Reloading of the AIP - SSM

Similar Questions

• Cannot access the AIP SSM via ASDM

  CISCO recommendations below:

  Cannot access the AIP SSM via ASDM

  Problem:

  This error message appears on the GUI.

  Error connecting to sensor. Error Loading Sensor error

  Solution:

  Make sure that the IPS SSM management interface is up/down and check his IP address configured, default gateway and the subnet mask. It is the interface to access the software from Cisco Adaptive Security Device Manager (ASDM) on the local computer. Try to ping the address of management of IPS SSM IP interface on the local computer that you want to access the ASDM. If it is impossible to do a ping check the ACLs on the sensor

  ----------------------------------------------------------------------------------------------------------------------------------------------

  I've tried everything recommended above. I can ping the host ASDM the FW and the SSM-10 module. Well, I ping the host machine and the SSM of the ASDM. I opened as wide as possible ACL. I changed the IP addresses and masks several times. The management of the ASA port and the SSM and the PC are on the same subnet.

  A trace of package from the PC to the SSM shows that it is blocked by an ACL rule, and yet I opened wide.   I've seen this kind of problem before and it was solved by applying the double static NAT, but I don't know how to do that if all the IP addresses are on the same subnet.

  Tried everything, need help from high level.

  The IDM software that comes with ASDM does not support java 1.7. The portion of the ASDM ASA supports 1.7 but launch the IPS cmdlet works only with 1.6. The TAC enginner suggested that I use the IME (IPS Manager Express) which is available for free on the Cisco's (http://www.cisco.com/en/US/products/ps9610/tsd_products_support_general_information.html) Web site.

  I've been playing with it today, and so far it seems to work pretty well.

• The AIP - SSM to unused ASA connection interface

  Hi people,

  Perhaps, someone has already raised this issue, but I was unable to find anything relevant. We have an ASA with an unused interface (gig0/3). The sensor of the AIP - SSM is physically connected to this interface with the following IP settings:

  Sensor (192.168.2.2/30,192.168.2.1)---interface ASA (192.168.2.1/30)

  It's basically point to point connectivity, and I can reach the ASA of the sensor and the other way around.

  This design is dictated by the lack of a free port on the switch.

  Technically, it should work without any problems, but I can't seem to be able to reach the sensor. There is a switch between my PC and the sensor and the switch has the corresponding static route added. I can reach the switch sensor.

  Is there a security feature hidden I don't know that prevent communication with the sensor.

  And ACL of the sensor allows the traffic to all networks (0.0.0.0/0)

  With the sensor acl set to 0.0.0.0/0, the sensor must be allowing connectivity.

  You can use the 'View of package' command on the sensor to look at packets on the interface command and control to see if the packets are what makes the sensor.

  You say that you have a static route on your switch for the switch reach your sensor. Do you know if your PC is configured to use the switch as the computer's default router. If the PC is to use a different default router, then the other router should also the static route.

  The other possibility is that the SAA itself can be deny traffic.

  Since this is an ASA connected to the MSS interface, the traffic must be routed through the ASA. Standard firewall rules apply to this traffic. The security level of the interfaces can prevent traffic, and an ACL may be necessary in order to allow the circulation of your PC be routed to the SSM.

  NOTE: If you don't want to have to worry about roads, the other alternative is to make the network between the ASA and SSM to be an isolated network that only 2 machines know.

  You can then use PAT static to map a port on the inside of the ASA interface with the address of the SSM 443 https port and map a second port of the SAA within the interfaces to the address of the SSM SSH port.

  How your home PC would simply plug the ASA IP using these specific ports and the ASA would do the translation of port and transmit on the MSS.

  The SSM address could also be dynamically PAT would have on the SAA within the address, so SSM could start the connection to other machines on the inside network.

  Another alternative if you have addresses available on your inside network IP is to use static NAT instead of PAT. And just go forward and has the ASA statically map an IP network on IP of the SSM on the network that only the ASA and the SSM inside could know.

  In both cases the network between the ASA and SSM would not routable at, and you wouldn't have to worry of reproducing static routes anywhere.

  SIDE NOTE: A separate network for the SSM you Becase you will also need to NAT or PAT address of the SSM for the ASA to outside interface. In this way the SSM will be able to connect to Internet to download cisco.com auto updates, and/or pull overall correlation of servers cisco information. It's probably the same configuration that you would already other internal addresses, and just to be sure, you cover the SSM since you have it on a separate subnet.

