Rules of politics on the ASA AIP - SSM services

Salvation of the forumers

I have an ASA with AIP - SSM. I want to protect the LAN private outside the internet attack.

I would check the meaning of the ACL on ASDM firewall > policy of Service rule

1. am I right to set the source: external interface, destination: 172.16.0.2

or 2. destination value: 10.10.0.0 / 16

Thank you

Noel

To respond to your request in simple just do your Service policy with the IP address that is seen by the firewall. If the IP address 10.10.0.0/16 are natted on the router with 172.16.0.2, then all IP addresses, hit on the firewall will be 172.16.0.2 so make your destination with 172.16.0.2 else if the natting is on the firewall for 10.10.0.0/16 then point the destination to 10.10.0.0/16.

Tags: Cisco Security

Similar Questions

  • Block P2P software using the ASA-AIP-SSM-20 module

    Hello

    I have a question about blocking P2P traffic on ASA AIP module. I've searched the forums and all I could find were solutions using regex, port block, MPF, but no example of implementation of AIP.

    Could someone point me in the right direction please?

    Thank you very much

    Martin

    Hello

    You can find all the associated p2p signatures in:

    http://Tools.Cisco.com/Security/Center/home.x

    A search using Signatures, p2p, all. Then, you can set the respective signatures to your needs.

    SPSP

  • The ACE IPS Cisco and Cisco ASA AIP - SSM (IPS)

    Is there a difference between the features offered by the Cisco ACE IPS and Cisco ASA AIP - SSM (IPS) devices?

    Can we do without Cisco ASA AIP - SSM (IPS) of 'only' configuration/implementation Cisco ACE IPS.

    Cisco AVS/ACE emphasis on commissioning and to secure web-based applications. IP addresses do not focus on just the web applications and trying to get the multiple layers of the OSI stack. Consider the IPS as a general practitioner and the ACE/AVS as an eye surgeon, or something :)

    Here is the response from Cisco itself:

    http://www.Cisco.com/en/us/prod/collateral/modules/ps2706/ps6906/prod_qas0900aecd8045867c_ps6492_Products_Q_and_A_Item.html

    Q: how is Cisco AVS Firewall application differs from an intrusion prevention system (IPS)?

    A. IPSs are solid solutions of protection against targeted attacks of known vulnerabilities in major platforms such as Windows, Solaris, Apache or Microsoft Internet Information Services (IIS). Cisco AVS excels to protect against targeted attacks Web sites or enterprise applications. These applications can be built custom internal applications or software vendor. Signatures and security patches are generally not available for these types of applications, and building these security levels in each application, it would be almost impossible.

    Q: how is Cisco AVS Firewall application differs by a network firewall?

    A. The Cisco AVS 3120 and Firewall network such as the Firewall of Cisco PIX® and Cisco ASA 5500 Series Adaptive Security appliances are complementary products. The application Cisco AVS Firewall secures Web applications; excellent network in the network security firewall. and the Cisco AVS provides defense in depth for Web applications.

    Firewall network apply policy networks, IP addresses and ports; they have a wide range of application for many different protocols layer features. The firewall can and will be deployed in many locations, including the edge, edge of the enterprise network, branch, etc. Cisco AVS imposed the policy on data HTTP as URL, headers and parameters. Cisco AVS is deployed in the data center in front of Web applications

    Concerning

    Farrukh

  • Physical connectivity of ASA AIP - SSM

    How the physical connectivity of ASA AIP - SSM should be in the case of inline interface mode of inspection for all interfaces of the firewall. ?

    Rgds.

    Assuming that 'interface_policy' has "inline ips" in the policy, then yes your configuration is correct.

    Keep in mind that 'GigabitEthernet0/1' being assigned to vs0 is the background interface of basket of the MSS itself and should not be confused with the external interface GigabitEthernet0/1 of the SAA.

    As for using several virtual probes, it is a personal choice.

    When you use an ASA with just a single context, then usually a single virtual sensor is sufficient. It's only when you want to follow for traffic coming from firewall interfaces (or different classes of traffic) If you want to use several different virtual devices.

    However, when you use an ASA with multiple security contexts, then it is usually a good idea to go and use a virtual sensor separate from the context of the ASA.

    If you choose to use several virtual devices, you must understand that the background basket interface GigabitEthernet0/1 are only awarded to only 1 virtual sensors.

