Upgrading the AIP-SSM-10 in an ASA 5510
Hello
I want to upgrade the IPS module in an ASA 5510, and I have a few questions. The AIP-SSM is running E3 479.0 1.0000 and I have a valid CCO account etc. for this.
- Which version of the ASA software does this depend on?
- When I look in the software downloads for IPS there are .pkg and .img files. I want to upgrade to 6.3(3)E4. Do I have to re-image the IPS?
- AFAIK re-imaging wipes the device, so I just reload the config afterwards, right?
- I guess I can apply any update after going to E4?
- Can you give me links for this upgrade?
See you soon
see you soon
Let me give some clarification on a few points:
2. There is no need to re-image the device using the .img file. You can upgrade using the .pkg file, which preserves your existing configuration. That is the recommended method for upgrading Cisco IPS devices/modules. The .img re-image file should only be used to restore the device to factory defaults.
5. Here are links for upgrading the sensor using a .pkg file. For upgrades through the IDM user interface:
For upgrades via the CLI:
Another point of clarification: the current IPS software releases supported on the AIP-SSM-10 are (taking into account that you are currently running 6.2(1)E3):
6.2(3)E4
7.0(4)E4
You can go directly to either release.
Scott
Tags: Cisco Security
Similar Questions
-
Automatic update of AIP-SSM-10 and ASA 5510 (Beginner)
I see that it is possible to automate the updates of the ASA 5510 and AIP-SSM via FTP from my own server. Is it possible to automate the download directly from Cisco.com?
Thank you!
Jeremy
Jeremy, the answer to your question is yes, as far as the Cisco products are concerned. I wrote a Perl app that does exactly that, and I published an article about it in the June 2007 issue of Sys Admin magazine. Here's the article online: http://www.samag.com/documents/s=10128/sam0706a/0706a.htm
It is also on my site, with a tarball of the scripts:
http://www.LHB-consulting.com/pages/apps/index.html
Good luck.
-Lisa
-
The AIP-SSM connected to an unused ASA interface
Hi people,
Perhaps someone has already raised this issue, but I was unable to find anything relevant. We have an ASA with an unused interface (gig0/3). The AIP-SSM sensor is physically connected to this interface with the following IP settings:
Sensor (192.168.2.2/30, gateway 192.168.2.1) --- ASA interface (192.168.2.1/30)
It's basically point-to-point connectivity, and I can reach the ASA from the sensor and the other way around.
This design is dictated by the lack of a free port on the switch.
Technically it should work without any problems, but I can't seem to reach the sensor. There is a switch between my PC and the sensor, and the switch has the corresponding static route added. I can reach the sensor from the switch.
Is there a hidden security feature I don't know about that prevents communication with the sensor?
The sensor's ACL allows traffic from all networks (0.0.0.0/0).
With the sensor ACL set to 0.0.0.0/0, the sensor should be allowing the connectivity.
You can use the 'packet display' command on the sensor to look at packets on the command and control interface to see whether the packets are even making it to the sensor.
You say that you have a static route on your switch so the switch can reach your sensor. Do you know whether your PC is configured to use the switch as its default router? If the PC uses a different default router, then that other router will also need the static route.
The other possibility is that the ASA itself may be denying the traffic.
Since this is an ASA interface connected to the SSM, the traffic has to be routed through the ASA. Standard firewall rules apply to this traffic. The security levels of the interfaces can block it, and an ACL may be necessary to allow traffic from your PC to be routed to the SSM.
NOTE: If you don't want to have to worry about routes, the other alternative is to make the network between the ASA and the SSM an isolated network that only those 2 machines know about.
You can then use static PAT to map a port on the ASA's inside interface address to the SSM address's HTTPS port 443, and map a second port of the ASA inside interface address to the SSM address's SSH port.
Your PC would then simply connect to the ASA's inside IP on those specific ports, and the ASA would do the port translation and forward the traffic to the SSM.
The SSM address could also be dynamically PATed behind the ASA's inside address, so the SSM could initiate connections to other machines on the inside network.
Another alternative, if you have IP addresses available on your inside network, is to use static NAT instead of PAT: just have the ASA statically map an IP on the inside network to the SSM's IP on the network that only the ASA and the SSM know about.
In both cases the network between the ASA and the SSM would not be routable at all, and you wouldn't have to worry about replicating static routes anywhere.
SIDE NOTE: A separate network for the SSM also means you will need to NAT or PAT the SSM's address on the ASA's outside interface. That way the SSM will be able to connect to the Internet to download auto-updates from cisco.com and/or pull global correlation information from Cisco's servers. It's probably the same configuration you already have for other internal addresses; just make sure you cover the SSM, since it is on a separate subnet.
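One way to build the isolated-network alternative described in the answer above, as an added example that is not the answerer's own configuration. The interface name "ssm", its security level, the inside network 10.1.1.0/24, the mapped ports 8443 and 2222 and the pre-8.3 NAT syntax are all assumptions; on ASA 8.3 and later the static/nat/global lines have to be rewritten with network objects.

```cisco
! Added example, not from the original thread. Assumes the SSM's external
! port is cabled to gig0/3 on a /30 that nothing else routes to, and that the
! SSM was given 192.168.2.2 with gateway 192.168.2.1 via "setup".
interface GigabitEthernet0/3
 nameif ssm
 security-level 50
 ip address 192.168.2.1 255.255.255.252
!
! Static PAT: inside hosts reach IDM (443) and SSH (22) on the SSM through
! two otherwise unused ports on the ASA's inside interface address.
! inside (100) -> ssm (50) is higher-to-lower security, so no inbound ACL
! is required on "inside" for this to flow.
static (ssm,inside) tcp interface 8443 192.168.2.2 443 netmask 255.255.255.255
static (ssm,inside) tcp interface 2222 192.168.2.2 22 netmask 255.255.255.255
!
! Source addresses are not translated, so the sensor's own access-list must
! still admit the inside network (10.1.1.0/24 is an assumed value):
!   sensor(config-hos-net)# access-list 10.1.1.0/24
!
! Dynamic PAT so the SSM can reach cisco.com for auto-updates and global
! correlation, hidden behind the outside interface address.
nat (ssm) 1 192.168.2.2 255.255.255.255
global (outside) 1 interface
!
! Verification, after connecting from an inside host to
! https://<inside-interface-ip>:8443 and ssh -p 2222 <inside-interface-ip>:
!   show xlate | include 192.168.2.2
!   show conn address 192.168.2.2
```

Because the /30 is never advertised, nothing on the inside needs a route to 192.168.2.0/30; only the ASA knows it, which is the point of the answer's "isolated network" suggestion.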
-
AIP-SSM upgrade for ASA active/active
Hello world!
I need help upgrading the AIP-SSM modules to E4 on two ASAs that are in an active/active state. Will I be able to do this without downtime? What are the considerations?
The AIPs are independent of ASA failover; however, the ASA can take the status of the AIP into account in its failover decision, which means it can fail over if it detects the AIP module going down on the active device.
The best method for upgrading in this situation is to set the failover status to active for all groups on the primary ASA, then upgrade the AIP in the secondary ASA.
Once the secondary AIP is completely upgraded and functional, set all groups to be active on the secondary ASA.
Then upgrade the primary AIP.
Once the primary AIP is completely upgraded and working, you can then restore the failover status of the ASAs by setting failover active for each group on the specific ASA you want it to be active on.
Kind regards
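The .pkg upgrade path described in Scott's answer at the top of the page, carried out in the failover order given in the answer above, as an added example rather than the posters' own commands. The FTP server 10.1.1.50, the account ipsadmin, the package IPS-K9-7.0-4-E4.pkg, the hostnames asa-pri/asa-sec, the module slot 1 and the use of two failover groups are all assumptions.

```cisco
! Added example, not from the original thread. Assumes active/active failover
! with groups 1 and 2, the AIP in slot 1, and an FTP server reachable from
! each sensor's management interface.
!
! 1. On the primary ASA, make every failover group active here so the
!    secondary unit carries no traffic while its AIP is upgraded.
asa-pri# failover active group 1
asa-pri# failover active group 2
asa-pri# show failover | include Group|State
!
! 2. Session into the secondary ASA's AIP and apply the .pkg. The upgrade
!    keeps the sensor configuration (a .img re-image would wipe it) and the
!    sensor reboots to apply a major release, so the module shows as down
!    for a while; that is harmless because no groups are active on this unit.
asa-sec# session 1
sensor# configure terminal
sensor(config)# upgrade ftp://ipsadmin@10.1.1.50//images/IPS-K9-7.0-4-E4.pkg
sensor(config)# exit
sensor# show version
sensor# exit
!
! 3. Confirm the ASA sees the module back up before moving traffic to it.
asa-sec# show module 1 details
!
! 4. Move all groups to the secondary and repeat step 2 on the primary's AIP.
asa-sec# failover active group 1
asa-sec# failover active group 2
!
! 5. Restore the intended distribution of groups once both AIPs are up.
asa-pri# failover active group 1
asa-sec# failover active group 2
```

Run step 3 on whichever unit was just upgraded before issuing the next `failover active group` command; moving a group onto a unit whose module still reports Down is exactly the situation the answer warns can trigger another failover.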
-
Does reloading the AIP-SSM module affect the ASA?
Exactly. If you don't have a policy-map using the SSM module, then you can reload the SSM module and it does not affect the traffic passing through the ASA. For more information, here is a link with details on how to configure the ASA to use the SSM module:
Hope that helps.
Kind regards
Maryse.
-
I have just set up an AIP-SSM module in an ASA 5520 with a single security context.
Do I need to configure virtual sensors in this case, or can I use the default vs0? The IPS documentation says "You cannot change the signature definition, event action rules, or anomaly detection policies" for the default virtual sensor (vs0), which is the only virtual sensor I have.
Can someone clarify what this means? Does it somehow restrict the usefulness of the IPS if I don't set up a separate VS?
Thank you very much.
A single virtual sensor vs0 is perfectly fine, especially when monitoring only a single security context.
The statement that you cannot change the signature definition, event action rules or anomaly detection policies can be a little misleading.
What it is trying to say is that you cannot create new policies such as sig1, rules1 and ad1 and try to apply them to vs0. The default vs0 must use sig0, rules0 and ad0.
If you create a new vs1, then you can apply new policies like sig1, rules1 and ad1 to that new vs1.
This does NOT mean that you cannot make configuration changes in sig0, rules0 and ad0.
So feel free to make configuration changes to sig0, rules0 and ad0 to fine-tune how your vs0 should handle the traffic.
It's just the policy names that cannot be changed when you use vs0.
-
Do I need two AIP-SSM modules in a failover configuration?
Is it possible to use a single AIP-SSM module with two ASAs configured in active/standby?
I would like to configure the module in the first ASA with the failover setting. Then, if the first ASA fails, I could physically remove the AIP-SSM module and place it in the second ASA.
Would there be problems configuring it this way?
Would the active/standby ASAs complain that there is only one AIP-SSM module?
Thanks in advance.
Hello
You must have an AIP-SSM in both ASAs in order to run failover; without it failover will not come up (because of the hardware mismatch).
Kind regards
Julio
-
Cisco ASA 5510 + license + AIP - SSM
Hello.
I have this box.
I have a few questions about it.
(1) Will I be able to update the firmware (from 8.2 to 8.3 or higher, for example) without SMARTnet for the ASA 5510? And what can't I do without SMARTnet?
(2) I only have the AIP-SSM-10 module in this ASA 5510. Is there a SMARTnet for it too? And when I buy just the module, does it include a 1-year subscription for the IPS signatures?
(3) If I have the Cisco ASA 5510 Base license, will my IPS on the AIP-SSM-10 work?
(4) As I plan to purchase another 5510 with the same module within the year and set up failover: do I really need the Security Plus license for failover (active/standby)? For active/active I know I need one, yes?
Please help me.
(1) You need SMARTnet in order to download the software from the cisco.com download site.
(2) Yes, there is also a SMARTnet for the AIP module. The AIP module does not come with a one-year subscription, but you can ask for a demo license.
(3) Yes, the Base license is OK for the AIP module.
(4) Yes, you need the Security Plus license on both ASAs to be able to run any type of failover on the ASA 5510.
Hope that answers your questions.
-
I'm new to network administration and our company has an ASA 5510 with an AIP-SSM-10 card. In the ASA interface, when I try to load Intrusion Prevention, it says the following:
"For IPS 5.1(1) S205.0, use the link below to access the IPS Device Manager. (If the SSM management IP address or port is translated, replace them accordingly in the URL below.) IPS 6.0.1 or above will be fully integrated with ASDM."
Unfortunately, no URL is displayed below this message and there is no documentation in the company for this configuration. Is there a way to reset the AIP without resetting the ASA? How can I find its IP address so I can configure it?
From the ASA CLI you can check the IP address of the AIP module:
show module 1 details
It will show you the management IP address of the module, and you can then browse to https://<that address> from your PC.
-
Not getting traffic from the ASA to the AIP-SSM-20
Hello
We have a Cisco ASA 5510 and recently added a Cisco AIP-SSM. We have configured the sensor and the ASA as well, but we don't get any logs in IDM. Please help me with this.
Please find attached the sensor configuration and the versions of the IPS module and the ASA.
Kind regards
Nathalie. M
On the ASA, you need
! permit, not deny: a deny entry in a class-map ACL excludes traffic from the class,
! so "deny ip any any" would send nothing to the module
access-list aip-acl extended permit ip any any
class-map aip-class
 match access-list aip-acl
policy-map global_policy
 class aip-class
  ips inline fail-open
service-policy global_policy global
so that it sends traffic to the AIP for inspection.
I hope it helps.
PK
-
Hello
I have a client running 2 ASAs, each fitted with an AIP-SSM. The IPS is on 6.1(1)E3 software and I would like to upgrade to the latest.
I'm looking through the download sections and have read the minimum requirements for 7.0(7)E4, but I cannot find the file to download for the AIP-SSM.
NOTE: The IPS-AIM-K9-7.0-7-E4.pkg upgrade file can only be used to upgrade AIM-IPS sensors. The IPS-NME-K9-7.0-7-E4.pkg upgrade file can only be used to upgrade NME-IPS sensors. For all other supported sensors, use the IPS-K9-7.0-7-E4.pkg upgrade file.
Every E4 upgrade image I look at is only IPS-K9-<version>, and the description says all supported platforms except AIM-IPS and NME-IPS. Can someone help me find the right image for the upgrade?
This is where I am currently looking:
Intrusion Prevention System (IPS) system upgrades - 7.0(2)E4
Hello
Please use IPS-K9-7.0-7-E4.pkg for your AIP-SSM. This version is supported on all IPS platforms except the two modules for Cisco ISR routers: AIM-IPS and NME-IPS.
Thank you
Alla
-
Signature auto-update failing on the AIP-SSM-10
I hope someone can help me: I am unable to get the signature auto-update working on our ASA 5510 IPS. We have a valid support contract, our user name does not include any special characters, and I am able to download the signature files from the site using our CCO login.
When trying to update via auto-update from cisco.com, I get the following in the event log on each update attempt:
evError: eventId=1319467413849005289 vendor=Cisco severity=error
  originator:
    hostId: xxxx
    appName: mainApp
    appInstanceId: 354
  time: October 26, 2011 11:40:01 UTC offset=60 timeZone=GMT00:00
  errorMessage: AutoUpdate exception: HTTP connection failed [1 111] name=errSystemError
I've included a 'show conf' and a 'show statistics host' below.
XXXXXX# show conf
! ------------------------------
! Current configuration last modified Wed Oct 26 10:48:07 2011
! ------------------------------
! Version 7.0(6)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S604.0   2011-10-20
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.x.x.x/24,10.x.x.x
host-name xxxxxx
telnet-option disabled
access-list 10.x.x.x/32
access-list 10.x.x.x/16
access-list 10.x.x.x/32
dns-primary-server enabled
address 10.x.x.x
exit
dns-secondary-server disabled
dns-tertiary-server disabled
exit
time-zone-settings
offset 0
standard-time-zone-name GMT00:00
exit
ntp-option enabled-ntp-unauthenticated
ntp-server 10.x.x.x
exit
summertime-option recurring
summertime-zone-name GMT00:00
start-summertime
week-of-month last
exit
end-summertime
month october
week-of-month last
exit
exit
auto-upgrade
cisco-server enabled
schedule-option periodic-schedule
start-time 00:40:00
interval 1
exit
user-name xxxxxxxxxxxxxxx
cisco-url https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
exit
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
exit
! ------------------------------
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit
XXXXXX# show statistics host
General Statistics
   Last Change To Host Config (UTC) = 27-Oct-2011 08:27:10
   Command Control Port Device = GigabitEthernet0/0
Network Statistics
   = ge0_0     Link encap:Ethernet  HWaddr 00:12:D9:48:F7:44
   =           inet addr:10.x.x.x  Bcast:10.x.x.x  Mask:255.255.255.0
   =           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
   =           RX packets:470106 errors:0 dropped:0 overruns:0 frame:0
   =           TX packets:139322 errors:0 dropped:0 overruns:0 carrier:0
   =           collisions:0 txqueuelen:1000
   =           RX bytes:40821181 (38.9 MiB)  TX bytes:102615325 (97.8 MiB)
   =           Base address:0xbc00 Memory:f8200000-f8220000
NTP Statistics
   =      remote           refid      st t when poll reach   delay   offset  jitter
   = *time.xxxx.x     195.x.x.x        3 u  142 1024  377    1.825   -0.626   0.305
   =  LOCAL(0)        LOCAL(0)        15 l   59   64  377    0.000    0.000   0.001
   =   ind assID status  conf reach auth condition  last_event cnt
   =     1 43092  b644   yes   yes  none  sys.peer   reachable  4
   =     2 43093  9044   yes   yes  none   reject    reachable  4
   status = Synchronized
Memory Usage
   usedBytes = 664383488
   freeBytes = 368111616
   totalBytes = 1032495104
Summertime Statistics
   start = GMT00:00 03:00 Sunday, March 27, 2011
   end = GMT00:00 01:00 Sunday, October 30, 2011
CPU Statistics
   Usage over last 5 seconds = 51
   Usage over last minute = 44
   Usage over last 5 minutes = 50
Memory Statistics
   Memory usage (bytes) = 664383488
   Memory free (bytes) = 368111616
Auto Update Statistics
   lastDirectoryReadAttempt = 08:40 GMT00:00 Thursday, October 27, 2011
   =   Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
   =   Error: AutoUpdate exception: HTTP connection failed [1 111]
   lastDownloadAttempt = N/A
   lastInstallAttempt = N/A
   nextAttempt = GMT00:00 09:28 Thursday, October 27, 2011
Auxiliary Processors Installed
Thank you very much.
Your error message indicates "HTTP connection failed."
Can the sensor's management interface reach the Internet via HTTP?
Do you have a proxy between the sensor and the Internet?
Can you ping public Internet IP addresses (like google.com) from the sensor?
-Bob
-
(ASA) AIP-SSM-10 inline; promiscuous-mode events?
An ASA 5520 with an AIP-SSM-10 is set to inline mode, but the events for the last 2 hours (sensor> show events past 02:00) on the sensor show "entered promiscuous mode" and "left promiscuous mode".
This AIP-SSM-10 has only gig0/0 and gig0/1, where gig0/0 is used for command and control and the default virtual sensor (vs0) is assigned to gig0/1. I see statistics (sensor> show statistics analysis-engine) for gig0/1, so I am collecting statistics.
If the ASA 5520 configuration has the following inline policy and the event log shows entering and leaving promiscuous mode, how do I check whether I am inspecting in inline mode?
ASA> sh run access-list IPS
access-list IPS extended permit ip DMZ 255.255.255.0 26.26.1.0 255.255.255.0
ASA> sh run | b class-map
class-map IPS
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect waas
  inspect icmp
 class IPS
  ips inline fail-open
!
service-policy global_policy global
sensor> sh interfaces
...
MAC statistics from interface GigabitEthernet0/1
   Interface function = Sensing interface
   Description =
   Media Type = backplane
   Default Vlan = 0
   Inline Mode = Unpaired
   Pair Status = N/A
   Hardware Bypass Capable = No
   Hardware Bypass Paired = N/A
   Link Status = Up
   Link Speed = Auto_1000
   Link Duplex = Auto_Full
   Missed Packet Percentage = 0
   Total Packets Received = 95044
   Total Bytes Received = 8715230
   Total Multicast Packets Received = 0
   Total Broadcast Packets Received = 0
   Total Jumbo Packets Received = 0
   Total Undersize Packets Received = 0
   Total Receive Errors = 0
   Total Receive FIFO Overruns = 0
   Total Packets Transmitted = 95044
   Total Bytes Transmitted = 9047702
   Total Multicast Packets Transmitted = 0
   Total Broadcast Packets Transmitted = 0
   Total Jumbo Packets Transmitted = 0
   Total Undersize Packets Transmitted = 0
   Total Transmit Errors = 0
   Total Transmit FIFO Overruns = 0
sensor> sh events past 02:00
evStatus: eventId=1203360411830836145 vendor=Cisco
  originator:
    hostId: ASA2_IPS
    appName: kernel
    appInstanceId:
  time: 2008-02-20 19:01:46 2008/02/20 19:01:46 UTC
  syslogMessage:
    description: device ge0_1 entered promiscuous mode
evStatus: eventId=1203360411830836146 vendor=Cisco
  originator:
    hostId: ASA2_IPS
    appName: kernel
    appInstanceId:
  time: 2008-02-20 19:01:53 2008/02/20 19:01:53 UTC
  syslogMessage:
    description: device ge0_1 left promiscuous mode
The "entered promiscuous mode" and "left promiscuous mode" status events are usually generated when you run a 'packet display' or 'packet capture' command on the sensor CLI.
The packet command monitors promiscuously, but it is independent of whether the sensor's analysis engine is monitoring promiscuously or inline.
You can have inline monitoring by the analysis engine
and still run the packet command on the CLI for your own promiscuous viewing of those same packets. They are 2 independent monitors of the same packets.
If I remember right, inline-monitored packets always get sent back to the ASA (unless expressly denied), which is not the case for promiscuously monitored packets. So check the sensor's gig0/1 interface statistics and the number of packets transmitted. If the receive and transmit counts are quite close, then the packets are being monitored inline by the analysis engine. If the transmit count is zero or very low, then the packets are likely being monitored promiscuously.
With your ASA configuration you are correctly configured for inline monitoring.
So I don't think there is a problem with your inline monitoring; the status messages are specific to your starting and stopping of the 'packet' command on the CLI for your own independent promiscuous packet viewing.
-
AIP-SSM re-image in secondary ASA 5500 (failover) with virtual contexts
Hello guys,
The scenario is as follows:
2 ASA 5500s with virtual contexts for failover.
The primary ASA has a working AIP-SSM20.
The secondary ASA (which is in active/standby) needs its AIP-SSM20 working now, and everything is in production.
Someone tried to configure this 2nd AIP-SSM, changed the password and lost it, so I tried to re-image it (password recovery is not allowed), but the connection to the TFTP server, where the AIP-SSM image is, fails.
Now the questions: the Cisco documentation shows the re-imaging commands under ASA#,
but as this scenario has several virtual contexts, the ASA# shell contains no IP address, as you know (which I suppose is the reason the ASA cannot download the image from the TFTP server), and after switching to another context (ASA/admin#) the re-imaging commands do not work (hw-module module 1 ... etc.).
What is the solution? Is there documentation for it (with security contexts)?
Thank you very much for reading ;) Please comment on possible solutions.
Yes.
Some things to keep in mind.
(1) Run 'debug module-boot' on the ASA before running the command 'hw-module module 1 recover boot'. This will show you the SSM's ROMMON output as it tries to pull the new image, and you can look for any errors.
(2) Before trying the download from the SSM, first use a separate machine to do a TFTP download from your laptop. This will ensure the TFTP server on your laptop works and confirm which directory (if any) you need to use in the file location.
(3) If the TFTP download from the SSM does not work, then the SSM is unable to properly connect to your laptop. You need a crossover cable to connect your laptop to the SSM. If you don't have a crossover cable, you could try connecting the SSM and your laptop to a small hub, or configure a new VLAN on your switch with only 2 ports and connect the SSM and your laptop to that 2-port VLAN.
(4) Also try the download first with the gateway set to 0.0.0.0, since your laptop and the SSM will be on the same subnet. If this does not work, then you can try a non-existent address such as 30.0.0.4 as the gateway.
(5) Understand that the IP address you specify for the SSM with the 'hw-module module 1 recover configure' command is just temporary for the download. Once the image is installed, session to the module and run the 'setup' command to configure the permanent address you want on the external port of the SSM. The address in 'setup' can be the same as the one used in 'hw-module module 1 recover configure' or a completely new one (as in your case). Just make sure that you connect it to the right network for whatever address you give it.
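The recovery sequence from the answer above, written out as an added example rather than the answerer's own session. The image name IPS-SSM-K9-sys-1.1-a-7.0-7-E4.img, the TFTP server 192.168.2.10, the temporary SSM address 192.168.2.2 and the slot number 1 are assumptions. The one point specific to the original question is that on a multiple-context ASA these hw-module commands belong to the system execution space, and the download is performed by the SSM's own external management port, not by any ASA interface, which is why the system space having no IP address does not matter.

```cisco
! Added example, not from the original thread. Assumes the TFTP server is
! cabled directly (crossover, hub or 2-port VLAN) to the SSM's external port.
ASA/admin# changeto system
ASA# hw-module module 1 recover configure
Image URL [tftp://0.0.0.0/]: tftp://192.168.2.10/IPS-SSM-K9-sys-1.1-a-7.0-7-E4.img
Port IP Address [0.0.0.0]: 192.168.2.2
VLAN ID [0]: 0
Gateway IP Address [0.0.0.0]: 0.0.0.0
!
! Turn on ROMMON output from the module before starting, then boot into
! recovery; watch for "TFTP: ... timed out" style errors in the debug output.
ASA# debug module-boot
ASA# hw-module module 1 recover boot
!
! Once the module reports Up, session in and assign the permanent management
! address with setup (it need not match the temporary 192.168.2.2).
ASA# show module 1 details
ASA# session 1
sensor# setup
```

If the debug shows the module sending TFTP requests but getting no reply, the problem is on the laptop/TFTP side, which is what step (2) in the answer is meant to rule out first.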
-
The ACE IPS Cisco and Cisco ASA AIP - SSM (IPS)
Is there a difference between the features offered by the Cisco ACE IPS and the Cisco ASA AIP-SSM (IPS) devices?
Can we do without the Cisco ASA AIP-SSM (IPS) by 'only' configuring/implementing the Cisco ACE IPS?
Cisco AVS/ACE focuses on delivering and securing web-based applications. IPS does not focus only on web applications and tries to cover multiple layers of the OSI stack. Think of the IPS as a general practitioner and the ACE/AVS as an eye surgeon, or something like that :)
Here is the response from Cisco itself:
Q: How does the Cisco AVS Application Firewall differ from an intrusion prevention system (IPS)?
A: IPSs are solid solutions for protecting against attacks targeting known vulnerabilities in major platforms such as Windows, Solaris, Apache or Microsoft Internet Information Services (IIS). Cisco AVS excels at protecting against attacks targeting Web sites or enterprise applications. These applications can be custom-built internal applications or vendor software. Signatures and security patches are generally not available for these types of applications, and building these security layers into each application would be almost impossible.
Q: How does the Cisco AVS Application Firewall differ from a network firewall?
A: The Cisco AVS 3120 and network firewalls such as the Cisco PIX® and Cisco ASA 5500 Series Adaptive Security Appliances are complementary products. The Cisco AVS Application Firewall secures Web applications; network firewalls excel at network security, and the Cisco AVS provides defense in depth for Web applications.
Network firewalls apply policy to networks, IP addresses and ports; they have a wide range of application-layer features for many different protocols. Firewalls can and will be deployed in many locations, including the Internet edge, the enterprise network edge, branches, etc. Cisco AVS enforces policy on HTTP data such as URLs, headers and parameters. Cisco AVS is deployed in the data center in front of Web applications.
Concerning
Farrukh