The AIP SSM mode

Similar Questions

• Cannot access the AIP SSM via ASDM

  CISCO recommendations below:

  Cannot access the AIP SSM via ASDM

  Problem:

  This error message appears on the GUI.

  Error connecting to sensor. Error Loading Sensor error

  Solution:

  Make sure that the IPS SSM management interface is up/down and check his IP address configured, default gateway and the subnet mask. It is the interface to access the software from Cisco Adaptive Security Device Manager (ASDM) on the local computer. Try to ping the address of management of IPS SSM IP interface on the local computer that you want to access the ASDM. If it is impossible to do a ping check the ACLs on the sensor

  ----------------------------------------------------------------------------------------------------------------------------------------------

  I've tried everything recommended above. I can ping the host ASDM the FW and the SSM-10 module. Well, I ping the host machine and the SSM of the ASDM. I opened as wide as possible ACL. I changed the IP addresses and masks several times. The management of the ASA port and the SSM and the PC are on the same subnet.

  A trace of package from the PC to the SSM shows that it is blocked by an ACL rule, and yet I opened wide.   I've seen this kind of problem before and it was solved by applying the double static NAT, but I don't know how to do that if all the IP addresses are on the same subnet.

  Tried everything, need help from high level.

  The IDM software that comes with ASDM does not support java 1.7. The portion of the ASDM ASA supports 1.7 but launch the IPS cmdlet works only with 1.6. The TAC enginner suggested that I use the IME (IPS Manager Express) which is available for free on the Cisco's (http://www.cisco.com/en/US/products/ps9610/tsd_products_support_general_information.html) Web site.

  I've been playing with it today, and so far it seems to work pretty well.

• The AIP - SSM to unused ASA connection interface

  Hi people,

  Perhaps, someone has already raised this issue, but I was unable to find anything relevant. We have an ASA with an unused interface (gig0/3). The sensor of the AIP - SSM is physically connected to this interface with the following IP settings:

  Sensor (192.168.2.2/30,192.168.2.1)---interface ASA (192.168.2.1/30)

  It's basically point to point connectivity, and I can reach the ASA of the sensor and the other way around.

  This design is dictated by the lack of a free port on the switch.

  Technically, it should work without any problems, but I can't seem to be able to reach the sensor. There is a switch between my PC and the sensor and the switch has the corresponding static route added. I can reach the switch sensor.

  Is there a security feature hidden I don't know that prevent communication with the sensor.

  And ACL of the sensor allows the traffic to all networks (0.0.0.0/0)

  With the sensor acl set to 0.0.0.0/0, the sensor must be allowing connectivity.

  You can use the 'View of package' command on the sensor to look at packets on the interface command and control to see if the packets are what makes the sensor.

  You say that you have a static route on your switch for the switch reach your sensor. Do you know if your PC is configured to use the switch as the computer's default router. If the PC is to use a different default router, then the other router should also the static route.

  The other possibility is that the SAA itself can be deny traffic.

  Since this is an ASA connected to the MSS interface, the traffic must be routed through the ASA. Standard firewall rules apply to this traffic. The security level of the interfaces can prevent traffic, and an ACL may be necessary in order to allow the circulation of your PC be routed to the SSM.

  NOTE: If you don't want to have to worry about roads, the other alternative is to make the network between the ASA and SSM to be an isolated network that only 2 machines know.

  You can then use PAT static to map a port on the inside of the ASA interface with the address of the SSM 443 https port and map a second port of the SAA within the interfaces to the address of the SSM SSH port.

  How your home PC would simply plug the ASA IP using these specific ports and the ASA would do the translation of port and transmit on the MSS.

  The SSM address could also be dynamically PAT would have on the SAA within the address, so SSM could start the connection to other machines on the inside network.

  Another alternative if you have addresses available on your inside network IP is to use static NAT instead of PAT. And just go forward and has the ASA statically map an IP network on IP of the SSM on the network that only the ASA and the SSM inside could know.

