License Expiry on ASA Platform: ASA-SSM-20

Dear Sir/Madam,
Currently I have a Cisco ASA 5520 (Platform: ASA-SSM-20) and the license expires next month.
Could you let me know which P/N I should order for the renewal?
Best Regards,
Rechard.

Have you renewed your IPS license yet? Not sure what question you are asking; however, you can renew your IPS SmartNet through your vendor or directly with Cisco. You just need to provide your contract number or the serial number of your IPS device. While you are in the process of renewing your contract, you can get a temporary license from Cisco:
https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?DemoKeys=Y
Let us know if you still need any assistance with this.

Similar Messages

  • What is the current status for Kerberos Constrained delegation feature on the ASA platform?

    Hi Oscar,
    This is not available yet in the current software. Now, we cannot give any official information on this forum about software that has not been released yet, but if you really want to know I would suggest that you contact your local Cisco sales office to confirm with your account team which new features will be in the upcoming ASA 8.4 software release.
    hth
    Herbert

  • ASA Trend Micro SSM Application is down!

    Hi,
    I have a big problem with the ASA Trend Micro module. The SSM application is down; after a module restart it is up again, but not for long.
    How can I solve this problem?

    Sorry, but I don't understand what you want to say. How can that solve my problem?
    The CSC-SSM module always shuts down after 60 min, then I have to start it again with the command "hw-module module 1 reset". The license is OK; it expires in 2008. First I thought it was because of overload, but after working hours it shut down after 60 min too.
    Thanks in advance.

  • ASA Platform: Nesting Access List

    Is there a way to nest multiple access lists within the ASA? [In other words, can access-lists be grouped on interfaces?] If so, how many per interface?
    - If a link is available, please provide it.
    thx

    I would appreciate it if someone could provide feedback or guidance to a URL for additional reading on nesting access lists.

  • ASA IPS/ASA-SSM-10 Password Lost

    Hi.
    I just started administering an ASA with an IPS module, but the password is lost. I have tried the default but cannot get in.
    If I try to TFTP using the management interface, it is up, but the switch does not see it as up and I cannot administer it from there.
    How can I recover the password of the IPS module?

    Ernesto
    I found this in the configuration manual for the IPS:
    The following password recovery options exist:
    • If another Administrator account exists, the other Administrator can change the password.
    • If a Service account exists, you can log in to the service account and switch to user root using the command su - root. Use the password command to change the CLI Administrator account's password. For example, if the Administrator username is "adminu," the command is password adminu. You are prompted to enter the new password twice. For more information, see Creating the Service Account.
    • You can reimage the sensor using either the recovery partition or a system image file.
    If you want to see more detail, here is the URL:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055dfcd.html
    HTH
    Rick

  • ASA 5505 + ASA 5540 static VPN, ssh and rdp problems

    Greetings!
    I've recently set up a VPN between a Cisco ASA 5540 (8.4) and a 5505 (8.3).
    Everything works fine, but there is a small problem that is really annoying me.
    From the inside network behind the ASA 5505 I connect via rdp or ssh to a host inside the ASA 5540.
    Then I minimize the ssh and rdp windows and don't use them for ten minutes. But I still use the VPN for downloading some files.
    Then I open the ssh window - the session is inactive; I open the rdp window - I see a black screen (for 10-15 seconds, and then it shows RDP).
    There are no timeouts on ssh or rdp hosts configured, via GRE tunnel it works perfectly without any hangs.
    What can I do to get rid of this problem?
    Thanks in advance.

    Dear Fedor,
    You could try adding the following commands to your configuration (on both ASAs) in order to increase the timeout values of the specific TCP sessions:
    access-list rdp_ssh permit tcp 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 eq 22
    access-list rdp_ssh permit tcp 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 eq 3389
    class-map TCP_TIMEOUT
     match access-list rdp_ssh
    policy-map global_policy
     class TCP_TIMEOUT
      set connection timeout idle 0:30:00
      set connection timeout half-closed 0:30:00
    * Please make sure you define the specific RDP and SSH ports in the ACL and avoid the use of "permit ip any any".
    Let me know.
    Portu.
    Please rate any post you find useful.

  • Cisco ASA 5520 (asa 8.2) hairpinning

    Hi All,
    We have a ASA 5520 (redundant) in our network which we are using for different customers. For every new customer we create a new VLAN and place their servers in this VLAN. On the ASA we create a new subinterface for every customer which is connected to the corresponding VLAN.
    Most customers get a private IP range (e.g. 192.168.x.x/24) on which they should configure their servers. Because most customers don't need to access each other's servers, all VLAN interfaces have the same security-level of 50. I haven't enabled the "same-security-traffic permit inter-interface" option, so traffic between those interfaces is blocked, as expected.
    Some customers (e.g. customer A) need public webmail or SMTP access to their servers. So we use both NAT and PAT to make that happen.
    So, recently we got a customer (customer B) who placed their webservers behind our ASA. Because we didn't want to use NAT statements all the time, we decided to configure a public /29 subnet on their VLAN. Because the website on this customer's servers needs to be visible to everybody, we've lowered the security-level of this VLAN interface to 40 (instead of 50) and applied some ACLs. So other customers (e.g. customer A) are also able to reach the websites of customer B. So everything is just working fine.
    Now, customer A decided that they want to run their website on their own servers as well. So, I created a static PAT for TCP 80. So the website is accessible from the outside world. But... customer B is not able to reach customer A's website on the translated address. So, I've created a second PAT (using the same public address) but this time on customer B's interface. But still, we're not able to reach customer A's website.
    I've also enabled "same-security-traffic permit intra-interface", but still the website is unreachable for customer B.
    Here's a small drawing of the situation:
    The IP addresses are, of course, not real.
    Can anybody please help me with this issue?

    That's a very cool command that I didn't know about.
    I see that the packet is dropped at phase 7 (NAT-EXEMPT).
    Phase: 7
    Type: NAT-EXEMPT
    Subtype: rpf-check
    Result: DROP
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x74455b60, priority=6, domain=nat-exempt-reverse, deny=false
            hits=61, user_data=0x744558f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip=Cust_B_LAN, mask=255.255.255.240, port=0
            dst ip=Cust_A_LAN, mask=255.255.255.0, port=0, dscp=0x0
    Result:
    input-interface: Cust_B
    input-status: up
    input-line-status: up
    output-interface: Cust_A
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    It seemed that I had a nonat rule messing up the communication between these interfaces. After removing it, the traffic was flowing just fine.
    Thanks for your support.
    Ron
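    As an added example (not from the thread or from Cisco), a small Python parser for packet-tracer output of the kind quoted above: it isolates the first DROP phase and the rule domain that matched, which is exactly what pointed Ron at the stray nonat rule. The sample text is constructed around the phase 7 block in the post; the phase 1 record is made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    rule_domain: str = ""  # domain= of the first rule the phase matched

def _value(line: str) -> str:
    return line.split(":", 1)[1].strip()

def parse_packet_tracer(text: str) -> Tuple[List[Phase], Dict[str, str]]:
    """Split packet-tracer output into per-phase records plus the trailing
    summary block (interfaces, Action, Drop-reason)."""
    phases: List[Phase] = []
    summary: Dict[str, str] = {}
    cur: Optional[Phase] = None
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            cur = Phase(number=int(_value(line)))
            phases.append(cur)
        elif line.startswith("Result:") and not _value(line):
            in_summary, cur = True, None  # a bare "Result:" opens the summary
        elif in_summary and ":" in line:
            key, val = line.split(":", 1)
            summary[key.strip()] = val.strip()
        elif cur is None:
            continue
        elif line.startswith("Type:"):
            cur.type = _value(line)
        elif line.startswith("Subtype:"):
            cur.subtype = _value(line)
        elif line.startswith("Result:"):
            cur.result = _value(line)
        elif "id=0x" in line and not cur.rule_domain:
            match = re.search(r"\bdomain=([\w-]+)", line)
            cur.rule_domain = match.group(1) if match else ""
    return phases, summary

def diagnose(text: str) -> Dict[str, str]:
    """Answer 'where and why was the packet dropped?' from the parsed output."""
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p.result.upper() == "DROP"), None)
    if drop is None:
        return {"verdict": summary.get("Action", "unknown")}
    return {"verdict": "drop", "phase": str(drop.number), "type": drop.type,
            "subtype": drop.subtype, "domain": drop.rule_domain,
            "reason": summary.get("Drop-reason", ""),
            "path": summary.get("input-interface", "?") + " -> "
                    + summary.get("output-interface", "?")}

# Constructed sample (phase 7 and the summary follow the post; phase 1 is made up).
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW

Phase: 7
Type: NAT-EXEMPT
Subtype: rpf-check
Result: DROP
in  id=0x74455b60, priority=6, domain=nat-exempt-reverse, deny=false

Result:
input-interface: Cust_B
output-interface: Cust_A
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```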

  • Difference in ASA module, ASA 5510

    Folks,
    I am trying to get some good comparison data on the Cisco ASA module (5585 probably) and the Cisco 5510 physical device.
    We are looking to create contexts, and most of these contexts are dynamic in nature.
    What could be the advantages and disadvantages of using one or the other?
    I know the ASA 5510 supports virtual contexts, but I am not sure how many are supported by the base license and how many could be added.
    Further, the communication between the switch and the ASA module goes via the backplane, and in the case of the physical device it will go over a LAN cable (mostly 1 Gig). Will this be slower?
    Regards,
    Nikhil.

    Hi,
    Check if the datasheet below helps..
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html
    hth
    MS

  • Performance Difference between ASA-5512x & ASA-5515x

    Good Day,
    I have been asked to evaluate performance differences between 2 models of Cisco NG Firewall.
    Specifically the 5512x & 5515x.
    I have been doing some research, but want some real world opinions.
    http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/models-comparison.html
    The organization requesting a report has a 50 user network. They will never hit the hardware maximums.
    I am wondering from a performance & feature perspective if there is any difference (if we do not expect to come close to the VPN client or simultaneous connection or throughput limits etc.).
    The 5512 is a less expensive piece of hardware. Are there reasons to consider the 5515x that I have not considered?
    Thank you in advance.

    If you ever anticipate using them in an HA pair (or run in multiple context mode) you'd need to add the Security Plus license onto the 5512-X.
    Adding that license makes it almost the same price as the 5515-X (which does not require the separate license).

  • How to do a factory reset ASA-SSM-10?

    Hi.
    I forgot the user for managing an IPS SSM-10. When I follow the procedure to reset the password for the cisco user, I can get into the module, I change the password and everything is OK, but when I try to configure I don't have rights to do anything.
    If I look at the privileges for the user cisco, this is the result:
    EDGE-IPS2# sh user
        CLI ID   User    Privilege
    *   4143     cisco   viewer
    Application Partition:
    Cisco Intrusion Prevention System, Version 6.1(1)E2
    Host:
        Realm Keys          key1.0
    Signature Definition:
        Signature Update    S364.0                   2008-10-24
        Virus Update        V1.4                     2007-03-02
    OS Version:             2.4.30-IDS-smp-bigphys
    Platform:               ASA-SSM-10
    Serial Number:          JAF1208BNPP
    License expired:        20-Jun-2009 UTC
    Sensor up-time is 1:09.
    Using 657850368 out of 1032495104 bytes of available memory (63% usage)
    system is using 17.7M out of 29.0M bytes of available disk space (61% usage)
    application-data is using 41.5M out of 166.8M bytes of available disk space (26% usage)
    boot is using 40.5M out of 68.6M bytes of available disk space (62% usage)
    MainApp          M-2008_APR_24_19_16    (Release)   2008-04-24T19:49:05-0500   Running
    AnalysisEngine   ME-2008_JUN_05_18_26   (Release)   2008-06-05T18:55:02-0500   Running
    CLI              M-2008_APR_24_19_16    (Release)   2008-04-24T19:49:05-0500
    Upgrade History:
    * IPS-K9-6.1-1-E2           22:40:50 UTC Tue Feb 26 2013
      IPS-sig-S364-req-E2.pkg   18:43:20 UTC Wed Nov 12 2008
    Recovery Partition Version 1.1 - 6.1(1)E2
    Host Certificate Valid from: 17-Nov-2008 to 18-Nov-2010
    What can I do in this case?
    IPS Info
    Getting details from the Service Module, please wait...
    ASA 5500 Series Security Services Module-10
    Model:              ASA-SSM-10
    Hardware version:   1.0
    Serial Number:      JAF1208BNPP
    Firmware version:   1.0(11)4
    Software version:   6.1(1)E2
    MAC Address Range:  001e.f710.5b6c to 001e.f710.5b6c
    App. name:          IPS
    App. Status:        Up
    App. Status Desc:
    App. version:       6.1(1)E2
    Data plane Status:  Up
    Status:             Up
    Mgmt IP addr:       X.X.X.X
    Mgmt web ports:     443
    Mgmt TLS enabled:  

    The process will normally use the following command:
    hw-module module 1 password-reset
    It will reload the ASA, and when logging back in the "Cisco" username will have admin rights.
    If this is not your case, a re-image of the unit will be the next step; keep in mind that this will remove all the custom config.

  • ASA 5585-X pim-ssm support

    Hi
    Is there a way to configure pim-ssm on the asa 5585x-ssm20?
    thanks

    Unfortunately PIM-SSM is not supported on any of the ASA platforms.

  • Configure ASA-SSM-10 for Syslog

    How do I configure syslog on the following IPS module?
    I need to send logs from this sensor.
    Platform: ASA-SSM-10
    Build Version: 7.0(4)E4
    Os Version: 2.4.30-IDS-smp-bigphys
    Can anybody advise me on this?
    Regards,
    Rohit

    Do you need the syslogs to be sent, or the events?
    IPS sensors do not support syslog forwarding. Syslog is fairly restrictive in the size of messages and is not secure or reliable.
    The sensor does support sending of events using SNMP (again with the same set of restrictions: not full data, clear text, not reliable).
    There is a physical ability to send events as traps. It isn't recommended for many reasons (or let's say it isn't recommended in the same way that monitoring using SDEE is). SNMP trap receivers generally aren't built to handle, say, 200 events per second per device. The sensor isn't capable of sending at the same event rate as it is with SDEE. The traps are in clear text and are not reliably sent. They don't contain the same amount of info as an SDEE event, and can't.
    If you need the events to be sent to a database you can run Cisco IME, which can collect all the events generated by the IPS.
    Hope this helps.
    Sachin

  • Image recovery on 5520 IDS Module (ASA-SSM-10) TFTP timeout failure

    I have an ASA 5520 with an ASA-SSM-10 module in it for IDS.  It has (from what I can tell) never been used or configured.  In fact, I only recently found that it existed!  I would like to begin using it, starting with replacing the software image with the latest (I do NOT need any configuration from it now).
    Details ...
    KCH-ASA-Primary# sh module 1 details
    Getting details from the Service Module, please wait...
    ASA 5500 Series Security Services Module-10
    Model:              ASA-SSM-10
    Hardware version:   1.0
    Serial Number:      JAF10422581
    Firmware version:   1.0(11)2
    Software version:   6.0(1)E1
    MAC Address Range:  0018.b91b.69f1 to 0018.b91b.69f1
    App. name:          IPS
    App. Status:        Up
    App. Status Desc:
    App. version:       6.0(1)E1
    Data plane Status:  Up
    Status:             Up
    Mgmt IP addr:       172.17.1.20
    Mgmt web ports:     443
    Mgmt TLS enabled:   true
    The problem that I am having is that when I set it up to pull down the new software through TFTP, it just hangs and times out.
    KCH-ASA-Primary# hw module 1 recover config
    Image URL [tftp://10.10.10.9/IPS-sig-S789-req-E4.pkg]:
    Port IP Address [172.17.1.20]:
    VLAN ID [950]:
    Gateway IP Address [172.17.1.1]:
    KCH-ASA-Primary#
    And then ...
    KCH-ASA-Primary# debug module-boot
    debug module-boot  enabled at level 1
    KCH-ASA-Primary# hw module 1 recover boot
    The module in slot 1 will be recovered.  This may
    erase all configuration and all data on that device and
    attempt to download a new image for it.
    Recover module in slot 1? [confirm]
    Recover issued for module in slot 1
    KCH-ASA-Primary# Slot-1 215> Cisco Systems ROMMON Version (1.0(11)2) #0: Thu Jan 26 10:43:08 PST 2006
    Slot-1 216> Platform ASA-SSM-10
    Slot-1 217> GigabitEthernet0/0
    Slot-1 218> Link is UP
    Slot-1 219> MAC Address: 0018.b91b.69f1
    Slot-1 220> ROMMON Variable Settings:
    Slot-1 221>   ADDRESS=172.17.1.20
    Slot-1 222>   SERVER=10.10.10.9
    Slot-1 223>   GATEWAY=172.17.1.1
    Slot-1 224>   PORT=GigabitEthernet0/0
    Slot-1 225>   VLAN=950
    Slot-1 226>   IMAGE=IPS-sig-S789-req-E4.pkg
    Slot-1 227>   CONFIG=
    Slot-1 228>   LINKTIMEOUT=20
    Slot-1 229>   PKTTIMEOUT=4
    Slot-1 230>   RETRY=20
    Slot-1 231> tftp IPS-sig-S789-req-E4.pkg@10.10.10.9 via 172.17.1.1
    KCH-ASA-Primary# Slot-1 232> TFTP failure: Packet verify failed after 20 retries
    Slot-1 233> Rebooting due to Autoboot error ...
    Slot-1 234> Rebooting....
    I know that I can reach 10.10.10.9 from 172.17.1.x, and this is the present port IP of the device. If I do a 'session 1' and ping 10.10.10.9, I get replies. I know my TFTP is working; I use it for all of my switches for config backups and installing new IOS. And watching my TFTP server window, I am not seeing any connection attempts.
    What am I doing wrong here? :-(

    Thanks for your response. As I mentioned earlier in my email, I tried 2 different images (IPS-SSC_5-K9-sys-1.1-a-6.2-2-E4.img and IPS-SSM_10-K9-sys-1.1-a-7.1-5-E4.img) without any success. Since there are no packets coming from IPS on the TFTP server, I think the problem is something else.
    When I run the "debug cplane 255" command, I see some errors mentioned below:
    asa(config)# debug cplane 255
    debug cplane  enabled at level 255
    asa(config)#
    cp_connect: Connecting to card 1, socket 3, port 7000
    cp_connect: Error - cp_connect() returned -1
    cp_check_connection: handle -1, conflicts with connection 1 (-1)
    cp_check_connection: handle -1, conflicts with connection 2 (-1)
    cp_check_connection: handle -1, conflicts with connection 3 (-1)
    cp_update_connection: Error updating connection_id 0
    Is this a hardware issue?

  • Best practices for using Normalizer in ASA and in AIP-SSM

    Both PIX OS 7.x and IPS 5.x software have a concept of "traffic normalization". PIX OS on the ASA can do virtual reassembly; IPS on the SSM (so far as I know) can do physical reassembly and fragmentation of IP packets. Also, both the ASA and the SSM can do TCP normalization. For example, they both can "check inconsistent retransmissions" and protect against "TTL evasion attacks". I realize that PIX OS has only basic normalization functions and the SSM is much more configurable.
    The question is: what are the best practices here? Is it better to disable some IP/TCP PIX OS checks / IPS signatures on the ASA and/or SSM? Is it better to use just the SSM for traffic normalization? Does anybody have personal experience here?
    Also, there is a BugID CSCsd04327 - "ASA all out of order packets are dropped when sending to ssm"
    "When ips ssm is inline slowness is reported. show service-policy shows that the number of out of order packets reported match exactly the number of no buffer drops (even with queue-limit option). Performance hit is not the result of tcp normalization (on IPS 5.x ssm) in this case, but rather an issue with asa normalizer."
    To me it seems to be more logical to have normalization function on the firewall, but there may be drawbacks in doing this.
    So, those who are using the ASA with an SSM, please share your experience.
    Thx.

    Yes, this is almost correct ;)
    TCP SRP (Stream Reassembly Processor) is turned OFF on the SSM and cannot be enabled, contrary to the 4200 appliances, but IP FRP (Fragmentation Reassembly Processor) is functioning on the SSM.
    The testing of 7.2(1) shows the following:
    When you configure a "policy-map" to send packets to the SSM, the "tcp-map" parameter "queue-limit", which has the value of zero by default, is set to an X (the X is unknown). This means that the ASA now only accepts the TCP segments which are sent in the correct order. More specifically, gaps in SEQs are not allowed anymore. When, for example, the ASA receives a TCP segment which has a SEQ within the window but the previous TCP segment has been lost, it sends an ACK to the sender to enforce retransmission of the lost segment. As a result the sender retransmits both segments. Only after that does the ASA forward both segments to the SSM. This basically means that the SSM always sees in-order TCP segments. That is why SRP is not needed on the SSM.
    There are at least two problems however.
    The first problem is the performance impact.
    The ASA now acts almost like a proxy. And, so far as I know, it doesn't support SACK (Selective ACKs). First, when the ASA does TCP SEQ randomization it doesn't change SEQ values within the SACK TCP option. This simply breaks SACK. Second, even if you turn the randomization mechanism OFF, then, I believe, the ASA will not selectively ACK the lost TCP segments, as it simply doesn't support this mechanism.
    The second problem is THE SECURITY HOLE.
    By default the ASA doesn't check TCP checksums. The 4200 appliances do check by default. But as we now know the SRP is turned OFF on the SSM... So, this means that the SSM module can easily be evaded. The hacker only needs to mix attacking traffic with random TCP segments that have a bad TCP checksum. The SSM module will see the mixture of the two and will not recognize the attack. The target host will drop the TCP segments with the bad checksums and see only the attacking traffic... This has been successfully verified in the lab.
    Of course, this security hole can be closed with the "tcp-map" parameter "checksum-verification", but it will definitely have a performance impact.
    The last note: All of the above has never been documented by Cisco. So, use at your own risk, etc.
    I hope, you will read this message, Marcoa. All of this MUST be documented. Once again, the default behaviour of the ASA opens up a big security hole.
    Regards,
    Oleg Tipisov,
    REDCENTER,
    Moscow
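    The evasion Oleg describes exists because the inspector accepts segments that the end host will discard. As an added example (not from the thread or from Cisco), a Python sketch of the check a normalizer or reassembler needs: verify the TCP checksum over the IPv4 pseudo-header before a segment enters the reassembled stream, so the inspector's view matches the host's. Addresses, ports and payloads are constructed sample values.

```python
import struct
from typing import Dict, List

TCP_PROTO = 6
# Constructed sample endpoints (not from the post).
SRC = bytes([10, 0, 0, 5])
DST = bytes([10, 0, 0, 80])

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum used by the IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus TCP header and payload,
    with the checksum field (bytes 16-17) taken as zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """The check the receiving host performs before accepting a segment."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)

def make_segment(src_ip: bytes, dst_ip: bytes, seq: int, payload: bytes,
                 corrupt: bool = False) -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK, no options) plus payload.
    corrupt=True installs a wrong checksum to stand in for the junk
    segments the post describes, which the end host silently discards."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, seq, 1, 5 << 4, 0x18, 8192, 0, 0)
    seg = hdr + payload
    csum = tcp_checksum(src_ip, dst_ip, seg)
    if corrupt:
        csum ^= 0x5A5A  # always differs from the correct value
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def reassemble(src_ip: bytes, dst_ip: bytes, segments: List[bytes],
               verify_checksum: bool) -> bytes:
    """Rebuild the stream as an inline inspector would see it. The first
    segment at a given sequence number wins; without verification a junk
    segment shadows the real data, so inspector and host see different bytes."""
    by_seq: Dict[int, bytes] = {}
    for seg in segments:
        if verify_checksum and not checksum_ok(src_ip, dst_ip, seg):
            continue  # the host would drop it, so the inspector must too
        seq = struct.unpack("!I", seg[4:8])[0]
        by_seq.setdefault(seq, seg[20:])
    return b"".join(by_seq[s] for s in sorted(by_seq))

def demo():
    """Constructed stream: one request split over two segments, with a
    bad-checksum segment inserted at the second segment's sequence number."""
    stream = [
        make_segment(SRC, DST, 1000, b"GET /index"),
        make_segment(SRC, DST, 1010, b"XXXXXXXXXX", corrupt=True),
        make_segment(SRC, DST, 1010, b".html HTTP"),
    ]
    naive = reassemble(SRC, DST, stream, verify_checksum=False)
    hardened = reassemble(SRC, DST, stream, verify_checksum=True)
    return naive, hardened

if __name__ == "__main__":
    naive, hardened = demo()
    print("inspector without checksum check:", naive)
    print("inspector with checksum check:   ", hardened)
```

    The hardened stream equals what the target host reassembles; the naive one is what an inspector that skips checksum verification would match signatures against.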

  • Configuring ASA and SSM

    Hi
    I am new to the Cisco box. I have an ASA 5510 with an SSM module. I would like to insert this device between the users' LAN and the server farm. The intention is to block non-legitimate traffic, and I need to use the IPS module to detect possible attacks from the users' side.
    Kindly guide me through the steps to do the basic configurations for enabling the SSM and the other communication.
    Many thanks and regards,
    Rajeev

    The CSC SSM maintains a file containing signature profiles of suspicious content, updated regularly from an update server at Trend Micro. The CSC SSM scans traffic it receives from the adaptive security appliance and compares it to the content profiles it obtains from Trend Micro. It then forwards legitimate content on to the adaptive security appliance for routing, or blocks and reports content that is suspicious.
    http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/cscssm.html#wp1031646
    http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_ssm.html
