Cisco IPS ASA SSM-10

I am using an ASA SSM-10 IPS. Currently it keeps logging those alert events.
Where does the IPS keep all those event logs? In the disk space?
Where can I see how much space I have left?
Will it go down if the space is full?

This is from the post I linked earlier, and you don't have to worry; the sensor will definitely not go 'down'. The event-log data structure is circular and is overwritten every time it is full.
"The eventStore size starting at version 5.0(1) is a fixed 30 Meg. It's a *circular* eventStore that is intended to wrap (new events overwriting oldest events). The usual sensor deployment includes some sort of remote event monitor application (like IEV, IME etc.) that pulls events from the sensor. The eventStore acts as a buffer to allow the remote monitoring app to keep up with busy sensors. If your eventStore wraps every few hours then the monitoring app should be able to keep up with all the events being generated. The concern would be if the eventStore continuously wrapped in less than 10 or 15 minutes. At that point you may be losing events and would need to tune the sensor signature config to only alarm on meaningful events."
I'm assuming since the event store is only 30 MB, it's a 'part' of one of the following partitions:
application-data OR application-log
Most probably the first one.
Regards
Farrukh
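
The following Python is an added example, not code from this thread or from Cisco: it models the fixed-size circular eventStore the quoted reply describes, a remote monitor that pulls from it at an interval, and the "wraps in under 10-15 minutes" rule of thumb. The capacity (30 MB) and the 15-minute threshold come from the reply; the event sizes, alert rates, timestamps and signature id are constructed assumptions for illustration.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass

EVENT_STORE_BYTES = 30 * 1024 * 1024  # fixed 30 MB eventStore from IPS 5.0(1), per the quoted reply
CONCERN_WRAP_SECONDS = 15 * 60        # "wraps in less than 10 or 15 minutes" rule of thumb


@dataclass(frozen=True)
class Event:
    ts: float     # seconds since an arbitrary sensor epoch (constructed)
    size: int     # bytes the event occupies in the store (constructed)
    sig_id: str   # signature that fired; the value used below is constructed


class CircularEventStore:
    """Fixed-capacity ring buffer: appending when full overwrites the oldest events."""

    def __init__(self, capacity: int = EVENT_STORE_BYTES) -> None:
        self.capacity = capacity
        self._events: deque[Event] = deque()
        self._used = 0
        self.overwritten = 0  # total events lost to wrapping since start

    def append(self, ev: Event) -> list[Event]:
        """Store ev and return the older events that were overwritten to make room."""
        if ev.size > self.capacity:
            raise ValueError("event larger than the whole store")
        evicted: list[Event] = []
        while self._used + ev.size > self.capacity:
            old = self._events.popleft()
            self._used -= old.size
            evicted.append(old)
        self.overwritten += len(evicted)
        self._events.append(ev)
        self._used += ev.size
        return evicted

    def has_wrapped(self) -> bool:
        return self.overwritten > 0

    def retention_seconds(self) -> float:
        """Time span still held: how far behind a puller may fall before it loses events."""
        if not self._events:
            return 0.0
        return self._events[-1].ts - self._events[0].ts

    def events_since(self, ts: float) -> list[Event]:
        """What a remote monitor (IEV/IME style) collects: everything newer than its last pull."""
        return [e for e in self._events if e.ts > ts]


def wrap_assessment(store: CircularEventStore, concern_s: float = CONCERN_WRAP_SECONDS) -> str:
    """Apply the thread's rule of thumb to the store's current state."""
    if not store.has_wrapped():
        return "not-wrapped"
    if store.retention_seconds() < concern_s:
        return "wrapping-too-fast"   # tune signatures to alarm only on meaningful events
    return "wrapping-ok"


def retention_for_rate(events_per_second: float, event_bytes: int,
                       capacity: int = EVENT_STORE_BYTES) -> float:
    """Seconds of history a steady alert rate leaves in the store (planning number)."""
    return (capacity // event_bytes) / events_per_second


def simulate_puller(store: CircularEventStore, events_per_second: int, event_bytes: int,
                    pull_interval_s: int, duration_s: int) -> tuple[int, int]:
    """Drive a steady alert rate into the store while a monitor pulls every pull_interval_s.

    Returns (pulled, lost); lost counts events overwritten before any pull collected them.
    """
    last_pull_ts = -1.0
    pulled = lost = 0
    for second in range(duration_s):
        for i in range(events_per_second):
            ts = second + i / events_per_second
            for old in store.append(Event(ts, event_bytes, "2004")):  # sig id is constructed
                if old.ts > last_pull_ts:   # overwritten without ever having been pulled
                    lost += 1
        if (second + 1) % pull_interval_s == 0:
            fresh = store.events_since(last_pull_ts)
            pulled += len(fresh)
            if fresh:
                last_pull_ts = fresh[-1].ts
    return pulled, lost


if __name__ == "__main__":
    # 200 events/s (a rate mentioned elsewhere on this page) at an assumed 1 KiB per event
    print(f"retention at 200 ev/s, 1 KiB events: {retention_for_rate(200, 1024):.1f} s")
    small = CircularEventStore(capacity=1000)   # tiny store so the wrap is visible
    print("pull every 10 s:", simulate_puller(small, 2, 100, 10, 20), wrap_assessment(small))
```

The point the simulation makes is the one in the reply: the store itself never fails when full, but a puller whose interval is longer than the store's retention window silently misses the events overwritten between pulls, and the fix is to lower the alert rate (tune signatures) or pull more often, not to look for free disk space.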

Similar Messages

  • Cisco IPS ASA SSM-10 Connectivity Issues

    I am having trouble with connectivity and the IPS Module. The IPS management interface is plugged into a Dell PowerConnect switch using a straight cable and it shows a link. However I cannot ping the IP address I have assigned to the management interface. It's almost like the interface is shut down. Could this be the case? Can the management interface shut down? If so, how do I bring it up? If not, what would be some troubleshooting techniques for the IPS Module?

    First of all issue the command:
    "show module 1 details"
    To check if your module is in UP state.
    If it is not UP, have a look at:
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00808908d5.shtml
    Also check if the port is UP/UP on the switch.
    Please also note that in order for the IPS IP to be pingable, the SOURCE pinging should be permitted in the access-list of the IPS (which can be done using the 'setup' command or under service host). A better approach would be to ping the machine from the IPS itself, as this is not dependent on the access list on the IPS.
    Regards
    Farrukh

  • Event Store on IPS ASA-SSM-10

    Hi Guys.
    I'm trying to find out the size of the event store for the IPS ASA-SSM-10 and if it's possible to configure how it will be overwritten.
    I can't find any information about it.
    Does anyone know anything?
    Best Regards

    Ernesto

  • Monitor Inspection Load IPS ASA-SSM-20

    All,
      I am aware there is a feature request but don't see any updates.  Taking the chance here that it's fallen through the cracks and someone has figured out another way to monitor inspection load on ASA-SSM-20 IPS.  We are currently running 7.0(5a)E4.  I want to be able to use SolarWinds Orion to monitor Inspection Load on our IPS devices.  Does anyone know if that is yet possible... if so, how?
    Thanks!

    Bump +1

  • Evaluating Cisco IPS AIP-SSM-10 alongside Tipping Point S330

    Hello all,
    What are your thoughts on this matter?  I am also going to be looking at the Palo Alto solution for IPS as well.
    I'm probably going to use the Cisco 4200 sensors if they offer multi-segment like the Tipping Point does. 
    I'm looking at protecting the perimeter but NOT replacing my current firewall.  The current firewall is the Microsoft TMG.
    I like what I see on the Cisco IPS Express.  I've also looked at the CSM for management.  It seems that Cisco is a lot more flexible when it comes to editing and managing the signatures.
    Are there similar experiences out there that you would like to share?
    Thanks!
    Kurt

    Both products are pretty strong. But Tipping Point has a much more comprehensive, promptly updated, and well-managed signature base. Both products can monitor multiple segments (terminologies are different).
    A good way to compare is to subscribe to their IPS signature updates and see the difference, I mean both from Cisco and DV Labs.
    BR
    Farrukh

  • ASA IPS/ASA-SSM-10 Password Lost

    Hi.
    I just started administering an ASA with an IPS module, but the password is lost. I have tried the default but cannot get in.
    If I try to tftp using management, it is even on, but the switch does not see it up and I cannot administer it from there.
    How can I recover the password for the IPS module?

    Ernesto
    I found this in the configuration manual for the IPS:
    The following password recovery options exist:
    • If another Administrator account exists, the other Administrator can change the password.
    • If a Service account exists, you can log in to the service account and switch to user root using the command su - root. Use the password command to change the CLI Administrator account's password. For example, if the Administrator username is "adminu," the command is password adminu. You are prompted to enter the new password twice. For more information, see Creating the Service Account.
    You can reimage the sensor using either the recovery partition or a system image file.
    If you want to see more detail here is the URL:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055dfcd.html
    HTH
    Rick

  • Need assistance to configure ASA-SSM-10

    Hello All,
       Can someone assist me in setting up the IPS ASA-SSM-10 module in an ASA 5520 firewall? I have just licensed the box. It would be great if someone can help me with relevant videos/docs to configure the SSM module to enable all the required IPS features for the box to run. I am running ASDM 6.4, and if anyone has the configs to enable it via ASDM or CLI, whichever is feasible is fine. Kindly assist. Below are the module details.
    ASA 5500 Series Security Services Module-10
    Model:              ASA-SSM-10
    Hardware version:   1.0
    Firmware version:   1.0(11)5
    Software version:   7.1(8)E4
    App. name:          IPS
    App. Status:        Up
    App. Status Desc:   Normal Operation
    App. version:       7.1(8)E4
    Data plane Status:  Up
    Status:             Up
    Regards,
    Karthik

    Do you need the syslogs to be sent, or the events?
    IPS sensors do not support syslog forwarding. Syslog is fairly restrictive in size of messages and is not secure or reliable.
    The sensor does support sending of events using SNMP (again with the same set of restrictions: not full data, clear text, not reliable).
    There is a physical ability to send events as traps. It isn't recommended for many reasons (or let's say it isn't recommended in the same way that monitoring using SDEE is). SNMP trap receivers generally aren't built to handle, say, 200 events per second per device. The sensor isn't capable of sending at the same event rate as it is with SDEE. The traps are in clear text and are not reliably sent. They don't contain the same amount of info as an SDEE event, and can't.
    If you need the events to be sent to a database, you can run Cisco IME, which can collect all the events generated by the IPS.
    Hope this helps.
    Sachin

  • Correlating Cisco ASA-SSM-IPS Events/Logs

    I have just configured a Cisco ASA-SSM-IPS10. An exciting feature of this device is the ability to monitor, analyse, and correlate security events. Can anybody help with documentation to simplify daily (or periodic) analysis and correlation of the IPS logs? As I am not yet up to speed with this task, a "How-to" document would be just fine.  Thank you.

    Hi Chris,
    Good to have you get on the case. I am yet to set up an IPS manager software. Presently, I use an ASDM 6 interface; with this interface, I am able to view events and alerts, and perform other administrative chores... The IPS Manager Express, does it come bundled with our device purchase? Does it contain the necessary templates/docs for correlating events/logs?

  • Cisco IPS SSM 10 Sensor can't update signature file from ASA 5510

    Cisco ASA 5510 IPS Firewall with ASA-SSM-10 Module.  I am trying to do a manual update of the signature file and get the following error:
    Error: execUpgradeSoftware : couldn't connect to host
    I have confirmed that I can ping the ftp server successfully from the ASA and the command I am trying to use from the configure terminal of the module is:
    upgrade ftp://[email protected]//IPS-sig-S813-req-E4.pkg
    I have also tried via http and it does not work as well.  Any thoughts?

    To connect to FTP there should be a username, usually anonymous, and a password, which can be anything. Check on the FTP server:
    aip_ssm_card# copy  ftp://192.168.15.12/JAF1308ARNJ_20131009032200919.lic license-key 
    User: anonymous
    Password: *********
    the username and/or the password are incorrect
    aip_ssm_card# copy  ftp://192.168.15.12/JAF1308ARNJ_20131009032200919.lic license-key 
    User: 123
    Password: ***
    File opening error
    I made special user 123 on ftp server with password 123
    aip_ssm_card# copy  ftp://192.168.15.12/JAF1308ARNJ_20131009032200919.lic license-key 
    User: 123
    Password: ***
    aip_ssm_card# 
    And don't forget to rate the post.

  • ASA SSM IPS module upgrade won't work

    Hello all,
    I'm trying to upgrade the IPS sigs on an ASA5520 with an SSM IPS module. I'm trying to upgrade the system to 5.1.1 to further upgrade the device, with no luck.
    I followed these steps provided by Cisco.com:
    1. Log in to the ASA.
    2. Enter enable mode:
    asa# enable
    3. Configure the recovery settings for ASA-SSM:
    asa (enable)# hw-module module 1 recover configure
    NOTE: If you make an error in the recovery configuration, use the
    hw-module module 1 recover stop command to stop the system reimaging
    and then you can correct the configuration.
    4. Specify the TFTP URL for the system image:
    Image URL [tftp://0.0.0.0/]:
    Example:
    Image URL [tftp://0.0.0.0/]: tftp://10.20.30.40/IPS-SSM-K9-sys-1.1-a-5.1-1.img
    5. Specify the command and control interface of ASA-SSM:
    Port IP Address [0.0.0.0]:
    Example:
    Port IP Address [0.0.0.0]: 11.21.31.41
    6. Leave the VLAN ID at 0.
    VLAN ID [0]:
    7. Specify the default gateway of the ASA-SSM:
    Gateway IP Address [0.0.0.0]:
    Example:
    Gateway IP Address [0.0.0.0]: 11.22.33.44
    8. Execute the recovery:
    asa# hw-module module 1 recover boot
    9. Periodically check the recovery until it is complete.
    NOTE: The status reads "Recovery" during recovery and reads "Up" when
    reimaging is complete.
    After #8 it just goes back to the enable prompt. A 'sh module' lists the device as 'recover' and hangs FOREVER.... I tested the TFTP server which the new image resides on, and the TFTP is working fine. I don't see any attempts or downloads from the TFTP server for over an hour.
    I opened a Cisco TAC case on this and am not receiving a lot of help...
    Please help!!!:)
    Thanks
    Chris Serafin
    [email protected]

    The recovery using this method can take upwards of 30 minutes, and in some cases even longer.
    How long have you left the SSM in the "recovery" state?
    There may be something wrong in the config you entered. when that happens the SSM can go into a continuous reboot cycle trying to do the recovery.
    Execute "debug module-boot" on the console of the ASA.
    The debug output will show you the ROMMON output of the SSM itself. (The SSM has it's own ROMMON. The recovery boot command sends the settings made during the recover configure command to the SSM's ROMMON).
    If the ROMMON is experiencing a problem in trying to download the tftp image you should now see that ROMMON error message.
    Some typical problems I have seen:
    1) Wrong IP given for the sensor.
    2) Wrong IP given for the gateway (the gateway must exist on the same network as the sensor) this problem usually happens when using a non-standard netmasked network.
    3) Not having the sensor's command and control port plugged into the right network. The external port of the SSM itself is where the IP is being applied. You need to ensure that the external port of the SSM is plugged into the right network for that IP.
    4) The tftp server is not reachable from the network where the sensor's command and control port is attached. Some users think that if the ASA itself can reach the tftp server that the SSM will also be able to. This is not always the case. It is best to use a tftp server on the same network as the IP provided to the SSM. Or to test the tftp server from another machine on the same network as the SSM.
    5) The file name is wrong. Check the capitalization especially.
    6) The file is not in the default directory on the tftp server. If the file is in a subdirectory you will need to add that subdirectory to the URL:
    tftp://10.20.30.40/subdirectoryname/filename
    7) The tftp is timing out.
    There are 2 things that can cause this:
    a) The tftp server is remote, and it takes too long to download the file. The ROMMON does have limits on the number of retries and per packet timeouts (but they are not user configurable). Try using a tftp server local to the SSM.
    b) The switch that the SSM connects to has spanning-tree running and spanning-tree does not complete before the SSM ROMMON times out for the tftp attempt. The tftp attempt happens immediately upon ROMMON startup and link up. But with a switch the switch port may be in a "Listen" or "Learn" state for 40 seconds before the box can actually talk on the network. In some cases the tftp download attempts started as soon as link up, and may timeout even before the spanning-tree completes. To work around this configure "spanning-tree portfast" on the switchport. Spanning-tree will connect the port into the vlan immediately rather than 40 seconds later.
    If it was a config problem when configuring the recovery settings, then there is a "recover stop" command on the ASA.
    It will stop the reboot cycle from happening.
    Let the module come up with the old image.
    Then correct your "recover configure" settings, and try the "recover boot" again.
    Another alternative:
    Stop the recovery "recover stop"
    Let it boot into the old image.
    If it was a 5.0 version, then you can actually upgrade to 5.1 using the sensor's own CLI "upgrade" command. It is actually the preferred method.
    The "recover" from the ASA will wipe the box clean and load a fresh image.
    The "upgrade" from the sensor will convert your 5.0 config into a 5.1 config while installing 5.1.
    5.1 upgrade file:
    IPS-K9-min-5.1-1g.pkg
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
    It can be applied through the sensor's CLI upgrade command, or pushed directly through IDM, or applied by CSM.
    The "recover" should be limited to disaster recovery. When you can't access the SSM at all, or the files on the SSM have been corrupted.
    For normal upgrades you want to use "upgrade" files done through the sensor itself (CLI, IDM, or CSM).

  • Proper ASA-SSM-20 IPS and MARS Intergration

    I'm trying to understand how to best manage my MARS and ASA-SSM-20 IPS implementation. I've been running this solution for about 2 months and have been experimenting with how to manage alerts from the blades to MARS.
    The MARS documentation says to configure 2 Event Action Overrides: Verbose Alerts and Log Pair Packets. However there seems to be a major drawback:
    1. The IPS generates alerts for signatures that by default have no alert action configured. At first glance this seems ok, but over time I found that many false positives are generated for signatures that would otherwise remain quiet.
    My question is, how should this be managed? I want verbose alerts and logged pair packets for signatures that produce alerts by default, but if I manually configure this, is there a performance consideration?

    You might be hitting the bug CSCuc34812.
    Please contact Cisco TAC to have the issue analyzed.
    Regards,
    Sawan Gupta

  • How do I backup an IPS config (ASA-SSM-10)

    Hi,
    How do I backup an IPS config (ASA-SSM-10)?
    Thanks

    There is a copy command in the IPS CLI that can be used to copy the current configuration to a backup configuration on the sensor itself.
    Or to copy the current configuration to an FTP or SCP server.
    The copy command can then be used to copy a configuration from backup or from an FTP or SCP server back to the running configuration of the sensor.
    http://www.cisco.com/en/US/docs/security/ips/6.2/command/reference/crCmds.html#wp458440

  • Upgrading IPS strings, ASA SSM-10 module

    I am having a challenging time upgrading the ASA SSM-10 IPS module. I downloaded the IPS-sig-s327-req-e1.pkg to a Win XP FTP server (my workstation). The instructions in the following do not work: http://download-sj.cisco.com/cisco/ciscosecure/ips/6.x/sigup/IPS-sig-S327.readme.txt
    "error: execUpgradeSoftware : Connect failed". Any suggestion would be appreciated.

    I can connect the LAN switch directly to the inside interface of the ASA5510 firewall. Hosts can get Internet connectivity while cabled to the switch. However, when the LAN switch is connected to the port on the IPS module, there is no Internet connectivity. Any suggestions would be appreciated. The following is the sh configuration and sh int output.
    sh configuration
    Version 5.1(6)
    ! Current configuration last modified Sat Apr 05 12:28:11 2008
    service interface
    exit
    service analysis-engine
    virtual-sensor vs0
    physical-interface GigabitEthernet0/1
    exit
    exit
    service authentication
    exit
    service event-action-rules rules0
    exit
    service host
    network-settings
    host-ip 192.168.1.36/24,192.168.1.10
    host-name ips
    telnet-option enabled
    access-list 0.0.0.0/0
    exit
    time-zone-settings
    offset 0
    standard-time-zone-name UTC
    exit
    exit
    service logger
    exit
    service network-access
    exit
    service notification
    exit
    service signature-definition sig0
    exit
    service ssh-known-hosts
    exit
    service trusted-certificates
    exit
    service web-server
    exit
    ips# sh interfaces
    Interface Statistics
    Total Packets Received = 6806
    Total Bytes Received = 2001784
    Missed Packet Percentage = 0
    Current Bypass Mode = Auto_off
    MAC statistics from interface GigabitEthernet0/1
    Interface function = Sensing interface
    Description =
    Media Type = backplane
    Missed Packet Percentage = 0
    Inline Mode = Unpaired
    Pair Status = N/A
    Link Status = Up
    Link Speed = Auto_1000
    Link Duplex = Auto_Full
    Total Packets Received = 6807
    Total Bytes Received = 2001866
    Total Multicast Packets Received = 0
    Total Broadcast Packets Received = 0
    Total Jumbo Packets Received = 0
    Total Undersize Packets Received = 0
    Total Receive Errors = 0
    Total Receive FIFO Overruns = 0
    Total Packets Transmitted = 6807
    Total Bytes Transmitted = 2017118
    Total Multicast Packets Transmitted = 0
    Total Broadcast Packets Transmitted = 0
    Total Jumbo Packets Transmitted = 0
    Total Undersize Packets Transmitted = 0
    Total Transmit Errors = 0
    Total Transmit FIFO Overruns = 0
    MAC statistics from interface GigabitEthernet0/0
    Interface function = Command-control interface
    Description =
    Media Type = TX
    Link Status = Down
    Link Speed = N/A
    Link Duplex = N/A
    Total Packets Received = 126
    Total Bytes Received = 14255
    Total Multicast Packets Received = 0
    Total Receive Errors = 0
    Total Receive FIFO Overruns = 0
    Total Packets Transmitted = 1
    Total Bytes Transmitted = 64
    Total Transmit Errors = 0
    Total Transmit FIFO Overruns = 0

  • CISCO ASA SSM-10

    I have an ASA 5520, and I have Cisco ASA SSM-10, but I'm not sure how to work with it. My problems are here:
    1. What software do I need to get this to work
    2. From the RJ45 connection on this module, where does it connect to?
    3. Give me some guide to configure it and test to see if it works.

    Hi,
    You need to do a couple of things to get this to work.
    1. Configuration on the ASA to forward the traffic to the module
    2. Choose whether you are going to run the IPS in inline/promiscuous mode
    3. Configure the IPS module
    Configuring the ASA to forward the traffic to the module (pick one of inline/promiscuous and one of fail-open/fail-close):
    access-list IPS extended permit ip any any
    class-map IPS
     match access-list IPS
    policy-map global_policy
     class IPS
      ips {inline | promiscuous} {fail-open | fail-close}
    When you do this the ASA is configured to send the traffic to the module.
    Now you need to get in to the IPS
    You can get into it through the CLI on the ASA:
    session 1
    it will ask you for username and password
    both are cisco by default
    run the command setup
    and it will walk you through the initial configuration of the sensor.
    once the sensor is configured
    log in to the IDM
    and go to Configuration >> Policies and assign vs0 to the backplane interface of the module so that the signatures act on the traffic.
    You can connect the port on the front of the module to the switch VLAN where the other interface exists, from where you want to see this traffic and want the IPS to come into action.
    Suppose you want to apply the IPS on inside network
    ASA inside interface ip:-192.168.1.1
    Module ip:-192.168.1.3/192.168.1.1
    Here the gateway for the module is the ASA inside interface.
    Now all the traffic going outbound or coming in from the inside interface will be monitored by the IPS.
    now connect the ethernet interface of the module to the same vlan on switch where your inside interface is connected.
    Now you can even manage the IDM of the IPS just like you manage the ASDM for the ASA, you just need to have your host/network allowed to gain access to it.
    Thanks

  • Swap Cisco ASA SSM-10 from dead firewall

            Good afternoon,
    I currently have 2 Cisco 5510 firewalls. One of the firewalls is completely dead but contains a Cisco ASA SSM-10. Can I remove this card and just place it into a working unit? Will I have any problems doing so?
    Regards
    Paul

    No, that shouldn't be a problem at all as the serial number of the SSM-10 module does not get linked to the actual ASA appliance.