  In both cases the network between the ASA and SSM would not routable at, and you wouldn't have to worry of reproducing static routes anywhere.

  SIDE NOTE: A separate network for the SSM you Becase you will also need to NAT or PAT address of the SSM for the ASA to outside interface. In this way the SSM will be able to connect to Internet to download cisco.com auto updates, and/or pull overall correlation of servers cisco information. It's probably the same configuration that you would already other internal addresses, and just to be sure, you cover the SSM since you have it on a separate subnet.

• Interface of the AIP - SSM

  What is the configuration of the AIP - SSM interface indicates?

  If this indicates that trafficking of this interface will be done, then what is the purpose to divert the traffic of asa good political order.

  Thanks, hope that I have answered your questions.

• To access the AIP-SSM-10 through the ACS

  Hye,

  Please, I would like to know if you can access the AIP-SSM-10 using a Cisco ACS account.

  Thank you

  IPS module does not support authentication to the ACS server.

  Please find the only authentication method for IPS in the following document:

  http://www.Cisco.com/en/us/docs/security/IPS/7.0/Configuration/Guide/IDM/idm_sensor_management.html

  Hope that answers your question.

• Reloading of the AIP - SSM

  reload the module AIP - SSM affect the ASA?

  Exactly. If you don't have a political card by using the SSM module, then you can reload the module SSM and it does not affect the traffic passing by ASA. To give you more information, here is a link that gives you information on how to configure ASA to use the SSM module:

  http://www.Cisco.com/univercd/CC/TD/doc/product/multisec/asa_sw/v_7_2/conf_gd/firewall/SSM.htm#wp1050744

  Hope that helps.

  Kind regards

  Maryse.

• Question of the clock of the AIP - SSM

  We have configured our AIP - SSM and synchronized with our command NTP servers.show clock shows the time corrcet in the CLI

  See the sensor clock #.
  16:42:35 GMT + 05:30 Sunday, March 28, 2010

  probe # show clock detai
  16:53:25 GMT + 05:30 Sunday, March 28, 2010
  Time source is NTP

  But the time indicated in the last TAB update shows the hour UTC. Even in my case logs are updated with the time information UTC only. I set the time zone correctly.

  

  What do I need to configure something else to update my timestamp in the event log.

  In the second version of the IPS, a new column has been added for "time sensor" in the event viewer.

• Support for hardware and signature to the AIP SSM-10

  We have a 5510 which we bought a map AIP SSM-10 for the SAA, which is already the subject of a support contract. We now want to add the hardware maintenance for the new card AIP SSM-10 as signature updates. Our Cisco provider is confirmed we will receive that updates of signature with hardware support (we tried to get a response from them since June or July now).

  Could someone let us know what is the correct part number, and so we can ask the specific option that will allow both the material cover and signature updates.

  I think it is need you

  CON-SU1-AS1A1PK9

  IPS, NBD SVC, AR ASA5510-AIP10SP-K9

  support for Cisco smartnet

• Reset password for the AIP - SSM-10

  Hello

  I have an ASA5520 with 7.2 v 2 running.

  but the IPS module spftware is 5.1

  When I tried to connect to the > session 1

  He asked me a login and a password.

  I tried the cisco and a few other combinations... but no luck.

  How to reset it? also the procedure to reset on the docs said its password resets or the cisco of the user...

  How can I be sure that the cisco of the user still exists about it or not?

  any help please?

  The only way to get the software for your module is to download via the software centre of Cisco.com. You will need a Smartnet contract or account of the BCC to access downloads.

  You'll be able to reimage the module with the 6.0 software, but it is advisable to reimage it with the most basic image. You can always switch from there!

  Information on the site is in the following document:

  http://www.Cisco.com/en/us/products/HW/vpndevc/PS4077/products_configuration_guide_book09186a008055dbb1.html

  Hope this information helps, if it does; Please note!

  Kind regards

  Michael

• Failed to update of the signing of the AIP-SSM-10

  I hope someone can help me, I am unable to get the signature autoupdate working on our ASA 5510 IPS. We have a valid support contract, our user name does not include and special characters, and I am able to download the files of signature on the site by using our BCC.

