AIP-SSM Configuration Maintenance in Active Stdby modes

Similar Messages

• AIP-SSM configured with event action "produce alert", but it drop packets

  Hi, I configured an AIP-SSM IPS on event action for "Produce Alert", but when fire a signature, it drop the packets. So, what will be the problem?

  Try these links:
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/cliguide/clievact.htm#wp1034058
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml

• AIP-SSM configuration assistance

  I have two questions regarding the AIP-SSM.
  1) Does the ACL on AIP-SSM have any type of relations to the ASA ACL?
  2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?
  3) Should then the management interface be used as the gateway for the SSM?
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 65.x.x.1 255.255.255.0 standby 65.x.x.2
  interface GigabitEthernet0/1
  nameif dmz
  security-level 50
  ip address 172.16.x.1 255.255.255.0 standby 172.16.x.2
  interface GigabitEthernet0/2
  nameif inside
  security-level 100
  ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2
  interface GigabitEthernet0/3
  description LAN/STATE Failover Interface
  interface Management0/0
  speed 100
  duplex full
  nameif management
  security-level 100
  ip address 10.0.x.1 255.255.255.0 standby 10.0.x.2
  management-only

  Here are the answers to your questions-
  1) Does the ACL on AIP-SSM have any type of relations to the ASA ACL?
  Ans) No. ACL on SSM is completely independent of ACLs on ASA.
  2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?
  Ans) Absolutely. You can assign the management port of SSM an IP in the same subnet as your managemnet interface. That way all management traffic will be kept independent of normal DATA traffic.
  3) Should then the management interface be used as the gateway for the SSM?
  Ans) You are right .. :-)
  Hope that helps.
  Regards,
  Vibhor.

• AIP-SSM configuration / blocking SMTP

  Hi all,
  I need some help regarding a deployment of a IPS module on a ASA. I configured it in transparent mode, with the intention to only monitor the traffic going through the module. Otherwise after aplying the policy and put it in operation, it started blocking SMTP and ICMP traffic. Here follows the configuration applied to it:
  class-map outside-class
  match any
  policy-map outside-policy
  class outside-class
  ips promiscuous fail-open
  service-policy outside-policy interface outside
  Is there anything else I should consider to put this module just monitoring the traffic instead of having it denying any traffic?
  Thanks in Advance

  You may need to create an access-list permitting all traffic, and then apply the access-list to both interfaces in both directions (in and out).
  This will ensure connections can go from the lower security zone to the higher as well as from the higher security zone to the lower.
  You may also need to add icmp permit lines to permit icmp traffic through each interface.

• Transparent mode with AIP-SSM-20

  I currently have an ASA5510 in routed mode with an AIP-SSM-20.
  There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE.  This part should present no issue.
  However, this will remove the IPS device, and I still want to use IPS.
  So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN.  The transparent ASA would be functioning strictly as an IPS appliance.
  Setup would look something like this:
  Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
  Can the AIP-SSM still perform IPS with the ASA in transparent mode?
  Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
  I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
  Regards.

  AFAIR, There is no problem to setup AIP in a transparent firewall.
  "An ASA in transparent mode can run an AIP.  In the event the AIP fails,
  the IPS will fail-open and the ASA will continue to pass traffic.
  However, if an interface or cable fails, then traffic will stop.  You
  would need a failover pair to account for this failure event, which
  means another ASA and matching AIP."
  And no there is no problem to exclude certain hosts/ports/subnets from inspection by IPS via MPF.
  http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
  What I however consider however is if the ASAs 5510 as second tier firewall for 5520s will be enough.
  http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
  HTH,
  Marcin

• Single AIP-SSM in Cisco ASA Failover Active / Standby Mode

  Hi,
  I can add single AIP-SSM on Cisco ASA in failover active / standby mode?

  No, both units need the same hardware, that includes the installed modules.
  Sent from Cisco Technical Support iPad App

• Do I need two AIP-SSM modules if I am configuring failover?

  Is it possible to use a single AIP-SSM module in two ASA's that are configured in Active/Standby mode?
  I would like to configure the module in the first ASA with the fail-open setting.  Then, if the first ASA fails, I could then physically remove the AIP-SSM module and place it in the second ASA.
  Would there be any problems configuring it this way?
  Would the active/standby ASA's complain that there is only one AIP-SSM module?
  Thanks in advance.

