SSM-10 on ASA

Similar Messages

• Single AIP-SSM in Cisco ASA Failover Active / Standby Mode

  Hi,
  I can add single AIP-SSM on Cisco ASA in failover active / standby mode?

  No, both units need the same hardware, that includes the installed modules.
  Sent from Cisco Technical Support iPad App

• Initial hookup of IPS-SSM in an ASA to a switch

                     I have an ASA-5520 with a IPS-SSM-40. I configured the IPS control port to an ip address on the ASA's inside network subnet and connected it to the same switch as the ASA's inside port is connected to. I am using a single context. What vlan should the switch port be on that connects to the IPS?
  I can SSH to the ASA and go to session 1 and see the config. But I cannot connect thru the ASDM.
  ASA 5500 Series Security Services Module-40
  Model:              ASA-SSM-40
  Hardware version:   1.0
  Serial Number:      JAF1545CBNM
  Firmware version:   1.0(14)5
  Software version:   6.0(6)E4
  MAC Address Range:  44d3.ca0f.0413 to 44d3.ca0f.0413
  App. name:          IPS
  App. Status:        Up
  App. Status Desc:
  App. version:       6.0(6)E4
  Data plane Status:  Up
  Status:             Up
  Mgmt IP addr:       192.168.0.12
  Mgmt web ports:     443
  Mgmt TLS enabled:   true MAC Address Range:  44d3.ca0f.0413 to 44d3.ca0f.0413
  App. name:          IPS
  App. Status:        Up
  App. Status Desc:
  App. version:       6.0(6)E4
  Data plane Status:  Up
  Status:             Up
  Mgmt IP addr:       192.168.0.12
  Mgmt web ports:     443
  Mgmt TLS enabled:   true

  The config that you have earlier should already allow access to the IPS via AnyConnect. Pls remove the config that you have just added as it sounds incorrect.
  Can you ping the IPS from the AnyConnect client?
  I assume that you can ping 192.168.0.31 and 192.168.0.4 when you are connected via AnyConnect, right?
  If you can, then you should be able to ping 192.168.0.12 as well. I also assume that the port on the module is connected to the same switch where the ASA inside interface is connected.
  Can you install a TFTP server on a host on your inside network, and transfer the image to the IPS module via an inside host. I assume you can RDP to an inside host once you are connected via AnyConnect.

• Upgrading from SSM-10 to ASA 5525x

  We are upgrading from an ASA 5510 with a SSM-10 module to the 5525x ips.  Can we simply copy the config from the SSM-10 to the 5525x?

  Please refer the below document for the details regarding the catalog conversions.
  http://helpx.adobe.com/photoshop-elements/kb/common-catalog-issues-upgrade-elements.html

• AIM-SSM interfaces and ASA 5510

  All, can anyone explain if and how routing works between the ASA and the IPS card?
  1)Is the single NIC in the IPS card for management purposes only?
  2)Is the IP address configured in the card's setup process for this one NIC?
  3) need there be any routing between e.g. the ASA management or any other interface and the card management interface or can they reside on completely separated networks?
  Thanks
  Jonathan

