-20 in. If I make changes to the SSM-20 'live' is there a way to write the config more than the ASA which is in standby mode?

SSM-20 before need to have its own unique IP address or can she share address of the SSM "primary"?

NO.. configs are not replicated for SSM... CSCsb61072 has been filed for this

SSM-20 secondary cannot share primary IP address or vice versa

Tags: Cisco Security

Similar Questions

  • Replication of configuration ASA AIP - SSM

    People,

    The AIP - SSM replicates another AIP - SSM ASA/standby configuration?

    I mean, when I change the configuration on the AIP/SSM assets, will change bring replicated to the other AIP - SSM?

    Thank you

    Yes, unfortunately all the IP addresses are the same. Configuration duplicate automatically 1 unit to another.

    Please kindly marks the message as answered if you have any other question. Thank you...

  • Updated AIP-SSM-10 on ASA 5510

    Hello

    I want to upgrade the IPS module in an ASA 5510, and I have a few questions. The AIP - SSM is running E3 479.0 1.0000 and I have a valid account of the ORC etc for this.

    1. What is the version of the software on the question of the ASA?
    2. When I look in the software downloads< ips="" there="" are="" .pkg="" and="" .img="" files.="" i="" want="" to="" upgrade="" to="" 6.3(3)e4.="" do="" i="" have="" to="" re-image="" the="" ips="">
    3. AFAIK redefinition to wipe the device so I just reload the config after, right?
    4. I guess I can apply any update after going to E4?
    5. Can you give me links for this upgrade?

    see you soon

    Let me give some clarification on a few points:

    2. There is no need to recreate the image on the device using the .img file.  You can improve the mechanism of maintenance of your existing configuration using the .pkg file.  It is the recommended method for upgrading to Cisco IPS devices/modules.  The .img file to recreate the image should only be used to restore the default device.

    5 here are links for the upgrade of the probe using a .pkg file.  For updates through the IDM user interface:

    http://www.Cisco.com/en/us/docs/security/IPS/6.2/configuration/guide/IDM/idm_sensor_management.html#wp2126670

    For upgrades via the CLI:

    http://www.Cisco.com/en/us/docs/security/IPS/6.2/configuration/guide/CLI/cli_system_images.html#wp1142504

    Another point of clarification; current releases of IPS software supported on the AIP-SSM-10 are (taking into account you are currently running 6.2 (1) E3):

    6.2 (3) E4

    7.0 (4) E4

    You can go directly to each output.

    Scott

  • AIP - SSM maintenance of Configuration in Active mode Stdby

    So, I'm pretty new to the AIP - SSM but not for the ASA. It seems that very few of the AIP module configuration gets copied to the AIP Stdby, nothing else that what appears in the config of the ASA (ACL, etc.). Thus, all elements of specific configuration for the module itself must be manually reproduced on Stdby module, either entered hand or config copies moved between the two?

    Planned in the future.

  • AIP SSM and virtual devices

    I just put in place a module AIP SSM in an ASA 5520 with a unique security context.

    Do I need to configure virtual devices in this case? or I can use the VS0 default? In the documentation of the IPS, he says "You can't change the definition of signature, rules of action event or anomaly detection policies." for the default virtual sensor (VS0), which is the only virtual sensore I.

    Can someone clarify what this means? It somehow restrict the usefulness of the IPS if I do not set up a separate VS?

    Thank you very much.

    A single sensor vs0 virual is very good, especially when only a single surveillance security context.

    The statement do not change the definition of signature, event actions or policies of anomaly detection rules can be a little misleading.

    What he's trying to say, is that you cannot create ad1, regles1, and any new polcies sig1 and try to apply them to vs0. The vs0 default must use sig0, rules0 and ad0.

    If you have created a new vs1, then you can apply the new policies like sig1 and regles1 ad1 to this new vs1.

    This does NOT mean that you cannot make changes to config in sig0, rules0 and ad0.

    So feel free to make configuration changes to sig0, rules0 and ad0 to fine-tune how your vs0 should handle the traffic.

    It's just the names of politicians who cannot be changed when you use vs0.

  • AIP SSM w / failover

    Hi all

    I will implement an AIP SSM module with active failover / standby. Someone did this configuration? The ASA active will replicate the IPS config to forward ASA? I'm looking for documentation on the cisco site, but I have not found.

    TKS

    Unlike the ASA... SSM Modules are not replicated configs there to each other... they are treated as separate units, you must manually set time Modules

    Refer... http://www.Cisco.com/en/us/docs/security/IPS/5.1/Configuration/Guide/CLI/cliSSM.html#wpxref34736

    See if that helps!

  • Configuration of AIP SSM to monitor only

    Hi all

    We bought an AIP-SSM-20 for our ASA5520. Is there a way to enable the IPS feature, but not block anything, i.e. just record events? It's just to see if any legitimate business traffic will be blocked.

    Thank you!