  Hello Julio. My name is Rogelio, and I would appreciate your answer on a related matter, because I will have to execute the initial configuration of a failover pair, each one with its own IPS module.
  Question: let´s suppose that I execute a basic setup (admin username/password, IP address, mask, gateway), on the IPS module of the active ASA firewall. ¿Will this configuration be replicated to the IPS module of the secondary unit?
  Your kind answer will be greatly appreciated.
  Best regards...

• ASA failover with 1 AIP SSM in Active/Standby?

  I have a customer with two ASAs; in Active/Standby. They want to purchase one AIP. Will failover (without the AIP functionality) to the Standby work if the AIP is configured for Promiscuous mode? Thanks, Bob

  The only connection to the SSM that can be done internally through the ASA is a "session". This is an internal telnet to the SSM and can be used to access the SSM's CLI.
  This is very usefull when you manage your SSM directly through the CLI.
  However, most customers prefer to use a graphics based tool like IDM, ASDM, or CSM for managing the configuration of the SSM, and prefer to use a graphics based tool like IEV or CS MARS for monitoring of the alerts from the SSM.
  All of these graphics based tools need network access to the SSM through a web port (https on port 443 by default). Access to this port is not allowed internally through the ASA direct to the SSM.
  All web connections must be made to the External Management interface of the SSM.
  If you are not using all 4 of your ASA interfaces you could choose to wire the External SSM interface directly to one of your ASA interfaces, and create a small subnet for the ASA and IPS IP Addresses. So then all external connections to the SSM would be routed into the ASA, then out of the ASA, and into the external port of the SSM.
  That subnet of just the ASA and SSM could be made using a network reserved for local IPs (like a 10, or 172, or 192 network) and then use NAT/PAT for translation on the other network interfaces of the ASA.
  But it does still require that wire connected to the external port of the SSM.

• Step to prep CSC SSM on ASA Active/Standby mode

  Hi all, 
  I am trying to setup Active/Standby HA mode for my site.
  Currently the site was installed with one unit ASA firewall with CSC-SSM module, the second unit is the new unit ready to be setup.
  My question:
  01. My concern is second unit CSC-SSM, what is the proper procedure or step need to prep it?
  Is it need to prep the CSC-SSM before the ASA in HA mode Or it will auto propagate the configuration when both unit in HA mode?
  What else need to concern? am i need to setup different IP for the CSC-SSM management interface?
  Thanks
  Noel

  Hello Yong,
  Configuration related to the CSC or SSM modules will never get propagated so you will basically need to configure it manually.
  Also it's not like if the Config on both modules is different failover will fail but ofcourse you wanna have the same one
  IP addresses for each of the modules will be dedicated ones. Remember that failover will fail if one box has the CSC and the other not.
  Looking for some Networking Assistance? 
  Contact me directly at [email protected]
  I will fix your problem ASAP.
  Cheers,
  Julio Carvajal Segura
  http://laguiadelnetworking.com

• Configuring SNMP Trap receiver on AIP-SSM sensor

  I receive the following error message from my ASA5520 firewall when attempting to forward SNMP traps from my AIP-SSM20 sensor to a server on my Inside interface that is configured to receive SNMP traps:
  ASA-4-418001: Through-the-device packet to/from management-only network is denied: udp src management: 10.3.21.2/32768 dst Inside: PPC0ES/162
  Can I reconfigure the management IP address of the AIP-SSM sensor to connect to the Inside interface instead of the management vlan or does my SNMP server have to reside on the management vlan with the sensor?

  Hi Subodh,
  Yes, the AIP-SSM can operate in either inline (IPS) or promiscuous (IDS) mode. I would recommend you start by reviewing the following config guide, which shows you how to configure the ASA to pass traffic to the SSM for inspection:
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
  If you have any other specific questions, feel free to post back.
  Hope that helps.
  -Mike

• Configuring AIP-SSM modelue

  hi,
  we have AIP-SSM-40 modeule installed on ASA 5540 but it is just physically present.
  Is it possible to configure to this modeule in inline or like IDS mode? It has only one Ethernet interface. Can this interface be treated as sensor interface and mark a copy of all incoming frames on this interface ( by SPA on switches ).
  Please share the experience.
  Thanks in advance.
  Subodh

  Hi Subodh,
  Yes, the AIP-SSM can operate in either inline (IPS) or promiscuous (IDS) mode. I would recommend you start by reviewing the following config guide, which shows you how to configure the ASA to pass traffic to the SSM for inspection:
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
  If you have any other specific questions, feel free to post back.
  Hope that helps.
  -Mike