  The IPS card has 3 interfaces.
  The management interface is external interface that you plug a network cable in to. The IP address is configured by the user during setup.
  The sniffing interface is the internal interface on the ASA data backplane. No IP address is ever assigned to this interface.
  The control plane interface is an internal interface on the ASA control plane so that the ASA can communicate internally to the SSM (the session command runs through this interface). The control plane IP address is controlled by the ASA and not user configurable,
  The management interface is for management only.
  The IP Address configured during setup is only for this management interface.
  As for routing between the ASA and the SSM, this is completely up to the user.
  All communication from the ASA to the SSM is done internally through the control plane interface and so the ASA itself does not need to know how to communicate to the SSM management IP.
  The SSM, however, does need to communicate from it's management IP to one of the ASA interfaces in order to do Blocking/Shunning on the ASA. Blocking/Shunning is not done through the control plane.
  When using IDM or ASDM for configuration the java applet web browses to the SSM management IP so the machine running IDM or ASDM must either be on the local network of the management port of the SSM, or be routable to the network.
  Some scenarios:
  1) Only one machine (IDS MC/Sec Mon) communicating with the SSM. In this scenario you could take a crossover cable and directly connect the one machine to the SSM.
  The SSM can then communicate only to that one machine.
  2) A secure network for managing the security devices that is NOT routable to/from other networks.
  In this scenario the management box, the management port of the SSM, and the management port of the ASA would all be placed on this one network.
  The SSM would only be able to communicat with the management box, and the ASA management port.
  The ASA management port is configured as a management-only port so the ASA will not route in/out of the management network.
  SO only the management box on that local network can communicate with the SSM, and no remote boxes can connect directly to the SSM.
  (NOTE: Blocking/Shunning will work here because the SSM can talk to the ASA)
  3) A secure network that IS routable to/from other networks.
  Similar to option 2 above, but in this scenario the management port of the ASA is configured to NOT be a "management-only" port, and is instead treated like any other port on the firewall. In this setup the management port of the ASA CAN route in/out of the management network.
  NOTE: In most cases the ASA will need to configure a NAT address for the SSM management IP if users intend to connect to the SSM management IP remotely from the Internet (like running ASDM from the company main network over the internet to configure the ASA and the SSM at a remote site)
  4) SSM management IP on one of the normal networks behind the ASA. In this scnario the management port of the SSM would be plugged into a switch or hub where other internal machines are plugged in (like plugging into the DMZ switch/vlan). From the ASA standpoint the SSM management port would be treated just like any other web and ssh server behind the firewall.

• Will the AIP-SSM for the ASA stop this?

  I have a client emailed me today that someone did a script injection attack on one of their web servers. It ran a backdoor Trojan virus on their web server. I know the AIP-SSM will stop the Trojan, but will it stop someone from doing the script injection attack. If so, is it documented and can you point me to the document.
  Thanks.
  Dan

  Hi,
  If you know exactly which of the various script injection attacks was used you can simply look it up here:
  http://tools.cisco.com/security/center/home.x
  If you don't know exactly which one then it's slightly harded to know whether it would have been stopped, but searching on "script injection" or similar should narrow down the candidates and give you an idea on whether it would have been stopped or not.
  Remember that an IPS isn't perfect, but it *will* significantly lower your risk if setup and maintained properly.
  HTH
  Andrew.

• Step to prep CSC SSM on ASA Active/Standby mode

  Hi all, 
  I am trying to setup Active/Standby HA mode for my site.
  Currently the site was installed with one unit ASA firewall with CSC-SSM module, the second unit is the new unit ready to be setup.
  My question:
  01. My concern is second unit CSC-SSM, what is the proper procedure or step need to prep it?
  Is it need to prep the CSC-SSM before the ASA in HA mode Or it will auto propagate the configuration when both unit in HA mode?
  What else need to concern? am i need to setup different IP for the CSC-SSM management interface?
  Thanks
  Noel

  Hello Yong,
  Configuration related to the CSC or SSM modules will never get propagated so you will basically need to configure it manually.
  Also it's not like if the Config on both modules is different failover will fail but ofcourse you wanna have the same one
  IP addresses for each of the modules will be dedicated ones. Remember that failover will fail if one box has the CSC and the other not.
  Looking for some Networking Assistance? 
  Contact me directly at [email protected]
  I will fix your problem ASAP.
  Cheers,
  Julio Carvajal Segura
  http://laguiadelnetworking.com

• Will reloading an ASA-SSM effect the Firewall itself?

