AIP-SSM configuration assistance

I have two questions regarding the AIP-SSM.
1) Does the ACL on AIP-SSM have any type of relations to the ASA ACL?
2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?
3) Should then the management interface be used as the gateway for the SSM?
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 65.x.x.1 255.255.255.0 standby 65.x.x.2
interface GigabitEthernet0/1
nameif dmz
security-level 50
ip address 172.16.x.1 255.255.255.0 standby 172.16.x.2
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
interface Management0/0
speed 100
duplex full
nameif management
security-level 100
ip address 10.0.x.1 255.255.255.0 standby 10.0.x.2
management-only

Here are the answers to your questions-
1) Does the ACL on AIP-SSM have any type of relations to the ASA ACL?
Ans) No. ACL on SSM is completely independent of ACLs on ASA.
2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?
Ans) Absolutely. You can assign the management port of SSM an IP in the same subnet as your management interface. That way all management traffic will be kept independent of normal DATA traffic.
3) Should then the management interface be used as the gateway for the SSM?
Ans) You are right .. :-)
Hope that helps.
Regards,
Vibhor.
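As an added illustration of the three answers above (not part of the original thread), this is the matching sensor-side setup on the IPS CLI of a 6.x/7.x AIP-SSM, reached with "session 1" from the ASA. The sensor address 10.0.x.3/24 and the gateway 10.0.x.1 are assumed from the ASA's Management0/0 configuration above; the management workstation 10.0.x.50 is a constructed placeholder. The access-list entered here is the SSM's own management ACL from answer 1: it is evaluated by the sensor, limits which hosts may open SSH/HTTPS to it, and has no relation to any access-list on the ASA.

```cisco
! Added example: IPS CLI on the AIP-SSM (sensor prompt), not ASA configuration.
! Assumed values: sensor IP 10.0.x.3/24, gateway 10.0.x.1 (ASA Management0/0),
! management workstation 10.0.x.50 (constructed placeholder).
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
! host-ip takes "address/prefix,gateway": the ASA management interface is the gateway
sensor(config-hos-net)# host-ip 10.0.x.3/24,10.0.x.1
! The SSM's own management ACL (independent of ASA ACLs): only listed hosts/subnets
! may reach the sensor's management services. Keep it to the management stations.
sensor(config-hos-net)# access-list 10.0.x.50/32
! Telnet is cleartext; leave it off and manage over SSH/HTTPS only
sensor(config-hos-net)# telnet-option disabled
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes?[yes]: yes
sensor(config)# exit
! Confirm the sensor can reach its gateway on the management subnet
sensor# ping 10.0.x.1
```

Because the SSM's external management port is cabled to the management VLAN rather than routed through the ASA data interfaces, the ASA's "management-only" setting on Management0/0 keeps sensor management traffic off the production interfaces, which is the separation the answer describes.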

Similar Messages

  • AIP-SSM configured with event action "produce alert", but it drop packets

Hi, I configured an AIP-SSM IPS on event action for "Produce Alert", but when a signature fires, it drops the packets. So, what will be the problem?

    Try these links:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/cliguide/clievact.htm#wp1034058
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
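An added note and example, not part of the original thread: in inline mode the sensor applies the event action overrides of its rules set on top of each signature's own configured actions, and the default rules set ships with a deny-packet-inline override for risk rating 90 to 100. That override is the usual reason a signature set to "produce alert" still drops packets. The IPS 6.x/7.x CLI below shows how to inspect that override and, for a monitoring-only tuning phase, disable it or narrow its range; "rules0" is the default rules set name, and the prompts are assumed from the standard IPS CLI.

```cisco
! Added example, not from the original thread. IPS 6.x/7.x CLI on the AIP-SSM;
! "rules0" is the default event action rules set name.
sensor# configure terminal
sensor(config)# service event-action-rules rules0
! Inspect the overrides that are applied on top of each signature's own actions
sensor(config-rul)# show settings
! The default deny-packet-inline override (risk rating 90-100) drops packets in inline
! mode regardless of the per-signature "produce alert" setting. To observe only:
sensor(config-rul)# overrides deny-packet-inline
sensor(config-rul-ove)# override-item-status disabled
sensor(config-rul-ove)# exit
sensor(config-rul)# exit
Apply Changes?[yes]: yes
! Alternative that keeps a safety net: leave the override enabled but restrict it
! to the very highest risk ratings while the signature set is being tuned.
sensor(config)# service event-action-rules rules0
sensor(config-rul)# overrides deny-packet-inline
sensor(config-rul-ove)# override-item-status enabled
sensor(config-rul-ove)# risk-rating-range 95-100
sensor(config-rul-ove)# exit
sensor(config-rul)# exit
Apply Changes?[yes]: yes
```

When checking why a particular packet was dropped, compare the event's risk rating in the alert with the override range above; an alert with risk rating 90 or more was dropped by the override, not by the signature's own action list.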

  • AIP-SSM Configuration Maintenance in Active Stdby modes

So, I'm pretty new to the AIP-SSM but not to ASAs. It appears that very little of the AIP module config gets copied over to the Stdby AIP, nothing other than what appears in the ASA config (ACLs, etc.). So, do all the config elements particular to the module itself have to be manually reproduced on the Stdby module, either by hand entry or config copies moved between the two?

    So in Active/Standby scenarios with AIP-SSM, what is the reasoning for not having a feature for automatically copying over module config changes as with the ASA config?
    If there is no good reason, is it on the AIP-SSM road map to provide this feature?
This can be a real pain in the arse for complex IPS configs. You have to do everything twice, and right away, so you won't miss anything should the ASAs flip.

  • AIP-SSM configuration / blocking SMTP

    Hi all,
I need some help regarding a deployment of an IPS module on an ASA. I configured it in transparent mode, with the intention to only monitor the traffic going through the module. Otherwise after applying the policy and putting it in operation, it started blocking SMTP and ICMP traffic. Here follows the configuration applied to it:
    class-map outside-class
    match any
    policy-map outside-policy
    class outside-class
    ips promiscuous fail-open
    service-policy outside-policy interface outside
    Is there anything else I should consider to put this module just monitoring the traffic instead of having it denying any traffic?
    Thanks in Advance

    You may need to create an access-list permitting all traffic, and then apply the access-list to both interfaces in both directions (in and out).
    This will ensure connections can go from the lower security zone to the higher as well as from the higher security zone to the lower.
    You may also need to add icmp permit lines to permit icmp traffic through each interface.

  • Transparent mode with AIP-SSM-20

    I currently have an ASA5510 in routed mode with an AIP-SSM-20.
    There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE.  This part should present no issue.
    However, this will remove the IPS device, and I still want to use IPS.
    So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN.  The transparent ASA would be functioning strictly as an IPS appliance.
    Setup would look something like this:
    Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
    Can the AIP-SSM still perform IPS with the ASA in transparent mode?
    Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
    I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
    Regards.

AFAIR, there is no problem to setup AIP in a transparent firewall.
"An ASA in transparent mode can run an AIP.  In the event the AIP fails,
the IPS will fail-open and the ASA will continue to pass traffic.
However, if an interface or cable fails, then traffic will stop.  You
would need a failover pair to account for this failure event, which
means another ASA and matching AIP."
And no, there is no problem to exclude certain hosts/ports/subnets from inspection by IPS via MPF.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
What I do however consider is if the ASAs 5510 as second tier firewall for 5520s will be enough.
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
HTH,
Marcin
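An added example of the MPF exclusion Marcin refers to (not from the thread or the linked guide): on ASA 8.x the traffic sent to the SSM is selected by a class-map that matches an access-list, and entries that are denied in that access-list are simply not sent to the module. The fileserver addresses and object-group name below are constructed placeholders; the same policy applies unchanged in transparent mode.

```cisco
! Added example, not from the original thread. ASA 8.x MPF; addresses are placeholders.
! Fileservers whose traffic should bypass the SSM entirely:
object-group network IPS_BYPASS
 network-object host 192.168.1.10
 network-object host 192.168.1.11
! In a class-map access-list, "deny" means "do not match", i.e. do not send to the IPS.
! Keep this list as short as possible: bypassed flows get no inspection at all.
access-list IPS_TRAFFIC extended deny ip object-group IPS_BYPASS any
access-list IPS_TRAFFIC extended deny ip any object-group IPS_BYPASS
access-list IPS_TRAFFIC extended permit ip any any
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
service-policy global_policy global
! Verify: the IPS line of the class shows packet counters only for matched traffic
show service-policy global
```

Because the bypass is decided by the ASA before the module sees the packets, the sensor's own event counters will never show those flows; review the bypass list whenever a server's role changes so that an exemption made for throughput does not quietly become a blind spot.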

  • Do I need two AIP-SSM modules if I am configuring failover?

    Is it possible to use a single AIP-SSM module in two ASA's that are configured in Active/Standby mode?
    I would like to configure the module in the first ASA with the fail-open setting.  Then, if the first ASA fails, I could then physically remove the AIP-SSM module and place it in the second ASA.
    Would there be any problems configuring it this way?
Would the active/standby ASAs complain that there is only one AIP-SSM module?
    Thanks in advance.

    Hello Julio. My name is Rogelio, and I would appreciate your answer on a related matter, because I will have to execute the initial configuration of a failover pair, each one with its own IPS module.
Question: let's suppose that I execute a basic setup (admin username/password, IP address, mask, gateway) on the IPS module of the active ASA firewall. Will this configuration be replicated to the IPS module of the secondary unit?
    Your kind answer will be greatly appreciated.
    Best regards...

  • Configuring SNMP Trap receiver on AIP-SSM sensor

    I receive the following error message from my ASA5520 firewall when attempting to forward SNMP traps from my AIP-SSM20 sensor to a server on my Inside interface that is configured to receive SNMP traps:
    ASA-4-418001: Through-the-device packet to/from management-only network is denied: udp src management: 10.3.21.2/32768 dst Inside: PPC0ES/162
    Can I reconfigure the management IP address of the AIP-SSM sensor to connect to the Inside interface instead of the management vlan or does my SNMP server have to reside on the management vlan with the sensor?
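An added example, not part of the original thread, of the two ways the %ASA-4-418001 message above can be addressed on ASA 8.x. The message is raised because Management0/0 carries the "management-only" keyword, which forbids through-the-device traffic to or from that interface. The sensor address 10.3.21.2 is taken from the log line; the ASA management address 10.3.21.1 and the Inside trap receiver 10.1.1.5 are constructed placeholders.

```cisco
! Added example, not from the original thread. ASA 8.x; 10.3.21.1 and 10.1.1.5 are placeholders.
! The line that triggers %ASA-4-418001 for SSM traps heading to the Inside interface:
interface Management0/0
 nameif management
 security-level 100
 ip address 10.3.21.1 255.255.255.0
 management-only
! Option A (preferred, keeps the management plane isolated): leave management-only in
! place and point the sensor's SNMP trap destination at a receiver on 10.3.21.0/24.
!
! Option B: allow the traps through the device by removing the keyword ...
interface Management0/0
 no management-only
! ... and limit what may cross from the management VLAN to exactly the trap flow
! (snmptrap is the ASA port name for UDP 162).
access-list MGMT_IN extended permit udp host 10.3.21.2 host 10.1.1.5 eq snmptrap
access-list MGMT_IN extended deny ip any any log
access-group MGMT_IN in interface management
! Required with option B when Inside is also security-level 100, as in this thread:
same-security-traffic permit inter-interface
```

Option B turns the management VLAN into a routed segment of the firewall, so the explicit access-list with a logged deny at the end is what keeps the change from widening reachability beyond the single trap flow.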

  • Configuring AIP-SSM module

    hi,
    we have AIP-SSM-40 module installed on ASA 5540 but it is just physically present.
    Is it possible to configure this module in inline or IDS mode? It has only one Ethernet interface. Can this interface be treated as a sensor interface and receive a copy of all incoming frames on this interface (by SPAN on switches)?
    Please share the experience.
    Thanks in advance.
    Subodh

    Hi Subodh,
    Yes, the AIP-SSM can operate in either inline (IPS) or promiscuous (IDS) mode. I would recommend you start by reviewing the following config guide, which shows you how to configure the ASA to pass traffic to the SSM for inspection:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
    If you have any other specific questions, feel free to post back.
    Hope that helps.
    -Mike

  • Configuring AIP SSM to monitor only

    Hi all,
    We purchased an AIP-SSM-20 for our ASA5520. Is there a way to enable IPS functionality, but not block anything, i.e. just log events? This is just to see if any legitimate company traffic will be blocked.
    Thanks!
    Jacques

    Configure the ASA to send traffic to the IPS in promiscuous mode using the following command in a policy-map:
    hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]
    http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/aipssm.html
    George
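An added example (not from the original thread or the linked quick-start guide) of the monitor-only policy George describes, applied to the ASA's default global policy so every interface is covered. The SSM is assumed to be in slot 1.

```cisco
! Added example, not from the original thread. ASA 8.x; SSM assumed in slot 1.
! Promiscuous mode: the module receives copies of the packets and the ASA
! forwards the originals regardless of what the sensor decides.
policy-map global_policy
 class class-default
  ips promiscuous fail-open
service-policy global_policy global
! Verify the mode and that packets are being copied to the module
show service-policy global
show module 1 details
```

In promiscuous mode the deny-packet and deny-flow event actions cannot take effect because the sensor never holds the real packet, so alerts are logged without anything being blocked. The one way a promiscuous sensor can still stop traffic is a blocking (shun) configuration that lets it manage the ASA as a blocking device; for a log-only trial that should stay unconfigured, and the trial's alert list is then the set of legitimate flows that would have been affected in inline mode.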

  • AIP-SSM-10 sensor upgrade

    I have two ASA5520s with ASA-SSM-10 modules which are running Cisco Intrusion Prevention System, Version 6.0(6)E4. These are located at two different sites (one is local and the other remote from where I am based) and so are not running failover.
    I understand there is an auto update signature option with Version 6.1 or later which I would like to set up.
    The ASA5520s are running Cisco Adaptive Security Appliance Software Version 8.2(5).
    Can anyone recommend whether I should be looking at upgrading to Version 6.2 or 7.0 and perhaps why.
    Do I also just apply the engine update and then update the latest signatures for good measure.
    I was thinking of doing the upgrade through the IDM and was a bit confused about the recovery and system images and what the correct procedure should be e.g. backup the AIP config, tftp the existing image, install the new engine image and reboot the sensor?
    Any comments or assistance would be appreciated.
    Thanks, Peter.

    Hello Peter,
    Hope you are doing fine,
    I would encourage you to go to the latest IPS image available nowadays, which is: 7.1.7 Engine 4
    Why is that?
    Because you will ensure you will have a device with the latest image that will provide you fixes to previous bugs, new features, etc.
    So go for it.
    Now regarding the upgrade
    From the CLI
    In configuration terminal mode
    configure terminal
         upgrade ftp://user:password@<ftp-server-address>/upgrade_file_name
    http://www.networkstraining.com/how-to-upgrade-the-cisco-ips-module-aip-ssm/
    Regards,
    Julio Carvajal

  • How to buy license? for AIP-SSM-10 ?

    Hi all
    how to buy license? for AIP-SSM-10 ?
    1. CON-SU1-AS1A1PK9 this is Cisco SMARTnet Support for AIP-SSM-10
    2. do I need smartnet for ASA ?
    3. what is part number of license ?
    ASA5510test# session 1
    Opening command session with slot 1.
    Connected to slot 1. Escape character sequence is 'CTRL-^X'.
    login: cisco
    Password:
    ***NOTICE***
    This product contains cryptographic features and is subject to United States
    and local country laws governing import, export, transfer and use. Delivery
    of Cisco cryptographic products does not imply third-party authority to import,
    export, distribute or use encryption. Importers, exporters, distributors and
    users are responsible for compliance with U.S. and local country laws. By using
    this product you agree to comply with applicable laws and regulations. If you
    are unable to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    export@cisco.com.
    ***LICENSE NOTICE***
    There is no license key installed on the SSM-IPS10.
    The system will continue to operate with the currently installed
    signature set.  A valid license must be obtained in order to apply
    signature updates.  Please go to http://www.cisco.com/go/license
    to obtain a new license or install a license.
    sensor#
    sensor# sh ver
    Application Partition:
    Cisco Intrusion Prevention System, Version 6.0(6)E3
    Host:
        Realm Keys          key1.0
    Signature Definition:
        Signature Update    S399.0                   2009-05-06
        Virus Update        V1.4                     2007-03-02
    OS Version:             2.4.30-IDS-smp-bigphys
    Platform:               ASA-SSM-10
    Serial Number:          ........
    No license present
    Sensor up-time is 21 min.
    Using 655507456 out of 1032499200 bytes of available memory (63% usage)
    application-data is using 39.7M out of 166.8M bytes of available disk space (25% usage)
    boot is using 37.6M out of 68.6M bytes of available disk space (58% usage)
    MainApp          N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01:15:08-0500   Running
    AnalysisEngine   N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01:15:08-0500   Running
    CLI              N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01:15:08-0500
    Upgrade History:
      IPS-K9-6.0-6-E3   17:48:06 UTC Wed Jul 15 2009
    Recovery Partition Version 1.1 - 6.0(6)E3
    sensor#

    Hi,
    CON-SU1-AS2A10K9 contract is for ASA+IPS bundle. If AIP-SSM-10 was purchased as a spare the contract would be CON-SU1-ASIP10K9.
    I am not sure whether or not this Cisco Service for IPS contract can be  used to cover just the AIP-SSM-10 if it was purchased as part of a  Bundle instead of a Spare.
    I would recommend that you check with your Cisco reseller or Cisco  Sales Representative.
    Sourav

  • Using ASA5510 AIP-SSM in IDS mode

    Hi,
    I've a Cisco ASA5510 with AIP-SSM and I would like to use it as a one-armed IDS, connecting it to a span port of a switch in my network,
    without the traffic passing through the Firewall.
    I've tried to configure it and connect the interface inside (fast0/1) to the span port; I created the policy to permit all the traffic to the Sensor but it doesn't work, no packets received on the sensor.
    Can somebody help me?
    thanks

    Unfortunately you can't use the AIP-SSM in an ASA with a spanning switch like you could with the 4200 series appliances.
    The reason is that the ASA was built to be a firewall, and no matter how much of that functionality you turn off, it still needs to see TCP and UDP conversations flowing thru the ASA in order to pass that traffic to the AIP-SSM sensor (I tried very hard to see if I could get around this limitation, but you can't).
    The best you can hope to do is put the ASA in-line (I know this reduces reliability) and turn off as much of the firewall configs as you can. Then you can promiscuously monitor the traffic passing thru the ASA with the AIP-SSM.
    It's not ideal, but it's the cheapest IPS sensor in Cisco's line up right now.
    - Bob

  • ASA failover with 1 AIP SSM in Active/Standby?

    I have a customer with two ASAs; in Active/Standby. They want to purchase one AIP. Will failover (without the AIP functionality) to the Standby work if the AIP is configured for Promiscuous mode? Thanks, Bob

    The only connection to the SSM that can be done internally through the ASA is a "session". This is an internal telnet to the SSM and can be used to access the SSM's CLI.
    This is very useful when you manage your SSM directly through the CLI.
    However, most customers prefer to use a graphics based tool like IDM, ASDM, or CSM for managing the configuration of the SSM, and prefer to use a graphics based tool like IEV or CS MARS for monitoring of the alerts from the SSM.
    All of these graphics based tools need network access to the SSM through a web port (https on port 443 by default). Access to this port is not allowed internally through the ASA direct to the SSM.
    All web connections must be made to the External Management interface of the SSM.
    If you are not using all 4 of your ASA interfaces you could choose to wire the External SSM interface directly to one of your ASA interfaces, and create a small subnet for the ASA and IPS IP Addresses. So then all external connections to the SSM would be routed into the ASA, then out of the ASA, and into the external port of the SSM.
    That subnet of just the ASA and SSM could be made using a network reserved for local IPs (like a 10, or 172, or 192 network) and then use NAT/PAT for translation on the other network interfaces of the ASA.
    But it does still require that wire connected to the external port of the SSM.

  • Sync configs between AIP-SSMs

    We have a pair of ASA 5520s in active/standby mode. This part of the situation works great, configurations are always synced to the standby, nothing is lost. Planned failover has worked every time without users even noticing.
    We have an AIP-SSM-20 in each.
    The challenge arises as it seems there is still no easy and automatic way to sync the configuration of the SSMs together.
    Due to all the false positives, we need to perform configurations on the AIP-SSMs. Is there a method I am overlooking, how do you do it?
    Thanks.

    Thanks for your reply. I've gotten back on this subject....
    Does this run as a service, like it is running all the time and needs to be installed on a system which is always up, or does this run as an application only as needed.
    Based on the requirements, I can not tell. It can run on desktop OSes or Server OSes.
    "Hard Drive
    • 100 GB
    Memory (RAM)
    • 2 GB
    Supported Operating Systems
    • Windows Vista Business and Ultimate (32-bit only)
    • Windows XP Professional (32-bit only)
    • Windows 2003 server
    Note: Cisco IPS Manager Express supports only the 32-bit U.S. English version of Windows."
    100GB for an application, seems rather hefty to me. Is this for real?
    Thanks

  • AIP-SSM Upgrade Procedure

    Hi everybody!
    I have ASA5520 version 8.2(1) with AIP-SSM-20 module
    and I want to upgrade AIP-SSM-20 software from version 6.1(3)E3 to 7.0(2)E4
    I go to the download site and see the following list:
    Intrusion Prevention System (IPS) Recovery Software:
    IPS-K9-r-1.1-a-7.0-2-E4.pkg
            Release Date: 29/Mar/2010
            IPS Recovery Image File
    Intrusion Prevention System (IPS) Signature Updates:
    IPS-sig-S481-req-E4.pkg
            Release Date: 31/Mar/2010
            E4 Signature Update S481
    Intrusion Prevention System (IPS) System Software:
    IPS-SSM_20-K9-sys-1.1-a-7.0-2-E4.img
            Release Date: 29/Mar/2010
            IPS-SSM_20 System Image File
    Intrusion Prevention System (IPS) System Upgrades
    IPS-K9-7.0-2-E4.pkg
            Release Date: 29/Mar/2010
            IPS 7.0 Major Upgrade File (All Supported Platforms Except AIM-IPS and NME-IPS)
    IPS-engine-E4-req-7.0-2.pkg
            Release Date: 29/Mar/2010
            IPS E4 Engine Update
    I am somewhat confused by the number of files and want to ask what the procedure/sequence I should follow to upgrade?

    This is the file that you would like to use to upgrade it:
    Intrusion Prevention System  (IPS) System Upgrades
    IPS-K9-7.0-2-E4.pkg
    To upgrade:
    1) Upload the "IPS-K9-7.0-2-E4.pkg" file through IDM
    2) IDM --> Configuration --> Sensor Management --> Update Sensor --> choose Update is located on this client --> choose the "IPS-K9-7.0-2-E4.pkg" file --> hit the "Update Sensor" button.
    It will take a while (around 20 minutes) to upgrade the sensor, so don't panic if it doesn't come back up in "UP" status straight away.
    Hope that helps.