• Using ASA5510 AIP-SSM in IDS mode

  Hi,
  I' ve a Cisco ASA5510 with  AIP-SSM and I wold like to use it like a one-armed IDS for connect them to a span port of a switch in my network,
  without the traffic passing through the Firewall.
  I've try to configure it and connect the interface inside (fast0/1) to the span port, I create the policy for permit  all the traffic to the  Sensor but it doesn't work, no packet recived on sensor.
  somebody can help me?
  thanks

  Unfortunately you can't use the AIP-SSM in an ASA with a spanning switch like you could with the 4200 series appliances.
  The reason is that the ASA was built to be a firewall, and no matter how much of that functionality you turn off, it still needs to see TCP and UDP conversations flowing thru the ASA in order to pass that traffic to the AIP-SSM sensor (I tired very hard to see if I could get around this limitation, but you can't).
  The best you can hope to do is put the ASA in-line (I know this reduces reliability) and turn off as much of the firewall configs you can. Then you can promisciously monitor the traffic passing thru teh ASA with teh AIP-SSM.
  It's not ideal, but it's the cheapest IPS sensor in Cisco's line up right now.
  - Bob

• Configuring AIP SSM to monitor only

  Hi all,
  We purchased an AIP-SSM-20 for our ASA5520. Is there a way to enable IPS functionality, but not block anything, i.e. just log events? This is just to see if any legitimate company traffic will be blocked.
  Thanks!
  Jacques

  Configure the ASA to send traffic to the IPS in promiscuous mode using the following command in a policy-map:
  hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close |
  fail-open} [sensor {sensor_name | mapped_name}]
  http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/aipssm.html
  Geroge

• Activating IPS AIP-SSM

  Hello Everyone,
  Some time ago we purchase a couple of ASA5510s with the IPS aip-ssm modules in them. I got them installed and got the vpns running, but never activated the IPS module on them.
  I am getting ready to get the IPS modules going. But, don't I need some time of subscription so that the IPS module can download signature updates?
  Does anyone know what the part number on that subscription is? I am seeing listings for "content security plus" licenses, but I think that is something different. I am also seeing licenses for Botnet traffic filter licenses. But, again, I am not sure if that's the right one.
  Thanks,
  Ben

  You will need a subscription license in order to take advantage of signature and Global Correlation updates. The official name for this license is "Cisco Services for IPS".  Take a look at the following Q&A doc which covers some of the part numbers.
  http://www.cisco.com/en/US/services/ps2827/ps6076/services_qa0900aecd8022e962.pdf

• How to tell if Active/active or Active/Standby mode is configured?

  Folks:
  I am still learning the output of my running config, but how do I tell if my firewall is set to Actve/Active or Active/Standby mode?
  In addition, how do I tell if it uses regular or stateful failover mode?
  Thank you

  I wanted to provide this as well, since I found it and it also helped me answering my question.
  This output shows Active/Active failover output.
  **Note** it says PIX; however, I beleive it will be the same output for ASA.
  PIX1(config-subif)#show failover
  Failover On
  Cable status: N/A - LAN-based failover enabled
  Failover unit Primary
  Failover LAN Interface: LANFailover Ethernet3 (up)
  Unit Poll frequency 15 seconds, holdtime 45 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 4 of 250 maximum
  Version: Ours 7.2(2), Mate 7.2(2)
  Group 1 last failover at: 06:12:45 UTC Apr 16 2007
  Group 2 last failover at: 06:12:43 UTC Apr 16 2007
    This host:    Primary
    Group 1       State:          Active
                  Active time:    359610 (sec)
    Group 2       State:          Standby Ready
                  Active time:    3165 (sec)
                    context1 Interface inside (192.168.1.1): Normal
                    context1 Interface outside (172.16.1.1): Normal
                    context2 Interface inside (192.168.2.2): Normal
                    context2 Interface outside (172.16.2.2): Normal
    Other host:   Secondary
    Group 1       State:          Standby Ready
                  Active time:    0 (sec)
    Group 2       State:          Active
                  Active time:    3900 (sec)
                    context1 Interface inside (192.168.1.2): Normal
                    context1 Interface outside (172.16.1.2): Normal
                    context2 Interface inside (192.168.2.1): Normal
                    context2 Interface outside (172.16.2.1): Normal