  We've lost the login info for the IPS-SSM on our ASA 5520. It looks like we will need to re image the module with a newer software version. It currently is not in use i.e. no rules for it on the the firewall. Will this process take the firewall off line at all?
  Output from sh command:
  Firewall03# show module 1
  Mod Card Type Model Serial No.
  1 ASA 5500 Series Security Services Module-20 ASA-SSM-20 xxxxxxx
  Mod MAC Address Range Hw Version Fw Version Sw Version
  1 001b.0ce2.xxxx to 001b.0ce2.xxxx 1.0 1.0(11)2 5.1(5)E1
  Mod SSM Application Name Status SSM Application Version
  1 IPS Up 5.1(5)E1
  Mod Status Data Plane Status Compatibility
  1 Up Up
  Firewall03# show module 1 recover
  Module 1 recover parameters...
  Boot Recovery Image: No
  Image URL: tftp://0.0.0.0/
  Port IP Address: 0.0.0.0
  Gateway IP Address: 0.0.0.0
  VLAN ID: 0

  So it will have an effect on the firewall, causing it to fail over?
  Also I am having a hard time understanding the recovery process as it seems the device needs to be configured to allow the recovery image to be used. I have no idea how if at all the device is configured, we have zero access to the device as we have none of the passwords for it and no idea how it's configured.
  from looking at the above (1st post) you can there is no recovery location set. How do I recover with no info on the device?
  Firewall03# sh module 1 details
  Getting details from the Service Module, please wait...
  ASA 5500 Series Security Services Module-20
  Model: ASA-SSM-20
  Hardware version: 1.0
  Serial Number: JAF111XXXXX
  Firmware version: 1.0(11)2
  Software version: 5.1(5)E1
  MAC Address Range: 001b.0ce2.XXXX to 001b.0ce2.XXXX
  App. name: IPS
  App. Status: Up
  App. Status Desc:
  App. version: 5.1(5)E1
  Data plane Status: Up
  Status: Up
  Mgmt IP addr: 10.1.9.201
  Mgmt web ports: 443
  Mgmt TLS enabled: true
  Firewall03# sh module 1 recover
  Module 1 recover parameters...
  Boot Recovery Image: No
  Image URL: tftp://0.0.0.0/
  Port IP Address: 0.0.0.0
  Gateway IP Address: 0.0.0.0
  VLAN ID: 0
  Firewall03#

• Cisco IPS 4240 VS Cisco ASA AIP SSM-10 Modula

  I'm looking to replace another vendor's IPS system we have at our company. We do have an ASA 5510 in our envionment currently.
  Considering I don't need the extra bandwidth of the IPS 4240 series and the AIP SSM-10 requires an ASA 5510 what are the differences?

  Operationally the AIP-SSM1 and the 4240 run the same software, so they work pretty much the same.
  The AIP-SSM inside the ASA is less expensive alternateive, but becuase it sits inside an ASA there is more to configure and manage (the ASA plus the sensor), The ASA also has some built in inspections that may filter some traffic/attacks from being seen at the AIP-SSM sensor.
  - Bob

• Using ASA5510 AIP-SSM in IDS mode

  Hi,
  I' ve a Cisco ASA5510 with  AIP-SSM and I wold like to use it like a one-armed IDS for connect them to a span port of a switch in my network,
  without the traffic passing through the Firewall.
  I've try to configure it and connect the interface inside (fast0/1) to the span port, I create the policy for permit  all the traffic to the  Sensor but it doesn't work, no packet recived on sensor.
  somebody can help me?
  thanks

  Unfortunately you can't use the AIP-SSM in an ASA with a spanning switch like you could with the 4200 series appliances.
  The reason is that the ASA was built to be a firewall, and no matter how much of that functionality you turn off, it still needs to see TCP and UDP conversations flowing thru the ASA in order to pass that traffic to the AIP-SSM sensor (I tired very hard to see if I could get around this limitation, but you can't).
  The best you can hope to do is put the ASA in-line (I know this reduces reliability) and turn off as much of the firewall configs you can. Then you can promisciously monitor the traffic passing thru teh ASA with teh AIP-SSM.
  It's not ideal, but it's the cheapest IPS sensor in Cisco's line up right now.
  - Bob

• SIP stops when upgrading from ASA from 8.4.1 to 8.4(2)8 w/ out config change? Why?