    Here is an explanation of how the other virtual sensors would get traffic:

    When packets are sent to DFS for monitoring ASA, ASA includes a special header in each packet. Special information such as the framework of the SAA whence the package, the real and NAT/PAT package addresses, and a few other things. An important field of this header is for the virtual sensor. He tells the SSM which virtual sensor must monitor this package.

    When the ASA is configured without using the names of virtual sensor, this is a virtual sensor in the package header field is blank. If the SSM sees a package with the field left blank it will check the DFS configuration to see which virtual sensor GigabitEthernet0/1 of the SSM has been assigned and that sends the packets to the virtual sensor.

    If ASA has been configured to send the packet to a specific virtual sensor (be it by adding the name of virtual sensor at the end of the "inline ips" entered configuration or by using the configuration entries "allocate ips" in the context of system configuration) then the ASA will include the virtual sensor in the header of the packet. The SSM will read in this area, and instead to send the virtual sensor where Gig0/1 is assigned, it will rather send to virtual sensor specified in the header of the packet.

    Indeed, it overrides the assignment Gig0/1 and will lead to what ever virtual sensor has been specified by the configuration of the SAA.

  • Replication of configuration ASA AIP - SSM

    People,

    The AIP - SSM replicates another AIP - SSM ASA/standby configuration?

    I mean, when I change the configuration on the AIP/SSM assets, will change bring replicated to the other AIP - SSM?

    Thank you

    Yes, unfortunately all the IP addresses are the same. Configuration duplicate automatically 1 unit to another.

    Please kindly marks the message as answered if you have any other question. Thank you...

  • (ASA) AIP - SSM 10 Inline; Supreme events?

    A 5520 ASA with SSM-10 GOAL is set to inline mode, but the events of the show for 2 hours (sensor > HS event past 02:00) of the Interior of the sensor shows and "promicuous mode", "left promicuous mode'."

    This AIP SSM - 10 has only one gig0/0 and gig0/1 where o/o is taken out of service and a value default virtual sensor (vs0) is assigned to gig0/1. I see the statistics (sensor > sh SEO-engine of analysis) to gig0/1 so I collect statistics.

    If the configuration of the ASA 5520 has the following policy of inline and events log shows that enter and exit in promiscuous mode so how do I check if I am inspection/recovery in inline mode?

    (ASA > sh run access-list IPS)

    IPS list extended access permitted ip DMZ 255.255.255.0 26.26.1.0 255.255.255.0

    (ASA > sh run | b class-map)

    class-map IPS

    corresponds to the IP access list

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the netbios

    inspect the rsh

    inspect the rtsp

    inspect the skinny

    inspect esmtp

    inspect sqlnet

    inspect sunrpc

    inspect the tftp

    inspect the sip

    inspect xdmcp

    inspect the waas

    inspect the icmp

    class IPS

    IPS inline help

    !

    global service-policy global_policy

    (sensor > sh interfaces)

    ...

    Statistics interface GigabitEthernet0/1 MAC

    Function of interface = interface detection

    Description =

    Support type = backplane

    By default Vlan = 0

    Inline = unpaired mode

    Pair of status = n/a

    Circumvention of Capable hardware = no.

    Twin derivation material = n/a

    Link status = upwards

    Link speed = Auto_1000

    Link Duplex = Auto_Full

    Lack of Packet percentage = 0

    Total packets received = 95044

    Total number of bytes received = 8715230

    Total multicast packets received = 0

    Total of broadcast packets received = 0

    Total fat packets received = 0

    Total sousdimensionnés packets received = 0

    Receive the total errors = 0

    Receive FIFO overruns total = 0

    Total packets transmitted = 95044

    Total number of bytes sent = 9047702

    Total multicast packets sent = 0

    Total broadcast packets sent = 0

    Total fat transmitted packets = 0

    Total packets transmitted sousdimensionnés = 0

    Total transmit errors = 0

    Total transmit FIFO overruns = 0

    sensor > sh events last 02:00

    evStatus: eventId = 1203360411830836145 = Cisco vendor

    Author:

    login host: ASA2_IPS

    appName: kernel

    appInstanceId:

    time: 2008-02-20 19:01:46 2008/02/20 19:01:46 UTC

    syslogMessage:

    Description: device ge0_1 entered promiscuous mode

    evStatus: eventId = 1203360411830836146 = Cisco vendor

    Author:

    login host: ASA2_IPS

    appName: kernel

    appInstanceId:

    time: 2008-02-20 19:01:53 2008/02/20 19:01:53 UTC

    syslogMessage:

    Description: the promiscuous mode device ge0_1 left

    The left State events and entered promiscuous mode are usually generated when you do a 'package of display' or 'the capture of packets' command on the CLI of the sensor.