  When trying to get through Auto/cisco.com update if I get the following in the event logs each attempt update:

  evError: eventId = 1319467413849005289 = severity = error Cisco vendor

  Author:

  hostId: xxxx

  appName: mainApp

  appInstanceId: 354

  time: October 26, 2011 11:40:01 UTC offset = 60 timeZone = GMT00:00

  errorMessage: AutoUpdate exception: failed to connect HTTP [1 111] name = errSystemError

  I've included a conf 'show' and a 'facilitator stat"below.

  See the XXXXXX conf #.

  ! ------------------------------

  ! Current configuration last modified Wed Oct 26 10:48:07 2011

  ! ------------------------------

  ! Version 7.0 (6)

  ! Host:

  !     Domain keys key1.0

  ! Definition of signature:

  !     Update of the signature S604.0 2011-10-20

  ! ------------------------------

  service interface

  output

  ! ------------------------------

  authentication service

  output

  ! ------------------------------

  rules0 rules for event-action service

  output

  ! ------------------------------

  service host

  the network settings

  Host-ip 10.x.x.x/24,10.x.x.x

  hostname xxxxxx

  Telnet-option turned off

  access-list 10.x.x.x/32

  access-list 10.x.x.x/16

  access-list 10.x.x.x/32

  primary-active DNS server

  address 10.x.x.x

  output

  secondary-server DNS disabled

  tertiary-disabled DNS server

  output

  time zone settings

  offset 0

  standard time-zone-name-GMT00:00

  output

  NTP-option enabled-ntp-no authenticated

  Server NTP 10.x.x.x

  output

  Summertime-recurring option

  Summertime-zone-name GMT00:00

  Start-summertime

  last week of the month

  output

  end-summertime

  month October

  last week of the month

  output

  end-summertime

  month October

  last week of the month

  output

  output

  automatic update

  Cisco-Server enabled

  scheduling periodic-calendar option

  beginning 00:40:00

  interval 1

  output

  username xxxxxxxxxxxxxxx

  Cisco-url https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl

  output

  output

  output

  ! ------------------------------

  service recorder

  output

  ! ------------------------------

  network access service

  output

  ! ------------------------------

  notification services

  output

  ! ------------------------------

  Service signature-definition sig0

  output

  ! ------------------------------

  Service ssh-known-hosts

  output

  ! ------------------------------

  trust-certificates of service

  output

  ! ------------------------------

  web-server service

  output

  ! ------------------------------

  Service-ad0 anomaly detection

  output

  ! ------------------------------

  service interface external product

  output

  ! ------------------------------

  health-monitor service

  output

  ! ------------------------------

  service global correlation

  output

  ! ------------------------------

  aaa service

  output

  ! ------------------------------

  service-analysis engine

  vs0 virtual sensor

  Physics-interface GigabitEthernet0/1

  output

  output

  XXXXXX # host stat

  General statistics

  Last updated to host Config (UTC) = 27 October 2011 08:27:10

  Control device control Port = GigabitEthernet0/0

  Network statistics

  = ge0_0 link encap HWaddr 00:12:D9:48:F7:44

  = inet addr:10.x.x.x Bcast:10.x.x.x.x mask: 255.255.255.0

  = RUNNING UP BROADCAST MULTICAST MTU:1500 metric: 1

  = Dropped packets: 470106 RX errors: 0:0 overruns: 0 frame: 0

  = Dropped packets: 139322 TX errors: 0:0 overruns: 0 carrier: 0

  = collisions: 0 txqueuelen:1000

  = RX bytes: 40821181 (38.9 MiB) TX bytes: 102615325 (97.8 MiB)