  I have to be missiong something small in my config.
  If I upgrade my ASA 5510 which I am routing and NATing off of, from 8.4.1 to 8.4.2.8, SIP stops. All phones go dead.
  If I roll bck to 8.4.1, SIP comes up.,... Go bck to 8.4(2)8 nd SIP goes down..... 
  This is without mking any config changes.
  I have looked at it so long, I must be overlooking something simple, simple, simple...

  Have spent sIx hours in past 24 w/ Cisco TAC and they have a tin of caps as have I but can't figure out why there is a denial of SIP from inside outside and outside inside to/from sip providers three IP addresses. Have created new access lists, new access groups to allow all 3 ip's in & out, increased timeout, bypassed IPS, have both sip UDP & tcp allowed in/out, specified inspection to approve any any for all sip protocols in/out to/from Lync & mediation and nada.
  To answer another question, yes I'm certain config doesn't change... I reloaded tge same running config from a bkup just to make sure.....
  What I see in the logs coming in/out is the call does make it all the way through the SSM to the ASA..
  What happens there is the head scratcher...
  SiP even though allowed and even though I've specified it to push through inspection On ASA side is denied based on inspection rule...
  I also tried using another one of my (unused) public IPs for only SIP thinking that maulybe there was a core conflict with multiple services NATd to the same public IP but that also did nothing.
  On topology I only have a single location so I'm using my 5510 to route as well...
  Have 1 IIS web server l, SQL, (ports clised except to obe vendor and am allowing via access list by their IP and ipsec,) Exchange, Lync, Ironport, Endpoint and everything else is 80/80...
  Everything is on Server 08r2 w/ exception of web server and two boxes ( one stand-alone & one VM on hyper-v)  I am running Server8 for Microsoft TAP engineering / validation airlift. Neither of those are attached to UC/UM at all...
  I'm using dynect from dyndns for outside network web services and just piggybacking on time Warner metro e for internal (no physical DNS server)
  When I look at caps everything is identical in the tcp and UDP trace even on sip except for the denial...
  Which caps/logs would 'y'all like to see and I'll post em when I get home....
  Is there a link to bug notes Jullio? Is it sip specific? Any possibility of it being just a name/cosmetic big I can force a work around to?
  I recall when Asa first was released I had to specify port 25  allow instead of being able to simply say allow smtp .. That took 2 weeks but it allowed for a work around so whatever I can do/try I'm willing!! Someone may wanna tell TAC if it's a bug because after 6 hours yesterday they are saying there's not a bug... :)
  Thanks all!!!!

• AIP-SSM (Not Applicable)

  Hi Experts,
               We have 2ASA and each one have AIP-SSM,with 2nd ASA AIP-SSM I tried to upload latest image for AIP-SSM 20 but didnt worked and now i see module is dead...pls check the detials below.....pls help me out how to make it up or work properly so that i can config other stuff.Pls its very imp and urgent help me out....
  ASA-A:
  251-DBSi-ASA5540# sh module 1
  Mod Card Type                                    Model              Serial No.
    1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF11370608
  Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
    1 0007.0e11.e13b to 0007.0e11.e13b  1.0          1.0(11)2     5.1(6)E1
  Mod SSM Application Name           Status           SSM Application Version
    1 IPS                            Up               5.1(6)E1
  Mod Status             Data Plane Status     Compatibility
    1 Up                 Up
  ASA-B:
  251-DBSi-ASA5540# sh module 1
  Mod Card Type                                    Model              Serial No.
    1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF1137060C
  Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
  1 001d.4524.a414 to 001d.4524.a414  1.0          1.0(11)2     5.1(6)E1
  Mod SSM Application Name           Status           SSM Application Version
    1 IPS                            Not Applicable   5.1(6)E1
  Mod Status             Data Plane Status     Compatibility
    1 Recover            Not Applicable