    Track order of the package is promiscuity but is independent of promiscuity or inline followed by analysis of the probe engine.

    If you have inline monitoring using the probe analysis engine.

    And still make command package to the cli for your own monitoring promiscuity of those same packets. Here are 2 independent monitors of the same packages.

    If I remember right inline monitored packets always get returned to the ASA (unless expressly denied), which is not promiscuous packets. So check sensors gig0/1 interface statistics and the number of packets for transmission. If receive and transmit accounts are quite close, then packets are monitored by the analytical engine InLine. If the number of transmission is nil or very low then the packets are likely promiscuous monitored.

    With the configuration of your ASA you are correctly configured for online tracking.

    So I don't think that you are investigating inline, and status messages are specific to your start and stop of the command 'package' on the CLI for your own independent viewing packages promiscuity.

  • do not get traffic of ASA AIP-SSM-20.

    Hello

    We have Cisco ASA 5510, and we recently added Cisco AIP - SSM. We have configured the sensor and did as well as ASA also but we don't get newspapers in ADM please help me on this.

    Please find attached Sersor Configuration and version of the IPS and ASA module.

    Kind regards

    Nathalie. M

    On the SAA, you need

    access-list aip-acl extended deny ip any any
    
class-map aip-class
    
match access-list aip-acl
    
policy-map global_policy
    
class aip-class
    
  ips inline fail-open
    
service-policy global_policy global

    so that it sends traffic to the agreement in principle for inspection.

    I hope it helps.

    PK

  • ASA - AIP - SSM design review

    Hello

    If anyone can offer you please, you will enjoy

    We have 2 ASA 5520 with SSM modules in. behind ASA is a CSS load balancer. This load balancer have ssl and ssl certificate installed module. communication from the internet to the VIP loadbalancer is SSL, the SSM module configured to control communication is limited because everythng is encrypted.

    communication between the LB farm and the server is not encryted, but there is no IPS inbetween. can you suggest if someone used the design below

    int 1 (public) - ASA1 - LB 1 interface (dmz) - inside (inside) ASA1 interface where all the web server resides

    Therefore, the traffic is on port 443 to the virtual IP address. Static on ASA 1forwards traffic to its dmz interface where 1 LB, then clear the 1 LB traffic goes to the inside interface where all the serverfarm web resides. by doing so, we can configure the SSM module to monitor the traffic of LB to webserverfarm since its between 2 interfaces of ASA. and also we can have access - list on ASA to allow traffic only between LB and Web servers

    This will be a concern on the performance of the ASA?

    What is a recommended design

    Thank you

    It is a valid design and it should work.

    The ASA will see traffic twice and the interface that is in front of the LB will see traffic entering the lb twice so I'm not sure that it is effective. Please check the amount of traffic will see interfaces to see if the ASAs can manage it.

    Since the LB will be the one actually pulling pages and to talk to your servers, why did you not pass by the ASA, but external users from do not by it, when speaking of LB?

    If you are worried about BACK against LB and you do not have another firewall to use so I assume that it is valid.

    I hope it helps.

    PK

  • Cisco ASA aip - ssm signature update

    Hello

    Is it possible to dynamically update the signatures directly from Cisco IPS? I can only find configuration guides where the IPS module queries an internal server...?

    Thank you

    Ash

    Yes, you can update IPS signature directly from cisco.com if you run IPS version 6.1 and higher.

    This is the configuration for your reference doc:

    http://www.Cisco.com/en/us/docs/security/IPS/6.1/Configuration/Guide/IDM/idm_sensor_management.html#wp2182927

  • Application of noob - says the ASA55xx & AIP SSM inspection HTTPS or SSL?

    So far, all I can find on the SAA's Inspection is an Application for the HTTP CONNECT request that transports you into the universe of HTTPS (SSL).  Sellers who can inspect SSL usually boast about and must devote at least a chapter in the User Guide for the management of the certificates and keychains.  Right now, I guess that unless traffic of penetration is from a SSL VPN Client, it won't be much inspection going on.  THX

    The reason why there is not much on the HTTPS inspection is because the device must be when you run man-in-the-middle to be able to inspect encrypted HTTPS traffic. Typically, seller who inspects for HTTPS traffic would have the certificate of the device presented to the user in order to inspect HTTPS, not the end certificate of web server traffic.

