Redundant AIP-SSM-20 config replication?
I have two ASAs in a redundant configuration. Each of them has an AIP-SSM-20 in it. If I make changes to the 'live' SSM-20, is there a way to write the config over to the ASA which is in standby mode?
Does the SSM-20 need to have its own unique IP address, or can it share the address of the "primary" SSM?
NO.. configs are not replicated for SSM... CSCsb61072 has been filed for this
SSM-20 secondary cannot share primary IP address or vice versa
-
Replication of configuration between ASA AIP-SSMs
People,
Does the AIP-SSM replicate its configuration to the other AIP-SSM in an ASA active/standby configuration?
I mean, when I change the configuration on the active AIP-SSM, will the change be replicated to the other AIP-SSM?
Thank you
Yes, unfortunately all the IP addresses are the same. The configuration duplicates automatically from one unit to another.
Please kindly mark the message as answered if you have any other question. Thank you...
-
Updated AIP-SSM-10 on ASA 5510
Hello
I want to upgrade the IPS module in an ASA 5510, and I have a few questions. The AIP - SSM is running E3 479.0 1.0000 and I have a valid account of the ORC etc for this.
- What is the version of the software on the question of the ASA?
- When I look in the software downloads < IPS there are .pkg and .img files. I want to upgrade to 6.3(3)E4. Do I have to re-image the IPS?
- AFAIK re-imaging wipes the device, so I just reload the config afterwards, right?
- I guess I can apply any update after going to E4?
- Can you give me links for this upgrade?
see you soon
Let me give some clarification on a few points:
2. There is no need to re-image the device using the .img file. You can upgrade while maintaining your existing configuration by using the .pkg file. This is the recommended method for upgrading Cisco IPS devices/modules. Re-imaging with the .img file should only be used to restore the device to its defaults.
5. Here are links for upgrading the sensor using a .pkg file. For upgrades through the IDM user interface:
For upgrades via the CLI:
Another point of clarification: the current releases of IPS software supported on the AIP-SSM-10 are (taking into account that you are currently running 6.2(1)E3):
6.2(3)E4
7.0(4)E4
You can upgrade directly to either release.
Scott
-
AIP-SSM configuration maintenance in Active/Standby mode
So, I'm pretty new to the AIP-SSM but not to the ASA. It seems that very little of the AIP module configuration gets copied to the standby AIP, nothing other than what appears in the config of the ASA (ACLs, etc.). So all configuration elements specific to the module itself must be manually reproduced on the standby module, either entered by hand or by copying config files between the two?
Planned in the future.
-
I just put in place a module AIP SSM in an ASA 5520 with a unique security context.
Do I need to configure virtual sensors in this case, or can I use the default VS0? In the IPS documentation, it says "You can't change the definition of signature, rules of action event or anomaly detection policies." for the default virtual sensor (VS0), which is the only virtual sensor I.
Can someone clarify what this means? Does it somehow restrict the usefulness of the IPS if I do not set up a separate VS?
Thank you very much.
A single virtual sensor vs0 is just fine, especially when monitoring only a single security context.
The statement that you can't change the signature definition, event action rules, or anomaly detection policies can be a little misleading.
What it's trying to say is that you cannot create any new policies sig1, rules1, and ad1 and try to apply them to vs0. The default vs0 must use sig0, rules0 and ad0.
If you have created a new vs1, then you can apply new policies like sig1, rules1 and ad1 to this new vs1.
This does NOT mean that you cannot make changes to config in sig0, rules0 and ad0.
So feel free to make configuration changes to sig0, rules0 and ad0 to fine-tune how your vs0 should handle the traffic.
It's just the names of the policies that cannot be changed when you use vs0.
-
Hi all
I will implement an AIP-SSM module with active/standby failover. Has anyone done this configuration? Will the active ASA replicate the IPS config to the standby ASA? I've looked for documentation on the Cisco site, but I have not found any.
TKS
Unlike the ASA... SSM modules do not replicate their configs to each other... they are treated as separate units; you must manually configure the modules
Refer... http://www.Cisco.com/en/us/docs/security/IPS/5.1/Configuration/Guide/CLI/cliSSM.html#wpxref34736
See if that helps!
-
Configuration of AIP SSM to monitor only
Hi all
We bought an AIP-SSM-20 for our ASA5520. Is there a way to enable the IPS feature, but not block anything, i.e. just record events? It's just to see if any legitimate business traffic will be blocked.
Thank you!
Jacques
Set the ASA to send traffic to the IPS in promiscuous mode by using the following command in a policy map:
hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]
http://www.Cisco.com/en/us/docs/security/ASA/asa80/Getting_started/asa5500/quick/guide/aipssm.html
Geroge
-
Hello
We have an ASA failover cluster with 2 IPS, each an AIP-SSM in an ASA. Is there a way to configure the IPS modules in cluster mode like the ASA, or to have a configuration that is mirrored between them?
Thank you very much.
Best regards, Antonello.
Antonello;
Configuration mirroring between the AIP-SSMs is not currently available. You can emulate this process by copying the current configuration of the active AIP-SSM to an FTP server, changing the configuration to remove the host-specific details (IP address, etc.) and then copying this configuration to the standby AIP-SSM.
Another option would be to invest in Cisco Security Manager (CSM) and create a shared policy that is applied to the two AIP-SSMs.
Scott
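An added example, not part of the original posts and not Cisco tooling: since the modules do not mirror their configuration, saved "show configuration" output from both can be compared for drift once the host-specific lines mentioned in the answer above are set aside. The sample config is constructed, and treating host-ip and host-name as the host-specific settings is an assumption.

```python
import difflib

# Assumption: the per-module settings ("IP address, etc.") under "service host".
HOST_SPECIFIC_KEYS = ("host-ip", "host-name")

def strip_host_specific(config_text):
    """Return config lines without comments or per-module host settings."""
    kept, in_host = [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blanks and "!" banner/comment lines
        if line.startswith("service "):
            in_host = line == "service host"  # track the current section
        if in_host and line.split()[0] in HOST_SPECIFIC_KEYS:
            continue
        kept.append(line)
    return kept

def config_drift(active_text, standby_text):
    """Lines that differ between two modules once host settings are ignored."""
    diff = difflib.unified_diff(strip_host_specific(active_text),
                                strip_host_specific(standby_text),
                                "active", "standby", lineterm="", n=0)
    return [d for d in diff
            if d[0] in "+-" and not d.startswith(("+++", "---"))]

# Constructed sample in the style of "show configuration" output.
ACTIVE = """\
! Version 6.0(6)
service host
network-settings
host-ip 10.0.0.11/24,10.0.0.1
host-name ips-active
exit
exit
service event-action-rules rules0
overrides deny-packet-inline
risk-rating-range 90-100
exit
exit
"""
# Constructed standby copy: different host identity plus one policy change.
STANDBY = (ACTIVE.replace("10.0.0.11", "10.0.0.12")
                 .replace("ips-active", "ips-standby")
                 .replace("90-100", "95-100"))

if __name__ == "__main__":
    print("\n".join(config_drift(ACTIVE, STANDBY)))
```

An empty result means the two modules carry the same policy; any line reported is a setting that was changed on one module and not reproduced on the other.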
-
Hi all
Please recommend the best way to back up the AIP-SSM module. Is it possible to automate it?
Thank you
If you use Cisco Security Manager, it'll keep a copy of the working configuration that can be redeployed to a replacement sensor.
If this isn't the case, you can always take a screen capture of the output of the "show config" CLI command.
Pasting that into a spare sensor will restore your config, just like a Cisco switch or router.
There are a lot of scripts available for this for routers; editing them to change the "show run" command to "show config" would be pretty easy.
-Bob
-
Question on the CSC - ssm modules and aip - ssm in the ASA5500
Is it true that the CSC - ssm and aip - ssm modules cannot coexist in the device of ASA5500 at the same time?
Another question: is there a config example on the Cisco site using the intra-interface command keyword involving non-IPsec traffic?
It is true that the CSC-SSM and AIP-SSM modules cannot coexist in the ASA5500 device at the same time.
There is not a sample configuration posted on the site yet. However, besides the same-security command, you need the ordinary translation rule to pass traffic. Also, because of its dynamic nature, it allows only one-way traffic. For example:
nat (inside) 10 192.168.1.0 255.255.255.0
global (inside) 10 interface
global (outside) 10 interface (not required, however)
Sincerely,
~ AJ
-
Dear all,
I'm in the process of implementing the product in the title above for one of our clients.
I am very familiar with the configuration of the firewall, but the AIP-SSM module is something I am doing for the first time.
Please, I need your help to do the configuration.
Is it possible to configure it using ASDM? If yes, please give me the steps and procedures to complete the work.
Thanks in advance
Swamy
Hi S,
Very easy:
Connect to the ASA, enter enable mode and then connect to the IPS via the command "session 1".
You are then connected to the console of the IPS. Enter the user name "cisco" and the password "cisco" and run the setup program for the basic config (IP address etc). After that, you can connect to the IPS either directly via a web browser or through ASDM.
Then I recommend you read the configuration guide for the IPS, as it can be very intense (configuration/tweaking signatures etc.)
I hope this helps!
See you soon
JC
-
AIP-SSM-40 upgrade question.
Hello
I am trying to upgrade the AIP-SSM software from 'IPS-K9-6.0-6-E4' to 'IPS-engine-E4-req-7.0-2'. But it is not allowed.
"Cannot upgrade the software on the sensor.
The current signature level is S698. The current signature level must be less than S480 for this package to install."
So I tried to update to a signature file lower than S480, "IPS-sig-S460-req-E3".
"Cannot upgrade the software on the sensor.
This update can only be installed on a sensor with engine version 3. The currently installed engine version is 4."
There is no signature file lower than S480 for engine version 4 in the Cisco downloads.
See the version
AIP-SSM# sho version
Application Partition:
Cisco Intrusion Prevention System, Version 6.0(6)E4
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S698.0 2013-02-19
OS Version: 2.4.30-IDS-smp-bigphys
Platform: ASA-SSM-40
Serial Number:
License expires: November 3, 2013 UTC
Sensor up-time is 3 days.
Using 1045143552 out of 4203216896 bytes of available memory (24% usage)
application-data is using 41.4M out of 167.8M bytes of available disk space (26% usage)
boot is using 37.8M out of 70.5M bytes of available disk space (57% usage)
MainApp N-NUBRA_2009_JUL_15_01_10_6_0_5_57 (Ipsbuild) 2009-07-15T01:15:08-0500 Running
AnalysisEngine NO-NUBRA_E4_2010_MAR_24_22_44_6_0_6 (Ipsbuild) 2010-03-24T22:47:53-0500 Running
CLI N-NUBRA_2009_JUL_15_01_10_6_0_5_57 (Ipsbuild) 2009-07-15T01:15:08-0500
Upgrade History:
* IPS-K9-6.0-6-E4 21:14:06 UTC Wednesday, March 24, 2010
IPS-sig-S698-req-E4.pkg 15:44:43 UTC Sunday, February 24, 2013
Recovery Partition Version 1.1 - 6.0(6)E4
____________________________________________________________________________
Any help will be much appreciated... Thanks in advance.
Liénard
If you are trying to upgrade the software version, try using IPS-K9-7.0-2-E4.pkg instead of the engine update package.
-
Cisco ASA 5510 + license + AIP - SSM
Hello.
I have this box.
I have a few questions about it.
(1) Will I be able to update the firmware (from 8.2 to 8.3 or greater, for example) without Smartnet for the ASA 5510? And what can I not do without Smartnet?
(2) I have only an AIP-SSM-10 module in this ASA 5510. Is there a Smartnet for it, too? And when I buy only the module, does it have a built-in 1-year subscription for the IPS signatures?
(3) If I have the Cisco ASA 5510 base license, will my IPS on the AIP-SSM-10 work?
(4) Within the year I plan to purchase one more 5510 with the same module and set them up for failover. Do I really need the Security Plus license for failover (active/standby)? For active/active, I know I need one, yes?
Please help me.
(1) You need Smartnet in order to download the software from the cisco.com download site.
(2) Yes, there is also a Smartnet for the AIP module. The AIP module does not come with a one-year subscription, but you can ask for a demo license.
(3) Yes, the base license is OK for the AIP module.
(4) Yes, you would need the Security Plus license on both ASAs to be able to run any type of failover on the ASA5510.
Hope that answers your questions.
-
Getting started: ASA5520 w / AIP - SSM
I'm trying to deploy an ASA5520 to a customer. I have no problem with the piece of implementing firewall, but I don't know where to start with the piece of IPS.
I searched a bit on the ASA55XX & AIP - SSM, but can't seem to find much on what to do with the AIP - SSM beyond the initial Setup.
Can someone point me to some beginners IPS documentation that focuses on the AIP - SSM?
Thank you
Jeff
In my view, there is a lack of documentation on how to get the IPS module to work with the ASA. It would be nice if there was a single document on how to get the IPS module working with the ASA.
Start with the IPS documentation. It's just about how to configure the IPS module itself. Assign an IP address for management, set the admin password, etc.
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids12/index.htm
Then go to the ASA documentation on how to configure the ASA to send traffic to the IPS (via a service-policy):
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids11/cliguide/clissm.htm#wp1033926
There is a free Cisco IPS Event Viewer available to monitor events on the IPS. It can be downloaded from the Cisco IPS software download page.
Finally, read the SAFE whitepaper on IPS deployment and tuning.
I hope this helps. Remember to rate useful messages. Thank you!
-
I have two questions about the AIP - SSM.
(1) Does the ACL in the AIP-SSM have any type of relation to the ASA ACL?
(2) Our four interfaces are all used. Is it possible to assign the SSM an IP address in the same subnet as the management interface?
(3) should then the management interface serve as a gateway for the SSM?
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 65.x.x.1 255.255.255.0 standby 65.x.x.2
!
interface GigabitEthernet0/1
nameif dmz
security-level 50
ip address 172.16.x.1 255.255.255.0 standby 172.16.x.2
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
speed 100
duplex full
nameif management
security-level 100
ip address 10.0.x.1 255.255.255.0 standby 10.0.x.2
management-only
Here are the answers to your questions-
(1) Does the ACL in the AIP-SSM have any type of relation to the ASA ACL?
Ans) No. The ACL on the SSM is completely independent of the ACLs on the ASA.
(2) Our four interfaces are all used. Is it possible to assign the SSM an IP address in the same subnet as the management interface?
Ans) Absolutely. You can assign the SSM management port an IP address in the same subnet as your management interface. In this way, all management traffic will remain independent of normal DATA traffic.
(3) Should the management interface then serve as a gateway for the SSM?
Ans) You're right... :-)
Hope that helps.
Kind regards
Maryse.