  = Address: 0xbc00 memory: f8200000 of base-f8220000

  NTP statistics

  = distance refid st t when poll reach delay offset jitter

  = * time.xxxx.x 195.x.x.x 3 u 142 1024 377 1, 825 - 0.626 0.305

  = L LOCAL (0) LOCAL (0) 15 59 64 377 0.000 0.000 0.001

  = ind assID status conf scope auth condition last_event cnt

  = 1 43092 b644 Yes Yes No sys.peer 4 available

  = 2 43093 9044 Yes Yes No accessible release 4

  status = synchronized

  Memory usage

  usedBytes = 664383488

  freeBytes = 368111616

  totalBytes = 1032495104

  Statistics of Summertime

  Start = GMT00:00 03:00 Sunday, March 27, 2011

  end = GMT00:00 01:00 Sunday October 30, 2011

  Statistics of the processor

  Its use in the last 5 seconds = 51

  Its use during the last minute = 44

  Its use in the last 5 minutes = 50

  Memory statistics

  Use of memory (bytes) = 664383488

  Free MEMORY (bytes) = 368111616

  Auto Update Statistics

  lastDirectoryReadAttempt = 08:40 GMT00:00 Thursday, October 27, 2011

  = Reading directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl

  = Error: Auto update an exception: failed to connect HTTP [1 111]

  lastDownloadAttempt = n/a

  lastInstallAttempt = n/a

  nextAttempt = GMT00:00 09:28 Thursday, October 27, 2011

  Auxiliary processors installed

  Thank you very much.

  Your error message indicates "HTTP connection failed."

  Management interface you can access the internet via HTTP sensor?

  You have a proxy between the sensor and the internet?

  Can you ping the sensor to open internet IP addresses (like google.com)?

  -Bob

• How to tune the signatures of the AIP-SSM-20

  Hi all

  When I connect my ASA IPS module, I see a lot of signatures with risk of HEIGHT, but they are not activated (ENABLED). I dould so it is recommended to activate all these signatures risk of UPWARD in the IPS. I think that if these signatures risk rating of the TOP, then they should all be activate to combat the threat to security. It will cause performance degradation if all are activate? or it crashes a part of legitimate traffic if all are enabled to combat the thrreat?

  I'll be very grateful for your help.

  Kind regards.

  No, it's definitely not recommended to enable all the signatures on IP addresses. It will certainly be performance degradation because it is not intended to be all activated.

  The team of Cisco IPS préactivés current signatures and twist the signatures on each update of the signature, if it is considered at high risk for security. Those who have been turned off are likely to be old signatures that are more current, at this stage unless you don't not patch your hosts to end. IPS will monitor and/or block threats however, it is always the responsibility of the administrator of the host to patch hosts. IPS will only prevent and guide you to patch the end hosts.

• transparent mode with AIP-SSM-20

  I currently have an ASA5510 routed with AIP-SSM-20 mode.

  It is necessary to use a connection in optical fiber between the ASA and ASA on the campus, so the AIP - SSM will need to be removed and replaced by the SSM - 4GE.  This section should present no problems.

  However, this will remove the IPS device, and I always want to use IPS.

  So what I think is to get another ASA5510, install the AIP - SSM, configure ASA for transparent and put it between the inside of the ASA routed and my local network.  The ASA transparent would be strictly works in the form of an IPS appliance.

  The installation program should look like this:

  Internal LAN <> ASA transparent with IPS <> routed ASA <> WAN

  The AIP - SSM can always perform with the ASA in transparent mode IPS?

  Is it possible to configure the ASA and AIP - SSM such as traffic to and from a particular server completely ignores the AIP - SSM?

  I have a couple of file servers which generate heavy traffic and can overload the AIP - SSM.

  Kind regards.

  AFAIR, it is no installation AIP in a transparent firewall problem.

  "The SAA in transparent mode can execute an agreement in principle.  In the event that the AIP fails,

  the IPS will fail-open and the ASA will continue to pass traffic.
  
  However, if an interface or cable fails, then traffic will stop.  You
  
  would need a failover pair to account for this failure event, which
  
  means another ASA and matching AIP."
  
