Initial hookup of IPS-SSM in an ASA to a switch

I have an ASA-5520 with an IPS-SSM-40. I configured the IPS control port to an IP address on the ASA's inside network subnet and connected it to the same switch as the ASA's inside port is connected to. I am using a single context. What VLAN should the switch port be on that connects to the IPS?
I can SSH to the ASA and go to session 1 and see the config. But I cannot connect through the ASDM.
ASA 5500 Series Security Services Module-40
Model:              ASA-SSM-40
Hardware version:   1.0
Serial Number:      JAF1545CBNM
Firmware version:   1.0(14)5
Software version:   6.0(6)E4
MAC Address Range:  44d3.ca0f.0413 to 44d3.ca0f.0413
App. name:          IPS
App. Status:        Up
App. Status Desc:
App. version:       6.0(6)E4
Data plane Status:  Up
Status:             Up
Mgmt IP addr:       192.168.0.12
Mgmt web ports:     443
Mgmt TLS enabled:   true

The config that you have earlier should already allow access to the IPS via AnyConnect. Please remove the config that you have just added as it sounds incorrect.
Can you ping the IPS from the AnyConnect client?
I assume that you can ping 192.168.0.31 and 192.168.0.4 when you are connected via AnyConnect, right?
If you can, then you should be able to ping 192.168.0.12 as well. I also assume that the port on the module is connected to the same switch where the ASA inside interface is connected.
Can you install a TFTP server on a host on your inside network, and transfer the image to the IPS module via an inside host. I assume you can RDP to an inside host once you are connected via AnyConnect.
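The reply suggests reimaging the module from a TFTP server on an inside host. The ASA-side sequence for that is written out below as an added example; it is not taken from the thread. One point worth knowing before starting: during recovery the module boots into ROMMON and fetches the image over its own external management port, so the TFTP server has to be reachable from that port (same VLAN as the management IP, or routed to it), not through the ASA's data interfaces. The TFTP server address 192.168.0.50 and the image file name are placeholders I assumed; 192.168.0.12 is the management IP shown in the `show module` output above, and the gateway 192.168.0.1 is assumed to be the ASA's inside address.

```text
! Example only (not from the original post). Assumed: TFTP server 192.168.0.50 on the
! inside VLAN, gateway 192.168.0.1, image file name <image-file>.img.
! The module's management port must reach 192.168.0.50 directly; the ASA is not in that path.
ciscoasa# hw-module module 1 recover configure
Image URL [tftp://0.0.0.0/]: tftp://192.168.0.50/<image-file>.img
Port IP Address [0.0.0.0]: 192.168.0.12
VLAN ID [0]: 0
Gateway IP Address [0.0.0.0]: 192.168.0.1
!
! Reimaging rewrites the sensor's application partition, which wipes its configuration.
ciscoasa# hw-module module 1 recover boot
ciscoasa# debug module-boot            ! watch the ROMMON/TFTP progress; "no debug module-boot" to stop
ciscoasa# show module 1 details        ! repeat until Status and App. Status both show Up
!
! Then log in over the backplane and run the initial setup (default login cisco/cisco,
! which the sensor forces you to change on first login).
ciscoasa# session 1
sensor# setup
```

If `show module 1 details` stays at Recover or Init for a long time, the usual cause is that the management port cannot reach the TFTP server (wrong VLAN on the switch port, or the TFTP host on a different subnet with no gateway given); `debug module-boot` shows the TFTP attempts and their failures.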

Similar Messages

  • ASA 5510 8.4(2) and IPS SSM-20 7.0(6) E4

    Hi, I'm thinking the ASA 5510, ver. 8.4(2) with IPS SSM-20 ver. 7.0(6) E4  falls into IPS unresponsive state.
    Now I'm testing the ASA 5510 ver. 8.4(2) with IPS SSM-20 ver. 7.0(4) E4, to verify if the system falls into the same condition.
    Any experience ?
In case of incompatibility, how to downgrade IPS SSM-20 to 7.0(4)?
    thanks
    rs

You may remove the last signature update or service pack by using the "downgrade" command in config mode on the IPS CLI:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_system_images.html
    "Downgrading removes the last applied service pack or signature update from the sensor."

• Cisco IPS 4240 VS Cisco ASA AIP SSM-10 Module

I'm looking to replace another vendor's IPS system we have at our company. We do have an ASA 5510 in our environment currently.
    Considering I don't need the extra bandwidth of the IPS 4240 series and the AIP SSM-10 requires an ASA 5510 what are the differences?

    Operationally the AIP-SSM1 and the 4240 run the same software, so they work pretty much the same.
The AIP-SSM inside the ASA is the less expensive alternative, but because it sits inside an ASA there is more to configure and manage (the ASA plus the sensor). The ASA also has some built-in inspections that may filter some traffic/attacks from being seen at the AIP-SSM sensor.
    - Bob

  • Cisco ASA IPS SSM-10

    Hello,
    I just upgraded one of my Cisco ASA IPS SSM-10 from version 7.0 (6) E4 to version 7.0 (7) E4 and the Radius authentication stopped working. I use Microsoft 2008 Radius and I still have 10 more of these working with version 7.0 (6) E4.
    I used to have the same Radius authentication issue with version 6 until we upgraded to ver 7.0 (6) E4 and this latest version screwed up again.
    Does anyone know if there is a Radius authentication bug in this latest version 7.0 (7) E4?
    Thank you
    Si

    There is a known issue CSCty46104. However a show-tech log can give more details as to why there was a failure in your case.
    Regards
    Sawan Gupta

  • SSM-10 on ASA

    Hi,
    Would appreciate if any gurus can help me with basic document/writeups stating how IPS SSM-10 works on an ASA and  rules/configuration requirements for this.
    Thank You!

    Also https://supportforums.cisco.com/docs/DOC-5668#Configuring_the_ASA_for_the_CSCSSM_ will show you how to divert traffic to the SSM.
    The only thing that changes is the "csc fail-open" becomes "ips inline fail-open"
    I hope it helps.
    PK

  • AIM-SSM interfaces and ASA 5510

    All, can anyone explain if and how routing works between the ASA and the IPS card?
    1)Is the single NIC in the IPS card for management purposes only?
    2)Is the IP address configured in the card's setup process for this one NIC?
    3) need there be any routing between e.g. the ASA management or any other interface and the card management interface or can they reside on completely separated networks?
    Thanks
    Jonathan

    The IPS card has 3 interfaces.
    The management interface is external interface that you plug a network cable in to. The IP address is configured by the user during setup.
    The sniffing interface is the internal interface on the ASA data backplane. No IP address is ever assigned to this interface.
The control plane interface is an internal interface on the ASA control plane so that the ASA can communicate internally to the SSM (the session command runs through this interface). The control plane IP address is controlled by the ASA and not user configurable.
    The management interface is for management only.
    The IP Address configured during setup is only for this management interface.
    As for routing between the ASA and the SSM, this is completely up to the user.
    All communication from the ASA to the SSM is done internally through the control plane interface and so the ASA itself does not need to know how to communicate to the SSM management IP.
The SSM, however, does need to communicate from its management IP to one of the ASA interfaces in order to do Blocking/Shunning on the ASA. Blocking/Shunning is not done through the control plane.
    When using IDM or ASDM for configuration the java applet web browses to the SSM management IP so the machine running IDM or ASDM must either be on the local network of the management port of the SSM, or be routable to the network.
    Some scenarios:
    1) Only one machine (IDS MC/Sec Mon) communicating with the SSM. In this scenario you could take a crossover cable and directly connect the one machine to the SSM.
    The SSM can then communicate only to that one machine.
    2) A secure network for managing the security devices that is NOT routable to/from other networks.
    In this scenario the management box, the management port of the SSM, and the management port of the ASA would all be placed on this one network.
The SSM would only be able to communicate with the management box, and the ASA management port.
    The ASA management port is configured as a management-only port so the ASA will not route in/out of the management network.
So only the management box on that local network can communicate with the SSM, and no remote boxes can connect directly to the SSM.
    (NOTE: Blocking/Shunning will work here because the SSM can talk to the ASA)
    3) A secure network that IS routable to/from other networks.
    Similar to option 2 above, but in this scenario the management port of the ASA is configured to NOT be a "management-only" port, and is instead treated like any other port on the firewall. In this setup the management port of the ASA CAN route in/out of the management network.
    NOTE: In most cases the ASA will need to configure a NAT address for the SSM management IP if users intend to connect to the SSM management IP remotely from the Internet (like running ASDM from the company main network over the internet to configure the ASA and the SSM at a remote site)
4) SSM management IP on one of the normal networks behind the ASA. In this scenario the management port of the SSM would be plugged into a switch or hub where other internal machines are plugged in (like plugging into the DMZ switch/vlan). From the ASA standpoint the SSM management port would be treated just like any other web and ssh server behind the firewall.
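As an added example (not configuration from the thread), here is scenario 4 from the reply written out, together with the traffic diversion that the SSM-10 answer earlier on this page refers to with `ips inline fail-open`. It assumes the sensor management port is patched into the inside VLAN with IP 192.168.0.12/24, the ASA inside interface is 192.168.0.1, an SSH account named ips-blocker exists for the sensor's blocking, and IPS 6.x CLI syntax; the object names, the account and the secrets are placeholders.

```text
! ===== ASA =====  (example, not from the thread; addresses and user name are assumed)
! 1. Send traffic to the sensor over the backplane. The ACL selects what the sensor
!    inspects. "fail-open" keeps forwarding if the module is down (availability over
!    inspection); use "fail-close" if traffic must never bypass the IPS.
access-list IPS_TRAFFIC extended permit ip any any
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
service-policy global_policy global
!
! 2. Blocking/shunning comes from the sensor's management IP to the ASA over SSH,
!    not over the backplane, so allow exactly that host and give it an account.
username ips-blocker password <assumed-secret> privilege 15
aaa authentication ssh console LOCAL
ssh 192.168.0.12 255.255.255.255 inside
!
! ===== Sensor (reached with "session 1" from the ASA) =====
! 3. Management address on the inside subnet, and the hosts allowed to reach it
!    (ASDM/IDM over 443, SSH). Anything outside the access-list is dropped by the sensor,
!    which is why ASDM fails when the management workstation's subnet is missing here.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
sensor(config-hos-net)# host-ip 192.168.0.12/24,192.168.0.1
sensor(config-hos-net)# access-list 192.168.0.0/24
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes?[yes]: yes
!
! 4. Let the sensor block on the ASA: trust the ASA's SSH key, store the credentials
!    in a profile (enable-password is the ASA enable secret), register the ASA as a
!    managed firewall, and switch blocking on.
sensor(config)# ssh host-key 192.168.0.1
sensor(config)# service network-access
sensor(config-net)# user-profiles asa-inside
sensor(config-net-use)# username ips-blocker
sensor(config-net-use)# password
Enter password[]: ********
sensor(config-net-use)# enable-password
Enter enable-password[]: ********
sensor(config-net-use)# exit
sensor(config-net)# firewalls 192.168.0.1
sensor(config-net-fir)# communication ssh-3des
sensor(config-net-fir)# profile-name asa-inside
sensor(config-net-fir)# exit
sensor(config-net)# general
sensor(config-net-gen)# block-enable true
sensor(config-net-gen)# exit
sensor(config-net)# exit
Apply Changes?[yes]: yes
```

Two checks after applying this: `show statistics network-access` on the sensor should list 192.168.0.1 as a connected managed device, and `show service-policy` on the ASA should show packet counts climbing under the IPS class. The `ips-blocker` account can add and remove `shun` entries, so treat its password with the same care as the enable secret and keep the `ssh` statement limited to the sensor's single host address.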

  • New to IPS SSM 10

Can I know the link where I can get the guide on how to work on IPS SSM 10 (Cisco IDM 6.0)?

    Configuring the AIP-SSM, IPS CLI Config Guide v6.0
    http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliSSM.html
    Troubleshooting the ASA AIP-SSM
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00808908d5.shtml
    Sending traffic from ASA to AIP-SSM config example
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
    Deploying IPS using the AIP-SSM
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/white_paper_c11-459025_ps6120_Products_White_Paper.html
    Getting started guide ASA v8.0 configuring the AIP-SSM
    http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/aipssm.html
    initialize the AIP-SSM
    http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliInit.html#wp1043876
    installing the AIP-SSM system image
    http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliImage.html#wp1032373

  • Does IPS SSM affected by the Shellshock bug?

    Anybody knows if the independent IPS appliance is only affected or also the IPS SSM installed on a cisco ASA are vulnerable?
    Thanks

According to this, yes, it's vulnerable:
    https://tools.cisco.com/bugsearch/bug/CSCur00552

  • IPS modules in Cisco ASA 5510 Active/Standby pair.

All, I am looking to add the IPS module to my ASA 5510's. I am contemplating only purchasing one module and placing it in the active ASA. I am willing to accept that in a failure scenario I will lose the IPS functionality until the primary ASA is recovered. I have not had a chance to talk to my SE to see if this is even possible. Has anyone attempted a deployment such as this? Will it work and is it supported?
    Sent from Cisco Technical Support iPad App

Ok, that is what I needed to know.  The purpose of us having an active/standby ASA is to keep the business up and going for the very rare times there could be an active ASA failure.  The purpose for the IPS would be to help protect and inspect traffic and is not necessary to keep the business running.  If we implement IPS I am not worried at all if during the times when the primary ASA is down (hasn't been down for over three years now) we lose the IPS functionality.  This is not worth the $1000 extra per year to us.
    Thanks for the responses though.  That answers my questions.

  • Single AIP-SSM in Cisco ASA Failover Active / Standby Mode

    Hi,
Can I add a single AIP-SSM on a Cisco ASA in failover active/standby mode?

    No, both units need the same hardware, that includes the installed modules.
    Sent from Cisco Technical Support iPad App

  • Lost objectives, initiatives and milestones in SSM

I have lost the objectives, initiatives and milestones after deleting the application group.
We have created a demo environment for a client demo.
Created the context, application groups, perspectives, objectives, initiatives and milestones in SSM Administrator's user interface.
Initiatives are created with the corresponding application groups.
We realized that the application groups weren't linked with any SAP NetWeaver UME system group. Then we deleted the application groups in SSM Administrator's user interface in order to create them correctly.
After that we see that the objectives, initiatives and milestones don't appear in the SSM > Initiatives tab. The strange thing is that we can see objectives and initiatives when clicking on the goal diagram.
We think that after deleting the application group the values were deleted from the initiatives, milestones, etc.
    How can we recover initiatives, milestones, etc?

    Thank you for your answer Bob.
I would like to update the information posted. I only lost initiatives and milestones (not objectives) after deleting an application group.
I understand when you say if you delete an application group you lose the initiatives associated with it. It is what happened to me. But the strange thing is that although the initiatives aren't in the Initiatives tab I am still seeing them when I click on the goal diagram.
If I click on the initiative link on the goal diagram an error message appears: "Cannot display linked inititative contact your System administrator. Initiative may have been deleted, or you may not have permission to view it".
Do you know how it is possible to view the "old initiatives" in the goal diagram if they were deleted? Are the initiatives still saved in the server?
    Regards,
    Santiago

  • Custom IPS sigs on NGFW (ASA-CX) IPS solution?

    Hi folks,
    I am trying to determine if it is possible to create custom IPS sigs on the ASA-CX module?  Not the ASA + Legacy IPS combo, but the ASA + ASA-CX (Application Detection, Web Filtering, IPS) combo.
    I couldn't find anything in the docs that said this was possible.
    Thanks!
    Neil

    Thank you for your response.  However my question was targeted towards Intrusion Prevention signatures such as the ones found on the traditional IPS units.  I would want the ability to use the various IPS engines such as Atomic IP, HTTP, etc and create sigs that match on things inside the packet, URL string, etc.
    Thanks!

  • IPS SSM 20 software upgrade

    Hi ,
What is the latest version of the IPS SSM 20 software, and what is the procedure to upgrade it?
    Regards
    Mambo

Have you ever searched for and downloaded a router software update?
If you have, it works just like that.
    The latest version of software is IPS-SSM_20-K9-7.1-8-E4.pkg
If you have a valid license you'll also want to apply the latest signature pack (as of today it is)
    IPS-sig-S754-req-E4.pkg
    If you have a CCO account you can find them both here:
    http://software.cisco.com/download/type.html?mdfid=280432811&flowid=29561
    - Bob
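Added example (not from the thread) of the sensor-side `upgrade` command this reply leaves implicit, and of the `downgrade` command the earlier SSM-20 reply on this page points to, using the two file names Bob lists. The SCP server 192.168.0.50, its user name ipsadmin and the directory /srv/ips are assumed; `show version` before and after is how you confirm what was actually applied.

```text
! Example only; 192.168.0.50, user ipsadmin and /srv/ips are assumed. File names are
! the ones named in the reply. scp is used rather than ftp so the credentials and the
! package do not cross the management network in clear text.
sensor# show version                              ! record the current SP and signature level
sensor# configure terminal
sensor(config)# ssh host-key 192.168.0.50          ! trust the SCP server's key before the first pull
sensor(config)# upgrade scp://ipsadmin@192.168.0.50//srv/ips/IPS-SSM_20-K9-7.1-8-E4.pkg
Password: ********
! Confirm the prompt; a major/minor/service-pack upgrade reboots the sensor to apply.
!
! After it comes back, the signature update (needs a current signature license):
sensor# configure terminal
sensor(config)# upgrade scp://ipsadmin@192.168.0.50//srv/ips/IPS-sig-S754-req-E4.pkg
Password: ********
sensor(config)# exit
sensor# show version                              ! expect 7.1(8)E4 and signature update S754
!
! If the last package causes trouble (for instance the unresponsive-IPS condition
! reported earlier on this page), "downgrade" backs out only the most recently
! applied service pack or signature update. Run it once per package to step back further.
sensor# configure terminal
sensor(config)# downgrade
```

Do the signature update after the service pack, not before: the signature package is built for a specific engine level (the E4 in both names), and the sensor rejects a signature update that its current engine does not support.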

  • Cisco ips ssm -- with cisco IME -- logs

Hi, can anyone tell me how do I pull the logs from the SSM module to the Cisco IME server for log analysis.
I know that syslog is not supported in SSM and the only option is to have an IME server...
    -Rajesh

    You will need to add the IPS-SSM module to your IME, and it will automatically pull logs from the module once it has been added to your IME.

  • Syslog support for IPS SSM 10

    Hi,
I am new to IPS SSM 10. I've a few questions:
1. Do we have any kind of syslog logs for IPS SSM 10? Basically I want to know what kind of attacks, intrusions & DoS have happened.
2. Can we update the signatures automatically through the Cisco site?

    The AIP-SSM does not support syslog as an alert format.
    The default method to receive alert information from the AIP-SSM is through Security Device Event Exchange (SDEE). Another option is to configure individual signatures in order to generate a SNMP trap as an action to take when they are triggered.
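Added example (not part of the reply) showing the SNMP trap option it mentions, on the IPS CLI: a trap destination under `service notification`, then either the trap action on one signature, as the reply describes, or an event action override that adds the trap to every high-risk event. The trap receiver 192.168.0.60 and the community string are assumed; signature 2004/0 (ICMP Echo Request, atomic-ip engine) is used because a single ping through the inspected path fires it, which makes the whole chain easy to verify.

```text
! Example only; 192.168.0.60 and the community string are assumed.
! 1. Where traps go. Without "enable-notifications true" nothing is sent.
sensor# configure terminal
sensor(config)# service notification
sensor(config-not)# trap-destinations 192.168.0.60
sensor(config-not-tra)# trap-community-name <assumed-community>
sensor(config-not-tra)# trap-port 162
sensor(config-not-tra)# exit
sensor(config-not)# enable-notifications true
sensor(config-not)# exit
Apply Changes?[yes]: yes
!
! 2a. Per-signature, as the reply describes: add request-snmp-trap to the action list.
!     2004/0 (ICMP Echo Request) is retired and disabled by default, so enable it for the test.
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 2004 0
sensor(config-sig-sig)# status
sensor(config-sig-sig-sta)# retired false
sensor(config-sig-sig-sta)# enabled true
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# engine atomic-ip
sensor(config-sig-sig-ato)# event-action produce-alert|request-snmp-trap
sensor(config-sig-sig-ato)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]: yes
!
! 2b. Fleet-wide alternative: an event action override that adds the trap to every
!     event with risk rating 90-100, so individual signatures are left untouched.
sensor(config)# service event-action-rules rules0
sensor(config-rul)# overrides request-snmp-trap
sensor(config-rul-ove)# override-item-status Enabled
sensor(config-rul-ove)# risk-rating-range 90-100
sensor(config-rul-ove)# exit
sensor(config-rul)# exit
Apply Changes?[yes]: yes
!
! Verify: ping a host behind the ASA through the inspected path, then
sensor# show events alert                 ! the alert itself, the same record SDEE/IME pull
sensor# show statistics notification      ! trap counters
```

The trap carries the same alert fields that SDEE consumers such as IME receive, but SNMP v2c traps are unauthenticated UDP with the community string in clear text, so keep the receiver on the management network and restrict it to the sensor's management address; SDEE over HTTPS with IME or ASDM remains the better primary feed, with traps as a lightweight path into an existing NMS. Remember to disable signature 2004 again after the test, or it will alert on every ping.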