    Cisco Ironport WSA both Cisco ScanSafe supports the inspection of HTTPS web traffic for anti-malware, anti-spyware, and web filtering.

    Hope that answers your question.

  • The AIP - SSM to unused ASA connection interface

    Hi people,

    Perhaps, someone has already raised this issue, but I was unable to find anything relevant. We have an ASA with an unused interface (gig0/3). The sensor of the AIP - SSM is physically connected to this interface with the following IP settings:

    Sensor (192.168.2.2/30,192.168.2.1)---interface ASA (192.168.2.1/30)

    It's basically point to point connectivity, and I can reach the ASA of the sensor and the other way around.

    This design is dictated by the lack of a free port on the switch.

    Technically, it should work without any problems, but I can't seem to be able to reach the sensor. There is a switch between my PC and the sensor and the switch has the corresponding static route added. I can reach the switch sensor.

    Is there a security feature hidden I don't know that prevent communication with the sensor.

    And ACL of the sensor allows the traffic to all networks (0.0.0.0/0)

    With the sensor acl set to 0.0.0.0/0, the sensor must be allowing connectivity.

    You can use the 'View of package' command on the sensor to look at packets on the interface command and control to see if the packets are what makes the sensor.

    You say that you have a static route on your switch for the switch reach your sensor. Do you know if your PC is configured to use the switch as the computer's default router. If the PC is to use a different default router, then the other router should also the static route.

    The other possibility is that the SAA itself can be deny traffic.

    Since this is an ASA connected to the MSS interface, the traffic must be routed through the ASA. Standard firewall rules apply to this traffic. The security level of the interfaces can prevent traffic, and an ACL may be necessary in order to allow the circulation of your PC be routed to the SSM.

    NOTE: If you don't want to have to worry about roads, the other alternative is to make the network between the ASA and SSM to be an isolated network that only 2 machines know.

    You can then use PAT static to map a port on the inside of the ASA interface with the address of the SSM 443 https port and map a second port of the SAA within the interfaces to the address of the SSM SSH port.

    How your home PC would simply plug the ASA IP using these specific ports and the ASA would do the translation of port and transmit on the MSS.

    The SSM address could also be dynamically PAT would have on the SAA within the address, so SSM could start the connection to other machines on the inside network.

    Another alternative if you have addresses available on your inside network IP is to use static NAT instead of PAT. And just go forward and has the ASA statically map an IP network on IP of the SSM on the network that only the ASA and the SSM inside could know.

    In both cases the network between the ASA and SSM would not routable at, and you wouldn't have to worry of reproducing static routes anywhere.

    SIDE NOTE: A separate network for the SSM you Becase you will also need to NAT or PAT address of the SSM for the ASA to outside interface. In this way the SSM will be able to connect to Internet to download cisco.com auto updates, and/or pull overall correlation of servers cisco information. It's probably the same configuration that you would already other internal addresses, and just to be sure, you cover the SSM since you have it on a separate subnet.

  • Reloading of the AIP - SSM

    reload the module AIP - SSM affect the ASA?

    Exactly. If you don't have a political card by using the SSM module, then you can reload the module SSM and it does not affect the traffic passing by ASA. To give you more information, here is a link that gives you information on how to configure ASA to use the SSM module:

    http://www.Cisco.com/univercd/CC/TD/doc/product/multisec/asa_sw/v_7_2/conf_gd/firewall/SSM.htm#wp1050744

    Hope that helps.

    Kind regards

    Maryse.

  • ASA 5520 with AIP - SSM

    Dear all,

    I'm in the process of implantation of the product above of title to one of the clients.

    I am very familiar with the configuration of the firewall, but the module AIP - SSM is than I do the first time.

    Please I need your help to do the configuration.

    Is it possible by using ASDM to configure, if yes please give me the steps and procedures to complete the work

    Thanks in advance

    Swamy

    Hi S,

    Very easy:

    Connect to the ASA, activate mode and then connect to the IPS via the command "session 1".

    You are then connected to the console of the IPS. Enter the user name "cisco" and the password "cisco" and run the Setup program for the basic config (address IP etc). After that, you can either connect directly on IP addresses via a web browser or through ASDM.

    Then I recommend you read the setup guide for IP addresses that it can be very intense (configuration/tweaking signatures etc.)