• Interface of the AIP - SSM

  What is the configuration of the AIP - SSM interface indicates?

  If this indicates that trafficking of this interface will be done, then what is the purpose to divert the traffic of asa good political order.

  Thanks, hope that I have answered your questions.

• To access the AIP-SSM-10 through the ACS

  Hye,

  Please, I would like to know if you can access the AIP-SSM-10 using a Cisco ACS account.

  Thank you

  IPS module does not support authentication to the ACS server.

  Please find the only authentication method for IPS in the following document:

  http://www.Cisco.com/en/us/docs/security/IPS/7.0/Configuration/Guide/IDM/idm_sensor_management.html

  Hope that answers your question.

• Question of the clock of the AIP - SSM

  We have configured our AIP - SSM and synchronized with our command NTP servers.show clock shows the time corrcet in the CLI

  See the sensor clock #.
  16:42:35 GMT + 05:30 Sunday, March 28, 2010

  probe # show clock detai
  16:53:25 GMT + 05:30 Sunday, March 28, 2010
  Time source is NTP

  But the time indicated in the last TAB update shows the hour UTC. Even in my case logs are updated with the time information UTC only. I set the time zone correctly.

  

  What do I need to configure something else to update my timestamp in the event log.

  In the second version of the IPS, a new column has been added for "time sensor" in the event viewer.

• Support for hardware and signature to the AIP SSM-10

  We have a 5510 which we bought a map AIP SSM-10 for the SAA, which is already the subject of a support contract. We now want to add the hardware maintenance for the new card AIP SSM-10 as signature updates. Our Cisco provider is confirmed we will receive that updates of signature with hardware support (we tried to get a response from them since June or July now).

  Could someone let us know what is the correct part number, and so we can ask the specific option that will allow both the material cover and signature updates.

  I think it is need you

  CON-SU1-AS1A1PK9

  IPS, NBD SVC, AR ASA5510-AIP10SP-K9

  support for Cisco smartnet

• The AIP SSM mode

  I bought an ASA 5510 with module SSM for IPS get in PCI compliance. I'll implement the SSM and I don't know if I have to use online or "Promiscuous" mode to control traffic. I'm afraid I'll slow down if I do online but I don't know if the "Promiscuous" mode is sufficient to meet the PCI standards. Nobody knows who can or should be used?

  Here ya go:

  http://www.ccbootcamp.com/PCI/design-guide.PDF

  http://www.ccbootcamp.com/PCI/CISPVISA.PDF

  -brad

  http://www.ccbootcamp.com

  (please NOTE the message if it helps!)

  (Perhaps that the moderator can make this a sticky!)

• Reset password for the AIP - SSM-10

  Hello

  I have an ASA5520 with 7.2 v 2 running.

  but the IPS module spftware is 5.1

  When I tried to connect to the > session 1

  He asked me a login and a password.

  I tried the cisco and a few other combinations... but no luck.

  How to reset it? also the procedure to reset on the docs said its password resets or the cisco of the user...

  How can I be sure that the cisco of the user still exists about it or not?

  any help please?

  The only way to get the software for your module is to download via the software centre of Cisco.com. You will need a Smartnet contract or account of the BCC to access downloads.

  You'll be able to reimage the module with the 6.0 software, but it is advisable to reimage it with the most basic image. You can always switch from there!

  Information on the site is in the following document:

  http://www.Cisco.com/en/us/products/HW/vpndevc/PS4077/products_configuration_guide_book09186a008055dbb1.html

  Hope this information helps, if it does; Please note!

  Kind regards

  Michael

• Failed to update of the signing of the AIP-SSM-10

  I hope someone can help me, I am unable to get the signature autoupdate working on our ASA 5510 IPS. We have a valid support contract, our user name does not include and special characters, and I am able to download the files of signature on the site by using our BCC.

  When trying to get through Auto/cisco.com update if I get the following in the event logs each attempt update:

  evError: eventId = 1319467413849005289 = severity = error Cisco vendor

  Author:

  hostId: xxxx

  appName: mainApp

  appInstanceId: 354

  time: October 26, 2011 11:40:01 UTC offset = 60 timeZone = GMT00:00

  errorMessage: AutoUpdate exception: failed to connect HTTP [1 111] name = errSystemError

  I've included a conf 'show' and a 'facilitator stat"below.

  See the XXXXXX conf #.