    Jacques

    Set the ASA to send traffic to IP addresses in promiscuous mode by using the following command in a sheet of policy:

    IPS hostname(config-pmap-c) # {inline | promiscuity} {failure-closing |}

    rescue} [sensor {sensor_name | mapped_name}]

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/Getting_started/asa5500/quick/guide/aipssm.html

    Geroge

  • AIP - SSM in cluster

    Hello

    We have a failover cluster ASA, with 2 IPS, each in an ASA AIP - SSM. There is a way of module config mode cluster as ASA IPS, or have a configuration that is mirrored between them?

    Thank you very much.
    Better with respect to Antonello.

    Antonello;

    Configuration mirroring between the AIP-SSMs is not currently available.  You can emulate this process by copying the current configuration of the AIP - SSM active to a FTP server, change the configuration to remove the specific details of the host (IP address, etc) and then copy this configuration on the stand by AIP - SSM.

    Another option would be to invest in Cisco Security Manager (CSM) and create a shared strategy that is applied to the two AIP - SSM.

    Scott

  • Backup of AIP SSM

    Hi all

    recommend the best way to save the AIP SSM Module.  is it possible to automate it?

    Thank you

    If you use Cisco Security Manager, it'll keep a copy of the working configuration that can be redeployed to a replacement sensor.

    If this isn't the case, you can always make a screenshot of the output of "show config" CLI.

    Sticky which in a spare sensor will restore your config, just like a switch or a Cisco router.

    There are a lot of scripts that are available for this for routers, edit them to change the "show run" command to "show config" would be pretty easy.

    -Bob

  • Question on the CSC - ssm modules and aip - ssm in the ASA5500

    Is it true that the CSC - ssm and aip - ssm modules cannot coexist in the device of ASA5500 at the same time?

    Another issue is the site of cisco using the command keyword intra-interface involving NO IPSEC TRAFFIC, there are example of config/example

    It is true that the CSC - ssm and aip - ssm modules cannot coexist in the device of ASA5500 at the same time.

    It is not a sample configuration partitions on the spot yet. However, outside the control of the same security, you must the ordinary rule of translation to pass traffic. Also, because of the dynamic nature, it allows only one-way traffic. For example:

    NAT (inside) 10 192.168.1.0 255.255.255.0

    Global interface (10 Interior)

    Global (ouotside) 10 interface (is not required however)

    Sincerely,

    ~ AJ

  • ASA 5520 with AIP - SSM

    Dear all,

    I'm in the process of implantation of the product above of title to one of the clients.

    I am very familiar with the configuration of the firewall, but the module AIP - SSM is than I do the first time.

    Please I need your help to do the configuration.

    Is it possible by using ASDM to configure, if yes please give me the steps and procedures to complete the work

    Thanks in advance

    Swamy

    Hi S,

    Very easy:

    Connect to the ASA, activate mode and then connect to the IPS via the command "session 1".

    You are then connected to the console of the IPS. Enter the user name "cisco" and the password "cisco" and run the Setup program for the basic config (address IP etc). After that, you can either connect directly on IP addresses via a web browser or through ASDM.

    Then I recommend you read the setup guide for IP addresses that it can be very intense (configuration/tweaking signatures etc.)

    I hope this helps!

    See you soon

    JC

  • AIP - SSM 40-level question.

    Hello

    I am trying to upgrade the AIP - SSM software file 'IPS - K9 - 6.0 - 6 - E4' in 'IPS-engine-E4-req-7.0-2 '. But it is not allow.

    "Could not pass the software on the sensor.

    Level the current signature is S698. The current level of the signature must be less than S480 for this installation package. »

    So I tried to update the signature file less than S480, "IPS-GIS-S460-req-E3".

    "Can not upgrade the sensor software be"
    This update can be installed on the sensor with and the version of the 3 engine.

    The currently installed engine version is 4.

    There is no signature file in cisco downloads less S480 in version 4 engine.

    See the version

    AIP - SSM # sho version

    Application partition:

    Cisco Intrusion Prevention System, Version 6,0000 E4

    Host:

    Domain keys key1.0

    Definition of signature:

    Update of the signature S698.0 2013-02-19

    OS version: 2.4.30 - IDS-smp-bigphys

    Platform: ASA-SSM-40

    Serial number:

    License expires: November 3, 2013 UTC

    Sensor time is 3 days.