    I hope this helps!

    See you soon

    JC

  • Getting started: ASA5520 w / AIP - SSM

    I'm trying to deploy an ASA5520 to a customer. I have no problem with the piece of implementing firewall, but I don't know where to start with the piece of IPS.

    I searched a bit on the ASA55XX & AIP - SSM, but can't seem to find much on what to do with the AIP - SSM beyond the initial Setup.

    Can someone point me to some beginners IPS documentation that focuses on the AIP - SSM?

    Thank you

    Jeff

    In my view, there is a lack of documentation on how to get the IPS module to work with the ASA. It would be nice if there was a single document on how to get IPS working module with the ASA.

    Start with the documentation of the IPS. It's just on how to configure the IPS himself module. Assign an IP address for management, set the admin password, etc..

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids12/index.htm

    Then go to the documentation of the SAA on how to configure ASA to send traffic to IP addresses (via a service-policy):

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids11/cliguide/clissm.htm#wp1033926

    There is a free viewer of IPS Cisco event offering to monitor events on the IPS. It can be downloaded from the download page of the Cisco IPS software.

    Finally, read the whitepaper SAFE on the deployment of the IPS and the setting.

    http://www.Cisco.com/en/us/NetSol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801bc111.shtml

    I hope this helps. Remember messages useful rate. Thank you!

  • AIP-SSM-20 upgrade

    Try to upgrade an AIP-SSM-20.

    We have 2 ASA in a failover configuration, upgrade on the AIP-SSM-20 secondary has been a success.

    On the primary AIP-SSM-20, we get the following error when you try to upgrade via FTP from the same server that we have updated the secondary SSM module of:

    execUpgradeSoftware: permission denied

    The current version is 1,0000 E1, tyring 4,0000 E1 upgrade

    We tried when the module is active and when it's not... same error in both directions. Doesn't seem to be a user FTP error since we get a different when error deliberately hits the user or password.

    Our SSM user has administrator privileges (cisco default user) and we tried to restart the SSM... no luck

    Anyone has any idea on this?

    Thank you

    John Stemke

    I don't know if the error is generated by the sensor itself, or from the ftp server.

    To discover the try running a sniffer of packages on the ftp server or the 'package' command on the CLI for the command of the probe and control interface.

    Run the command to upgrade and see if a ftp connection is still attempted by the sensor.

    If no ftp connection is attempted, then the error would be to the sensor itself, and it would seem that the user doesn't have permissions admin (which doesn't seem to be your case by what you wrote).

    If the ftp connection is attempted, then the error is probably coming from the ftp server. Look at the packages that you have captured and see if an error is coming from the ftp server. The problem may be a permissions issue on the file on the ftp server. The ftp directory or the file itself may not have read permission for the file.

    You can also try a ftp from your own desktop to the same ftp server by using the same user and password used for the sensor and see if you can download it on your own desktop.

    As a work around to get your updated sensor to update and work on this authorization the problem is later to copy the upgrade on your desktop.

    Run IDM and use IDM to repel the upgrade of your desktop directly on the sensor.

Maybe you are looking for

  • How will I know if I am under the RC 1?

    I just downloaded what I thought was v 4 RC 1. I was already running Beta 4. However, the view button is not presented, and when I look for more information on what version I am running, it just says: 4.0. I tried to reinstall. When I installed both

  • I lost my small screens when I place the cursor on the name of the page in the bottom task bar

    I think it is called the taskbar. At the bottom of the screen. He always showed a small screen of my closed pages when I place my cursor on them, but for some reason any, he stopped to do this

  • Talk to the two devices at the same time.

    Hello I wonder that you could help me with my solution. I use GPIB to talk to two devices. I need to reset and align a device and control unit B. The process can take up to 2 minutes. Process B is to refresh of the ESA to the required temperature and

  • WSN-9791 Firmware

    I'm trying to update the firmware on my WSN-9791. I see the 9791 in Max and OR network browser. I use MAX version 4.7.7f0. The current version of the firmware 9791 is 1.0.1. I have the ni9791fwROM_LV861_LV2009 file. Once I click on the Firmware updat

  • What host and Service using TNSNAMES

    HelloI created a cluster 2 nodes (LAB4 LAB5) in 11 GR 2 grid Infrastructure, which currently holds my ASM Instance clusterI'm trying to determine which setting host and Service name I should use on a client to allow connect to ASM as a local connecti