  ! ------------------------------

  ! Current configuration last modified Wed Oct 26 10:48:07 2011

  ! ------------------------------

  ! Version 7.0 (6)

  ! Host:

  !     Domain keys key1.0

  ! Definition of signature:

  !     Update of the signature S604.0 2011-10-20

  ! ------------------------------

  service interface

  output

  ! ------------------------------

  authentication service

  output

  ! ------------------------------

  rules0 rules for event-action service

  output

  ! ------------------------------

  service host

  the network settings

  Host-ip 10.x.x.x/24,10.x.x.x

  hostname xxxxxx

  Telnet-option turned off

  access-list 10.x.x.x/32

  access-list 10.x.x.x/16

  access-list 10.x.x.x/32

  primary-active DNS server

  address 10.x.x.x

  output

  secondary-server DNS disabled

  tertiary-disabled DNS server

  output

  time zone settings

  offset 0

  standard time-zone-name-GMT00:00

  output

  NTP-option enabled-ntp-no authenticated

  Server NTP 10.x.x.x

  output

  Summertime-recurring option

  Summertime-zone-name GMT00:00

  Start-summertime

  last week of the month

  output

  end-summertime

  month October

  last week of the month

  output

  end-summertime

  month October

  last week of the month

  output

  output

  automatic update

  Cisco-Server enabled

  scheduling periodic-calendar option

  beginning 00:40:00

  interval 1

  output

  username xxxxxxxxxxxxxxx

  Cisco-url https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl

  output

  output

  output

  ! ------------------------------

  service recorder

  output

  ! ------------------------------

  network access service

  output

  ! ------------------------------

  notification services

  output

  ! ------------------------------

  Service signature-definition sig0

  output

  ! ------------------------------

  Service ssh-known-hosts

  output

  ! ------------------------------

  trust-certificates of service

  output

  ! ------------------------------

  web-server service

  output

  ! ------------------------------

  Service-ad0 anomaly detection

  output

  ! ------------------------------

  service interface external product

  output

  ! ------------------------------

  health-monitor service

  output

  ! ------------------------------

  service global correlation

  output

  ! ------------------------------

  aaa service

  output

  ! ------------------------------

  service-analysis engine

  vs0 virtual sensor

  Physics-interface GigabitEthernet0/1

  output

  output

  XXXXXX # host stat

  General statistics

  Last updated to host Config (UTC) = 27 October 2011 08:27:10

  Control device control Port = GigabitEthernet0/0

  Network statistics

  = ge0_0 link encap HWaddr 00:12:D9:48:F7:44

  = inet addr:10.x.x.x Bcast:10.x.x.x.x mask: 255.255.255.0

  = RUNNING UP BROADCAST MULTICAST MTU:1500 metric: 1

  = Dropped packets: 470106 RX errors: 0:0 overruns: 0 frame: 0

  = Dropped packets: 139322 TX errors: 0:0 overruns: 0 carrier: 0

  = collisions: 0 txqueuelen:1000

  = RX bytes: 40821181 (38.9 MiB) TX bytes: 102615325 (97.8 MiB)

  = Address: 0xbc00 memory: f8200000 of base-f8220000

  NTP statistics

  = distance refid st t when poll reach delay offset jitter

  = * time.xxxx.x 195.x.x.x 3 u 142 1024 377 1, 825 - 0.626 0.305

  = L LOCAL (0) LOCAL (0) 15 59 64 377 0.000 0.000 0.001

  = ind assID status conf scope auth condition last_event cnt

  = 1 43092 b644 Yes Yes No sys.peer 4 available

  = 2 43093 9044 Yes Yes No accessible release 4

  status = synchronized

  Memory usage

  usedBytes = 664383488

  freeBytes = 368111616

  totalBytes = 1032495104

  Statistics of Summertime

  Start = GMT00:00 03:00 Sunday, March 27, 2011

  end = GMT00:00 01:00 Sunday October 30, 2011

  Statistics of the processor

  Its use in the last 5 seconds = 51

  Its use during the last minute = 44

  Its use in the last 5 minutes = 50

  Memory statistics

  Use of memory (bytes) = 664383488

  Free MEMORY (bytes) = 368111616

  Auto Update Statistics

  lastDirectoryReadAttempt = 08:40 GMT00:00 Thursday, October 27, 2011

  = Reading directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl

  = Error: Auto update an exception: failed to connect HTTP [1 111]

  lastDownloadAttempt = n/a

  lastInstallAttempt = n/a

  nextAttempt = GMT00:00 09:28 Thursday, October 27, 2011

  Auxiliary processors installed

  Thank you very much.