  Please try rebooting the module, if it does not work recovery it using the following procedure
  http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/cliimage.html#wpxref68481
  Regards
  Farrukh

• Simple question about CSC-SSM

  Hi,
  I must block a HTTPS website using CSC-SSM on a ASA 5520 but it looks like it won't block HTTPS traffic at all so I've been searching around and I found that "Traffic that moves through HTTPS cannot be scanned for viruses and other threats by the CSC-SSM software.".
  Anyone has sucessfully blocked HTTPS traffic using CSC-SSM?
  Which other blocking methods would you recommend? ASA's URL filtering?
  Thanks in advice.
  Guilherme

  hi Guilherme
  the idea with https it is a secured http with sslor tls which is the same idea with vpn/IPSEC where the traffic is tunnled and cannot be inspected before get devrypted
  which wshould be the same with all vendors
  if u can inspect the https and scan it then it is not secure enough !! right :)
  good luck
  if helpful Rate

• SSM IPS Configuration

  I have a couple of questions regarding the ASA that deal with the SSM module.
  I have read the document "Configuring ASA-SSM" and am confused by the command logic. I realize that you need to specify a service-policy globally that defines the traffic being sent to the SSM module. My concern is that the configuration document lists as one of it's steps to define an ACL for the IPS traffic and then apply it to an interface before configuring the class map, policy map, and service-policy. Why would this ACL need to be applied to an interface when it is being used for defining IPS traffic? Shouldn't the ASA send whatever traffic is defined globally in the service-policy to the SSM without attaching the ACL to an interface?
  Also, on the ASA factory default configuration there is a service-policy defined as:
  class-map inspection_default
  match default-inspection-traffic
  policy-map global_policy
  class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  service-policy global_policy global
  But, if I define a global service-policy for the SSM I would lose this default service-policy as only one global service policy is allowed. Is the default service-policy providing the fixup protocol services as in the PIX that I am used to seeing? If so do I lose this functionality by applying a global service-policy for IPS/
  Sorry for the length of the post and thanks for your help in advance.

  The configuration in the IPS User's Guide is just one method for settings up the ASA to send packets to the SSM.
  It is an extremely basic configuration on the ASA where all the ASA is doing is copying packets to the SSM and the ASA is not doing any of it's firewall functionality.
  This configuration is only practical if the ASA was purchased and used only for housing the SSM and sending it traffic ( a rare deployment in the field ).
  If your ASA is already configured for firewall functionality then the only additional command(s) that need to be added to your config are:
  ips inline|promiscuous fail-open|fail-close
  Take your existing policy-map and for every class in that policy you will need to decide if the traffic should be monitored promiscuously, inline, or not monitored by the SSM.
  In your example, if you wanted to monitor all of the traffic inline on the SSM and want to continue passing traffic if the SSM fails. Then simply add the line "ips inline fail-open" within the existing "class inspection_default".
  NOTE: If you change the policy you need to understand that the new policy will only affect new connections and not existing connections.
  The only reason you would have to create additional acls and class maps using the acls would be if you did not want all of the traffic monitored inline by the SSM.
  If you want different traffic monitored promiscuous and other inline (or not monitored), then you need to include additional classes in your policy-map so that a different ips configuration line can be added for each class.

• SSM-20 Can not upgrade software on the sensor

  Hi,
  I am trying to upgrade a sensor on IPS-SSM-20 and have "errInUse-An Upgrade is already in progroess" error.
  Can I do anything to fix that or my only way out is to reboot a module ?
  P.S. Two modules are  instaled on ASA-5520 - HA pair with multiple context.
  Thanks,
  Vlad

  Hello,
  I don't have option "debug module". Only debug option is to " debug module-boot"
  This is SSM-20 on ASA 5520.
  I forgot to mention that whole problem started when I acidentaly tried to upgrade sensor on a diferent module with a sign. version that already exist on the sensor. Erros was like"can not upgrade because version already exist on the sensor"
  After that I was not able to "kill" that process.
  Thanks,
  Vladimir