AIP-SSM configuration / blocking SMTP

Hi all,
I need some help regarding a deployment of an IPS module on an ASA. I configured it in transparent mode, with the intention to only monitor the traffic going through the module. However, after applying the policy and putting it in operation, it started blocking SMTP and ICMP traffic. Here follows the configuration applied to it:
class-map outside-class
 match any
policy-map outside-policy
 class outside-class
  ips promiscuous fail-open
service-policy outside-policy interface outside
Is there anything else I should consider to put this module just monitoring the traffic instead of having it denying any traffic?
Thanks in Advance

You may need to create an access-list permitting all traffic, and then apply the access-list to both interfaces in both directions (in and out).
This will ensure connections can go from the lower security zone to the higher as well as from the higher security zone to the lower.
You may also need to add icmp permit lines to permit icmp traffic through each interface.
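As an added example (not the original poster's configuration and not the reply above), here is the question's policy combined with the permissive access-list and ICMP permits the reply recommends, followed by the show commands a practitioner would use to confirm the policy is attached and to tell whether the ASA or the sensor is the one interrupting traffic. The interface names inside/outside, the ACL name MONITOR_ALL and the module slot 1 are assumptions. In promiscuous mode the ASA only copies packets to the module, so if SMTP still stops after this, the remaining suspect is the sensor's own signature event actions: as the p2p thread further down notes, actions such as request block connection and TCP reset work even from a promiscuous sensor, and the ASA's show shun lists any block the sensor has requested through it.

```cisco
! Added example, not the thread's own configuration.
! Assumptions: interfaces named inside/outside, ACL MONITOR_ALL, AIP-SSM in slot 1.
!
! 1. Copy all traffic to the module (promiscuous); keep passing traffic if the module fails.
class-map outside-class
 match any
policy-map outside-policy
 class outside-class
  ips promiscuous fail-open
service-policy outside-policy interface outside
!
! 2. The reply's suggestion: an ACL permitting all traffic, applied in and out on
!    both interfaces, so the transparent ASA itself does not deny the monitored flows.
access-list MONITOR_ALL extended permit ip any any
access-group MONITOR_ALL in interface outside
access-group MONITOR_ALL out interface outside
access-group MONITOR_ALL in interface inside
access-group MONITOR_ALL out interface inside
!
! 3. The reply's "icmp permit lines" for each interface.
icmp permit any outside
icmp permit any inside
!
! 4. Verify on the ASA:
!    - policy attached and IPS packet counters increasing
show service-policy interface outside
!    - module state Up, mode shown as promiscuous
show module 1 details
!    - any host blocks the sensor has asked the ASA to apply
show shun
!
! 5. Verify on the sensor (session 1 from the ASA CLI):
!    - which signatures fired against the SMTP/ICMP flows
show events alert
!    - blocking statistics (active blocks issued by the sensor)
show statistics network-access
```

If show shun is empty and the IPS counters in show service-policy are rising while SMTP fails, the drop is not coming from the promiscuous path at all and the sensor's event-action configuration is the next place to look.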

Similar Messages

  • AIP-SSM configured with event action "produce alert", but it drops packets

    Hi, I configured an AIP-SSM IPS on event action for "Produce Alert", but when a signature fires, it drops the packets. So, what will be the problem?

    Try these links:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/cliguide/clievact.htm#wp1034058
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml

  • AIP-SSM configuration assistance

    I have two questions regarding the AIP-SSM.
    1) Does the ACL on AIP-SSM have any type of relations to the ASA ACL?
    2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?
    3) Should then the management interface be used as the gateway for the SSM?
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 65.x.x.1 255.255.255.0 standby 65.x.x.2
    interface GigabitEthernet0/1
    nameif dmz
    security-level 50
    ip address 172.16.x.1 255.255.255.0 standby 172.16.x.2
    interface GigabitEthernet0/2
    nameif inside
    security-level 100
    ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2
    interface GigabitEthernet0/3
    description LAN/STATE Failover Interface
    interface Management0/0
    speed 100
    duplex full
    nameif management
    security-level 100
    ip address 10.0.x.1 255.255.255.0 standby 10.0.x.2
    management-only

    Here are the answers to your questions-
    1) Does the ACL on AIP-SSM have any type of relations to the ASA ACL?
    Ans) No. ACL on SSM is completely independent of ACLs on ASA.
    2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?
    Ans) Absolutely. You can assign the management port of SSM an IP in the same subnet as your management interface. That way all management traffic will be kept independent of normal DATA traffic.
    3) Should then the management interface be used as the gateway for the SSM?
    Ans) You are right .. :-)
    Hope that helps.
    Regards,
    Vibhor.

  • AIP-SSM Configuration Maintenance in Active Stdby modes

    So, I'm pretty new to the AIP-SSM but not to ASAs. It appears that very little of the AIP module config gets copied over to the Stdby AIP, nothing other than what appears in the ASA config (ACLs, etc.). So, do all the config elements particular to the module itself have to be manually reproduced on the Stdby module, either by hand entry or config copies moved between the two?

    So in Active/Standby scenarios with AIP-SSM, what is the reasoning for not having a feature for automatically copying over module config changes as with the ASA config?
    If there is no good reason, is it on the AIP-SSM road map to provide this feature?
    This can be a real pain in the arse for complex IPS configs. You have to do everything twice, and right away, so you won't miss anything should the ASAs flip.

  • Transparent mode with AIP-SSM-20

    I currently have an ASA5510 in routed mode with an AIP-SSM-20.
    There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE.  This part should present no issue.
    However, this will remove the IPS device, and I still want to use IPS.
    So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN.  The transparent ASA would be functioning strictly as an IPS appliance.
    Setup would look something like this:
    Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
    Can the AIP-SSM still perform IPS with the ASA in transparent mode?
    Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
    I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
    Regards.

    AFAIR, there is no problem to set up AIP in a transparent firewall.
    "An ASA in transparent mode can run an AIP.  In the event the AIP fails,
    the IPS will fail-open and the ASA will continue to pass traffic.
    However, if an interface or cable fails, then traffic will stop.  You
    would need a failover pair to account for this failure event, which
    means another ASA and matching AIP."
    And no there is no problem to exclude certain hosts/ports/subnets from inspection by IPS via MPF.
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
    What I would consider, however, is whether the ASA 5510s as a second-tier firewall for 5520s will be enough.
    http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
    HTH,
    Marcin
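An added example (not Marcin's configuration and not from the Cisco guide he links) of the MPF exclusion he refers to: the class that feeds the IPS matches an access-list in which the two busy file servers are denied, so their flows never match the class and are never copied to the module, while everything else still is. The server addresses, the ACL and class names and the use of the global policy are assumptions; in the transparent deployment described above the same class could instead sit in a policy attached to the inside interface.

```cisco
! Added example; addresses and names are constructed placeholders.
! Packets denied by this ACL do not match the class, so they bypass the AIP-SSM.
access-list IPS_INSPECT extended deny ip host 192.0.2.10 any
access-list IPS_INSPECT extended deny ip any host 192.0.2.10
access-list IPS_INSPECT extended deny ip host 192.0.2.11 any
access-list IPS_INSPECT extended deny ip any host 192.0.2.11
access-list IPS_INSPECT extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_INSPECT
!
policy-map global_policy
 class IPS_CLASS
  ips promiscuous fail-open
!
service-policy global_policy global
!
! Check: hit counts on the deny lines grow when the file servers talk,
! while the IPS packet counters grow only for the remaining hosts.
show access-list IPS_INSPECT
show service-policy
```

Note that this ACL is only a classification ACL for the service policy; it does not replace the interface access-groups, so the file servers are still subject to whatever the interface ACLs allow.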

  • Do I need two AIP-SSM modules if I am configuring failover?

    Is it possible to use a single AIP-SSM module in two ASA's that are configured in Active/Standby mode?
    I would like to configure the module in the first ASA with the fail-open setting.  Then, if the first ASA fails, I could then physically remove the AIP-SSM module and place it in the second ASA.
    Would there be any problems configuring it this way?
    Would the active/standby ASA's complain that there is only one AIP-SSM module?
    Thanks in advance.

    Hello Julio. My name is Rogelio, and I would appreciate your answer on a related matter, because I will have to execute the initial configuration of a failover pair, each one with its own IPS module.
    Question: let's suppose that I execute a basic setup (admin username/password, IP address, mask, gateway) on the IPS module of the active ASA firewall. Will this configuration be replicated to the IPS module of the secondary unit?
    Your kind answer will be greatly appreciated.
    Best regards...

  • How to block p2p applications(Bittorent like) with AIP-SSM-10?

    Hi,
    How to block p2p applications using AIP-SSM-10 working with ASA5520? AIP is in promiscuous mode.
    Thanks,
    Siva

    There are several signatures that detect p2p, for bit torrent there is 11020.0
    Yahoo triggers: 5539.0, 11200.0, 11212.0, 11217.0 & 11219.0
    etc..
    Some are disabled by default though so please ensure you enable the ones that you need.
    If you want to block these then you will have to use event actions that work in promiscuous setup for example request block connection and tcp reset. Please note that care must be taken when using these event actions.
    For more information about the event actions please refer to the link below:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/idmguide/dmevtrul.htm#wp1069467

  • Configuring SNMP Trap receiver on AIP-SSM sensor

    I receive the following error message from my ASA5520 firewall when attempting to forward SNMP traps from my AIP-SSM20 sensor to a server on my Inside interface that is configured to receive SNMP traps:
    ASA-4-418001: Through-the-device packet to/from management-only network is denied: udp src management: 10.3.21.2/32768 dst Inside: PPC0ES/162
    Can I reconfigure the management IP address of the AIP-SSM sensor to connect to the Inside interface instead of the management vlan or does my SNMP server have to reside on the management vlan with the sensor?


  • Configuring AIP SSM to monitor only

    Hi all,
    We purchased an AIP-SSM-20 for our ASA5520. Is there a way to enable IPS functionality, but not block anything, i.e. just log events? This is just to see if any legitimate company traffic will be blocked.
    Thanks!
    Jacques

    Configure the ASA to send traffic to the IPS in promiscuous mode using the following command in a policy-map:
    hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]
    http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/aipssm.html
    Geroge

  • Configuring AIP-SSM module

    hi,
    we have an AIP-SSM-40 module installed on an ASA 5540 but it is just physically present.
    Is it possible to configure this module in inline or IDS-like mode? It has only one Ethernet interface. Can this interface be treated as a sensor interface and receive a copy of all incoming frames on this interface (by SPAN on switches)?
    Please share the experience.
    Thanks in advance.
    Subodh

    Hi Subodh,
    Yes, the AIP-SSM can operate in either inline (IPS) or promiscuous (IDS) mode. I would recommend you start by reviewing the following config guide, which shows you how to configure the ASA to pass traffic to the SSM for inspection:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
    If you have any other specific questions, feel free to post back.
    Hope that helps.
    -Mike

  • Failure to Upgrade the software of my AIP-SSM-20

    Dear all,
    I have failed to upgrade the software of my AIP-SSM-20 on the ASA. The AIP-SSM-20 had an image of version IPS-K9-5.1-7-E1.pkg and I tried to upgrade it to IPS-K9-6.1-1-E2.pkg, but after the upgrade the AIP-SSM-20 became unusable. I can no longer log on to the IPS module from the ASA. When I initiated a connection to the module with the session 1 command, the system says card in slot 1 did not respond to system request. I decided to restore the system image from the ASA by using the hw-module module 1 recover configure and hw-module module 1 recover boot commands but have so far failed. When I issued the hw-module module 1 boot command, the status of the IPS shows recover and would stay in that state even for days. And my TFTP server shows that it is transferring the images to the IPS.
    I don't know where I have gone wrong and I would be very happy if somebody can give me a procedure that would help me to re-image the software of the IPS.
    Any help would be highly appreciated.
    Claude Fozao

    Halijen has already sent you a link to reimage; let me briefly answer what a system image and upgrade files are and the difference between them.
    The System Image files are meant to be used only when a complete erasing of the sensor's image is needed. This is generally because the installed files were corrupted, or so old that it would be easier to start over and make it look like it came from the factory than to use the standard "upgrade" files. So in case you are doing reimaging, then use .img files, which are system reimage files.
    In more than 90% of the cases, most customers will want to "upgrade" rather than do a System Image. The "upgrade" is done from within the sensor itself, and will both load the higher version as well as convert your current configuration to work with the newer version. It uses .pkg files.
    A usual problem with the System Re-imaging process is that the card winds up in a boot loop because of an error. When ROMMON detects an error it reboots and tries the same steps again, which usually winds up with the same error, which causes a reboot, etc.....
    So determining if the card is in a reboot loop, and what the error is would be the next step in your debugging process.
    Execute "debug module-boot". Enter "hw-module module 1 recover stop". Wait for a few minutes, and then enter "hw-module module 1 recover boot".
    The output from ROMMON on the SSM will be seen on your ASA connection. Look at the configuration being passed to the SSM's ROMMON and look for any bad entries. Watch to see if it is able to download the System Image file, or if it continuously reboots.
    If it continuously reboots, then look to see what error message is seen just prior to the reboot.
    Some common problems:
    1) Typos in IP address, gateway, tftp server IP, or system image filename.
    2) If the tftp server is on the same subnet as the SSM's IP Address, then try leaving the Gateway address blank since it is not needed.
    3) Remember that the IP Address is for the external interface of the SSM. So be sure you are using an address that is applicable for the network where you are plugging in the SSM's external interface.
    4) If the TFTP Server is on another subnet, then be sure there is a route to the other network. If having to route back through the ASA, then ensure that the ASA will allow TFTP packets to pass through the ASA. (The ASA could wind up blocking the TFTP packets depending on the ASA configuration.)
    5) Be sure the file can be downloaded from the TFTP server. Check the file permissions, and the directory where the file is located. From your desktop try to download the file from the tftp server. This will ensure you are using the correct directory and that the file has correct permissions. One common problem is that the file may be /tftpboot/sensorfiles/IPS-SSM_20-K9-sys-1.1-a-6.1-1-E1.img. But because the tftp server automatically starts in /tftpboot, you may need to NOT specify it for the file and instead just use: sensorfiles/IPS-SSM_20-K9-sys-1.1-a-6.1-1-E1.img
    6) Check to make sure the file is not corrupted by running an md5sum and checking it against the value listed on Cisco's web site.

  • Customizing signatures question on AIP-SSM

    Hi all
    Actually our customer has an AIP-SSM module which is configured in inline mode. Some users appear as attackers in the IPS event store.
    Can I deny any unwanted connection for these users without affecting the legitimate connections of these users, like internet browsing???
    I tried to make the signature action "deny connection inline", but when the signature fires, the user who has appeared as an attacker is totally blocked and cannot access the internet.
    Anyone faced this issue??
    Please advise.
    regards

    Hi Mohammed.
    Right now I'm preparing the IPS Exam, and I have read some where that:
    "deny connection inline" will stop the connection totally. But if the same user (IP Address) has many "deny connection inline", the IPS will say that there is a problem with this PC, and I'll not lose resources and time to block each connection, and the IPS sensor will block the Host.
    You can tune the Signature to solve this issue, but this will not solve the main problem.
    But as Andy said, there is a Sweep attack from these PCs. Try to scan them with Anti-Virus, and anti-worm... because they are the source of these issues.
    Sweep is a "Network Reconnaissance Attack". Please take a look at this link for more information:
    http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliSgEng.html#wp1048257
    I hope this helpful.
    Best regards
    Reda
    [email protected]

  • Using ASA5510 AIP-SSM in IDS mode

    Hi,
    I've a Cisco ASA5510 with AIP-SSM and I would like to use it like a one-armed IDS, connecting it to a span port of a switch in my network,
    without the traffic passing through the Firewall.
    I've tried to configure it and connect the interface inside (fast0/1) to the span port. I created the policy to permit all the traffic to the Sensor but it doesn't work, no packets received on the sensor.
    Can somebody help me?
    thanks

    Unfortunately you can't use the AIP-SSM in an ASA with a spanning switch like you could with the 4200 series appliances.
    The reason is that the ASA was built to be a firewall, and no matter how much of that functionality you turn off, it still needs to see TCP and UDP conversations flowing thru the ASA in order to pass that traffic to the AIP-SSM sensor (I tried very hard to see if I could get around this limitation, but you can't).
    The best you can hope to do is put the ASA in-line (I know this reduces reliability) and turn off as much of the firewall configs as you can. Then you can promiscuously monitor the traffic passing thru the ASA with the AIP-SSM.
    It's not ideal, but it's the cheapest IPS sensor in Cisco's line up right now.
    - Bob

  • ASA failover with 1 AIP SSM in Active/Standby?

    I have a customer with two ASAs; in Active/Standby. They want to purchase one AIP. Will failover (without the AIP functionality) to the Standby work if the AIP is configured for Promiscuous mode? Thanks, Bob

    The only connection to the SSM that can be done internally through the ASA is a "session". This is an internal telnet to the SSM and can be used to access the SSM's CLI.
    This is very useful when you manage your SSM directly through the CLI.
    However, most customers prefer to use a graphics based tool like IDM, ASDM, or CSM for managing the configuration of the SSM, and prefer to use a graphics based tool like IEV or CS MARS for monitoring of the alerts from the SSM.
    All of these graphics based tools need network access to the SSM through a web port (https on port 443 by default). Access to this port is not allowed internally through the ASA direct to the SSM.
    All web connections must be made to the External Management interface of the SSM.
    If you are not using all 4 of your ASA interfaces you could choose to wire the External SSM interface directly to one of your ASA interfaces, and create a small subnet for the ASA and IPS IP Addresses. So then all external connections to the SSM would be routed into the ASA, then out of the ASA, and into the external port of the SSM.
    That subnet of just the ASA and SSM could be made using a network reserved for local IPs (like a 10, or 172, or 192 network) and then use NAT/PAT for translation on the other network interfaces of the ASA.
    But it does still require that wire connected to the external port of the SSM.

  • Sync configs between AIP-SSMs

    We have a pair of ASA 5520s in active/standby mode. This part of the situation works great, configurations are always synced to the standby, nothing is lost. Planned failover has worked every time without users even noticing.
    We have an AIP-SSM-20 in each.
    The challenge arises as it seems there is still no easy and automatic way to sync the configuration of the SSMs together.
    Due to all the false positives, we need to perform configurations on the AIP-SSMs. Is there a method I am overlooking, how do you do it?
    Thanks.

    Thanks for your reply. I've gotten back on this subject....
    Does this run as a service, i.e. is it running all the time and needs to be installed on a system which is always up, or does this run as an application only as needed?
    Based on the requirements, I cannot tell. It can run on desktop OSes or Server OSes.
    "Hard Drive
    • 100 GB
    Memory (RAM)
    • 2 GB
    Supported Operating Systems
    • Windows Vista Business and Ultimate (32-bit only)
    • Windows XP Professional (32-bit only)
    • Windows 2003 server
    Note: Cisco IPS Manager Express supports only the 32-bit U.S. English version of Windows."
    100GB for an application, seems rather hefty to me. Is this for real?
    Thanks