  Your error message indicates "HTTP connection failed."

  Management interface you can access the internet via HTTP sensor?

  You have a proxy between the sensor and the internet?

  Can you ping the sensor to open internet IP addresses (like google.com)?

  -Bob

• How to tune the signatures of the AIP-SSM-20

  Hi all

  When I connect my ASA IPS module, I see a lot of signatures with risk of HEIGHT, but they are not activated (ENABLED). I dould so it is recommended to activate all these signatures risk of UPWARD in the IPS. I think that if these signatures risk rating of the TOP, then they should all be activate to combat the threat to security. It will cause performance degradation if all are activate? or it crashes a part of legitimate traffic if all are enabled to combat the thrreat?

  I'll be very grateful for your help.

  Kind regards.

  No, it's definitely not recommended to enable all the signatures on IP addresses. It will certainly be performance degradation because it is not intended to be all activated.

  The team of Cisco IPS préactivés current signatures and twist the signatures on each update of the signature, if it is considered at high risk for security. Those who have been turned off are likely to be old signatures that are more current, at this stage unless you don't not patch your hosts to end. IPS will monitor and/or block threats however, it is always the responsibility of the administrator of the host to patch hosts. IPS will only prevent and guide you to patch the end hosts.

• AIP - SSM recreate the image in secondary ASA 5500 (failover) with virtual contexts

  Hello guys,.

  The scenario is as follows:

  2 ASA 5500 with virtual contexts for failover.

  The ASA elementary school has the work of the AIP-SSM20.

  ASA school (which is in active / standby) has its SSM20 AIP to work now and everything is in production.

  Someone tried to configure this 2nd AIP - SSM, changed the password and lost, so I tried to re - the image (without authorized passage recovery), but the connection fails on the TFTP server, where is the image of the AIP - SSM.

  Now questions, documentation Cisco re-imaging view orders under ASA #.

  but as this scenario has several virtual contexts the ASA # shell contains no IP address as you know (which I suppose is the reason why the ASA cannot download the image from the TFTP server) and switch to another context (ASA / admin #) re-imaging commands do not work (hw-module module 1... etc...).

  What is the solution? Is there documentation for it (with security contexts)?

  Thank you very much for reading ;) comment on possible solutions.

  Yes,

  Some things to keep in mind.

  (1) run 'debug module start' on the SAA before running the command "hw-module module 1 recover boot. This will show you the ROMMON of the MSS output as it tries to make the new image and you can look for any errors.

  (2) before trying to download from the SSM, first use a machine separate download tftp from your laptop. This will ensure the TFTP on your laptop works and confirm what directory (if any) that you can use as the file location.

  (3) if the tftp download does not SSM, then the SSM is unable to properly connect to your laptop. You need a crossover cable to connect your laptop to the SSM. If you have a crossover cable, then you could try to connect the MSS and your laptop to a small hub, or configure a new vlan on your switch with only 2 ports and connect the MSS and your computer laptop this vlan 2 port.

  (4) also try the download first at the end of the gateway to 0.0.0.0 since your laptop and the SSM will be on the same subnet. If this does not work then you can try a non-existent 30.0.0.4 address as gateway.

  (5) understand that the IP address that you specify for the MSS using the command "configure the hw-module module 1 recover" is just temporary for download. Once an image is installed, then sitting at the module and run the "setup" command in order to configure the permanent address you want ure on external port of the SSM. This address in the "setup" command can the same as that used in the command 'get the 1 hw-module module configure' or a completely new (as in your case). Just make sure that you connect to the network just to what address you give.

• Updated AIP-SSM-10 on ASA 5510

  Hello

  I want to upgrade the IPS module in an ASA 5510, and I have a few questions. The AIP - SSM is running E3 479.0 1.0000 and I have a valid account of the ORC etc for this.

  1. What is the version of the software on the question of the ASA?
  2. When I look in the software downloads< ips="" there="" are="" .pkg="" and="" .img="" files.="" i="" want="" to="" upgrade="" to="" 6.3(3)e4.="" do="" i="" have="" to="" re-image="" the="" ips="">
  3. AFAIK redefinition to wipe the device so I just reload the config after, right?
  4. I guess I can apply any update after going to E4?
  5. Can you give me links for this upgrade?

  see you soon

  Let me give some clarification on a few points:

  2. There is no need to recreate the image on the device using the .img file.  You can improve the mechanism of maintenance of your existing configuration using the .pkg file.  It is the recommended method for upgrading to Cisco IPS devices/modules.  The .img file to recreate the image should only be used to restore the default device.