    Using 4203216896 bytes of available memory (24% of use) 1045143552

    application data using 41.4 M off 167.8 M bytes of disk space available (26% of use)

    startup is using 37.8 M off 70.5 M bytes of disk space available (57% of use)

    MainApp N-NUBRA_2009_JUL_15_01_10_6_0_5_57 (Ipsbuild) 2009-07 - 15 T 01: 15:08 - 0500 Running

    AnalysisEngine NO-NUBRA_E4_2010_MAR_24_22_44_6_0_6 (Ipsbuild) 2010-03 - 24 T 22: 47:53 - 0500 Running

    CLI N-NUBRA_2009_JUL_15_01_10_6_0_5_57 (Ipsbuild) 2009-07 - 15 T 01: 15:08 - 0500

    Upgrade history:

    * IPS - K9 - 6.0 - 6 - E4 21:14:06 UTC Wednesday, March 24, 2010

    IPS-GIS-S698-req - E4.pkg 15:44:43 UTC Sunday, February 24, 2013

    Version 1.1 - 6, 0000 E4 recovery partition

    ____________________________________________________________________________

    Any help will be much appreciated... Thanks in advance.

    Liénard

    If you try the software version Upgrade, try to use the IPS-K9-7, 0-2 - E4.pkg instead of the engine update package.

  • Cisco ASA 5510 + license + AIP - SSM

    Hello.

    I have this box.

    I have a few questions about it.

    (1) I'll be able to update the firmware (from 8.2 to 8.3 or greater for example) without smarnet for ASA 5510? And what can not do without smartnet?

    (2) I have only AIP-SSM-10 module this ASA 5510. is there a smartnet, too? And when I buy only one module is it build in a subscription for 1 year for the signatures of the IPS?

    (3) if I have the Cisco ASA 5510 base license, my IPS on AIP-SSM-10 will work?

    (4) as I foresee in a purchase of the year a 5510 more with the same module and mount ther of failover. I really need license Security more than failover (active / standby)? For active/active, I know I need one, Yes?

    Please help me.

    (1) you must Smartnet in order to download the software from the download from cisco.com site.

    (2) Yes, there is also a smartnet for the AIP module. Module AIP does not come with one year subscription, but you can ask for a demo license.

    (3) Yes, the basic license is OK for the AIP module.

    (4) Yes, you would need license security more on the two ASA to be able to run any type of failover on ASA5510.

    Hope that answers your questions.

  • Getting started: ASA5520 w / AIP - SSM

    I'm trying to deploy an ASA5520 to a customer. I have no problem with the piece of implementing firewall, but I don't know where to start with the piece of IPS.

    I searched a bit on the ASA55XX & AIP - SSM, but can't seem to find much on what to do with the AIP - SSM beyond the initial Setup.

    Can someone point me to some beginners IPS documentation that focuses on the AIP - SSM?

    Thank you

    Jeff

    In my view, there is a lack of documentation on how to get the IPS module to work with the ASA. It would be nice if there was a single document on how to get IPS working module with the ASA.

    Start with the documentation of the IPS. It's just on how to configure the IPS himself module. Assign an IP address for management, set the admin password, etc..

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids12/index.htm

    Then go to the documentation of the SAA on how to configure ASA to send traffic to IP addresses (via a service-policy):

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids11/cliguide/clissm.htm#wp1033926

    There is a free viewer of IPS Cisco event offering to monitor events on the IPS. It can be downloaded from the download page of the Cisco IPS software.

    Finally, read the whitepaper SAFE on the deployment of the IPS and the setting.

    http://www.Cisco.com/en/us/NetSol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801bc111.shtml

    I hope this helps. Remember messages useful rate. Thank you!

  • Help configuration AIP - SSM

    I have two questions about the AIP - SSM.

    (1) is the ACL in AIP - SSM has any type of relations to the ASA ACL?

    2) our four interfaces are all used. Is it possible to assign the SSM an IP address in the same subnet as the management interface?

    (3) should then the management interface serve as a gateway for the SSM?

    interface GigabitEthernet0/0

    nameif outside

    security-level 0

    IP address 65.x.x.1 255.255.255.0 watch 65.x.x.2

    !

    interface GigabitEthernet0/1

    nameif dmz

    security-level 50

    IP address 172.16.x.1 255.255.255.0 watch 172.16.x.2

    !

    interface GigabitEthernet0/2

    nameif inside

    security-level 100

    IP address 255.255.255.0 192.168.x.1 watch 192.168.x.2

    !

    interface GigabitEthernet0/3

    STATE/LAN failover Interface Description

    !

    interface Management0/0

    Speed 100

    full duplex

    nameif management

    security-level 100

    IP address 10.0.x.1 255.255.255.0 watch 10.0.x.2

    management only

    Here are the answers to your questions-

    (1) is the ACL in AIP - SSM has any type of relations to the ASA ACL?

    No of years) ACL on SSM is completely independent of the ACLs on the ASA.

    2) our four interfaces are all used. Is it possible to assign the SSM an IP address in the same subnet as the management interface?

    VNA) absolutely. You can assign the SSM management port IP address in the same subnet as your managemnet interface. In this way, all management traffic will remain independent of normal DATA traffic.

    (3) should then the management interface serve as a gateway for the SSM?

    VNA) you're right... :-)

    Hope that helps.

    Kind regards

    Maryse.

Maybe you are looking for