  

  And no there is no problem to exclude certain hosts/ports/subnets inspection by IPS via MPF.

  http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/IPS.html#wp1050744

  What I consider however is however if the ASA 5510 as second level firewall for 5520 s will be enough.

  http://www.Cisco.com/en/us/products/ps6120/prod_models_comparison.html

  HTH,

  Marcin

• ASA5510 and AIP-SSM-10 module in promiscuous mode

  Hello

  I have a 5510 ASA with the AIP-SSM-10 and want to use just like an ID in promicuous mode.

  ASA 5510: ASA version 7.0 (8)

  AIP-SSM-10: IPS version 5,0000 E2

  At this point, we would like to configure a single interface of ASA to send traffic to the agreement in principle for the inspection of IDS (and continue to use our firewalls third existing). Is this possible?

  The following discussion gives to think this isn't:

  https://supportforums.Cisco.com/message/957351

  22.1.100.2/28 I have it configured on the interface Eth0/0 (outside) and 10.5.100.3/24 on the AIP - SSM management interface and switchports (Cisco 6509) have been configured by SPAN.

  Thanks for your advice in advance.

  Kind regards

  Lay

  You are right. Unfortunately, module AIP on ASA firewall does not listen on traffic SPAN. If you want that SPAN ports, then you can use the IPS (IPS 4200 series appliance) appliance that supports the SPAN traffic to inspect.

  PIX is also a firewall, not a feature of IPS, which cannot be used as an IPS device.

• AIP - SSM maintenance of Configuration in Active mode Stdby

  So, I'm pretty new to the AIP - SSM but not for the ASA. It seems that very few of the AIP module configuration gets copied to the AIP Stdby, nothing else that what appears in the config of the ASA (ACL, etc.). Thus, all elements of specific configuration for the module itself must be manually reproduced on Stdby module, either entered hand or config copies moved between the two?

  Planned in the future.

• AIP - SSM recreate the image in secondary ASA 5500 (failover) with virtual contexts

  Hello guys,.

  The scenario is as follows:

  2 ASA 5500 with virtual contexts for failover.

  The ASA elementary school has the work of the AIP-SSM20.

  ASA school (which is in active / standby) has its SSM20 AIP to work now and everything is in production.

  Someone tried to configure this 2nd AIP - SSM, changed the password and lost, so I tried to re - the image (without authorized passage recovery), but the connection fails on the TFTP server, where is the image of the AIP - SSM.

  Now questions, documentation Cisco re-imaging view orders under ASA #.

  but as this scenario has several virtual contexts the ASA # shell contains no IP address as you know (which I suppose is the reason why the ASA cannot download the image from the TFTP server) and switch to another context (ASA / admin #) re-imaging commands do not work (hw-module module 1... etc...).

  What is the solution? Is there documentation for it (with security contexts)?

  Thank you very much for reading ;) comment on possible solutions.

  Yes,

  Some things to keep in mind.

  (1) run 'debug module start' on the SAA before running the command "hw-module module 1 recover boot. This will show you the ROMMON of the MSS output as it tries to make the new image and you can look for any errors.

  (2) before trying to download from the SSM, first use a machine separate download tftp from your laptop. This will ensure the TFTP on your laptop works and confirm what directory (if any) that you can use as the file location.

  (3) if the tftp download does not SSM, then the SSM is unable to properly connect to your laptop. You need a crossover cable to connect your laptop to the SSM. If you have a crossover cable, then you could try to connect the MSS and your laptop to a small hub, or configure a new vlan on your switch with only 2 ports and connect the MSS and your computer laptop this vlan 2 port.

  (4) also try the download first at the end of the gateway to 0.0.0.0 since your laptop and the SSM will be on the same subnet. If this does not work then you can try a non-existent 30.0.0.4 address as gateway.

  (5) understand that the IP address that you specify for the MSS using the command "configure the hw-module module 1 recover" is just temporary for download. Once an image is installed, then sitting at the module and run the "setup" command in order to configure the permanent address you want ure on external port of the SSM. This address in the "setup" command can the same as that used in the command 'get the 1 hw-module module configure' or a completely new (as in your case). Just make sure that you connect to the network just to what address you give.