  5 here are links for the upgrade of the probe using a .pkg file.  For updates through the IDM user interface:

  http://www.Cisco.com/en/us/docs/security/IPS/6.2/configuration/guide/IDM/idm_sensor_management.html#wp2126670

  For upgrades via the CLI:

  http://www.Cisco.com/en/us/docs/security/IPS/6.2/configuration/guide/CLI/cli_system_images.html#wp1142504

  Another point of clarification; current releases of IPS software supported on the AIP-SSM-10 are (taking into account you are currently running 6.2 (1) E3):

  6.2 (3) E4

  7.0 (4) E4

  You can go directly to each output.

  Scott

• AIP - SSM 40-level question.

  Hello

  I am trying to upgrade the AIP - SSM software file 'IPS - K9 - 6.0 - 6 - E4' in 'IPS-engine-E4-req-7.0-2 '. But it is not allow.

  "Could not pass the software on the sensor.

  Level the current signature is S698. The current level of the signature must be less than S480 for this installation package. »

  So I tried to update the signature file less than S480, "IPS-GIS-S460-req-E3".

  "Can not upgrade the sensor software be"
  This update can be installed on the sensor with and the version of the 3 engine.

  The currently installed engine version is 4.

  There is no signature file in cisco downloads less S480 in version 4 engine.

  See the version

  AIP - SSM # sho version

  Application partition:

  Cisco Intrusion Prevention System, Version 6,0000 E4

  Host:

  Domain keys key1.0

  Definition of signature:

  Update of the signature S698.0 2013-02-19

  OS version: 2.4.30 - IDS-smp-bigphys

  Platform: ASA-SSM-40

  Serial number:

  License expires: November 3, 2013 UTC

  Sensor time is 3 days.

  Using 4203216896 bytes of available memory (24% of use) 1045143552

  application data using 41.4 M off 167.8 M bytes of disk space available (26% of use)

  startup is using 37.8 M off 70.5 M bytes of disk space available (57% of use)

  MainApp N-NUBRA_2009_JUL_15_01_10_6_0_5_57 (Ipsbuild) 2009-07 - 15 T 01: 15:08 - 0500 Running

  AnalysisEngine NO-NUBRA_E4_2010_MAR_24_22_44_6_0_6 (Ipsbuild) 2010-03 - 24 T 22: 47:53 - 0500 Running

  CLI N-NUBRA_2009_JUL_15_01_10_6_0_5_57 (Ipsbuild) 2009-07 - 15 T 01: 15:08 - 0500

  Upgrade history:

  * IPS - K9 - 6.0 - 6 - E4 21:14:06 UTC Wednesday, March 24, 2010

  IPS-GIS-S698-req - E4.pkg 15:44:43 UTC Sunday, February 24, 2013

  Version 1.1 - 6, 0000 E4 recovery partition

  ____________________________________________________________________________

  Any help will be much appreciated... Thanks in advance.

  Liénard

  If you try the software version Upgrade, try to use the IPS-K9-7, 0-2 - E4.pkg instead of the engine update package.

• Getting started: ASA5520 w / AIP - SSM

  I'm trying to deploy an ASA5520 to a customer. I have no problem with the piece of implementing firewall, but I don't know where to start with the piece of IPS.

  I searched a bit on the ASA55XX & AIP - SSM, but can't seem to find much on what to do with the AIP - SSM beyond the initial Setup.

  Can someone point me to some beginners IPS documentation that focuses on the AIP - SSM?

  Thank you

  Jeff

  In my view, there is a lack of documentation on how to get the IPS module to work with the ASA. It would be nice if there was a single document on how to get IPS working module with the ASA.

  Start with the documentation of the IPS. It's just on how to configure the IPS himself module. Assign an IP address for management, set the admin password, etc..

  http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids12/index.htm

  Then go to the documentation of the SAA on how to configure ASA to send traffic to IP addresses (via a service-policy):

  http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids11/cliguide/clissm.htm#wp1033926

  There is a free viewer of IPS Cisco event offering to monitor events on the IPS. It can be downloaded from the download page of the Cisco IPS software.

  Finally, read the whitepaper SAFE on the deployment of the IPS and the setting.

  http://www.Cisco.com/en/us/NetSol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801bc111.shtml

  I hope this helps. Remember messages useful rate. Thank you!