SSM IPS Configuration

I have a couple of questions regarding the ASA that deal with the SSM module.
I have read the document "Configuring ASA-SSM" and am confused by the command logic. I realize that you need to specify a service-policy globally that defines the traffic being sent to the SSM module. My concern is that the configuration document lists as one of its steps to define an ACL for the IPS traffic and then apply it to an interface before configuring the class map, policy map, and service-policy. Why would this ACL need to be applied to an interface when it is being used for defining IPS traffic? Shouldn't the ASA send whatever traffic is defined globally in the service-policy to the SSM without attaching the ACL to an interface?
Also, on the ASA factory default configuration there is a service-policy defined as:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
But, if I define a global service-policy for the SSM I would lose this default service-policy, as only one global service policy is allowed. Is the default service-policy providing the fixup protocol services as in the PIX that I am used to seeing? If so, do I lose this functionality by applying a global service-policy for IPS?
Sorry for the length of the post and thanks for your help in advance.

The configuration in the IPS User's Guide is just one method for setting up the ASA to send packets to the SSM.
It is an extremely basic configuration on the ASA where all the ASA is doing is copying packets to the SSM and the ASA is not doing any of its firewall functionality.
This configuration is only practical if the ASA was purchased and used only for housing the SSM and sending it traffic (a rare deployment in the field).
If your ASA is already configured for firewall functionality then the only additional command(s) that need to be added to your config are:
ips inline|promiscuous fail-open|fail-close
Take your existing policy-map and for every class in that policy you will need to decide if the traffic should be monitored promiscuously, inline, or not monitored by the SSM.
In your example, if you wanted to monitor all of the traffic inline on the SSM and want to continue passing traffic if the SSM fails, then simply add the line "ips inline fail-open" within the existing "class inspection_default".
NOTE: If you change the policy you need to understand that the new policy will only affect new connections and not existing connections.
The only reason you would have to create additional acls and class maps using the acls would be if you did not want all of the traffic monitored inline by the SSM.
If you want different traffic monitored promiscuous and other inline (or not monitored), then you need to include additional classes in your policy-map so that a different ips configuration line can be added for each class.

Similar Messages

  • ASA SSM IPS module upgrade won't work

    Hello all,
    I'm trying to upgrade the IPS sigs on an ASA5520 with an SSM IPS module. I'm trying to upgrade the system to 5.1.1 to further upgrade the device, with no luck.
    I followed these steps provided by Cisco.com:
    1. Log in to the ASA.
    2. Enter enable mode:
    asa# enable
    3. Configure the recovery settings for ASA-SSM:
    asa (enable)# hw-module module 1 recover configure
    NOTE: If you make an error in the recovery configuration, use the
    hw-module module 1 recover stop command to stop the system reimaging
    and then you can correct the configuration.
    4. Specify the TFTP URL for the system image:
    Image URL [tftp://0.0.0.0/]:
    Example:
    Image URL [tftp://0.0.0.0/]: tftp://10.20.30.40/IPS-SSM-K9-sys-1.1-a-5.1-1.img
    5. Specify the command and control interface of ASA-SSM:
    Port IP Address [0.0.0.0]:
    Example:
    Port IP Address [0.0.0.0]: 11.21.31.41
    6. Leave the VLAN ID at 0.
    VLAN ID [0]:
    7. Specify the default gateway of the ASA-SSM:
    Gateway IP Address [0.0.0.0]:
    Example:
    Gateway IP Address [0.0.0.0]: 11.22.33.44
    8. Execute the recovery:
    asa# hw-module module 1 recover boot
    9. Periodically check the recovery until it is complete.
    NOTE: The status reads "Recovery" during recovery and reads "Up" when
    reimaging is complete.
    After #8 it just goes back to the enable prompt. A 'sh module' lists the device as 'recover' and hangs FOREVER.... I tested the TFTP server which the new image resides on, and the TFTP is working fine. I don't see any attempts or downloads from the TFTP server for over an hour.
    I opened a Cisco TAC case on this and am not receiving a lot of help...
    Please help!!!:)
    Thanks
    Chris Serafin

    The recovery using this method can take upwards of 30 minutes, and in some cases even longer.
    How long have you left the SSM in the "recovery" state?
    There may be something wrong in the config you entered. When that happens the SSM can go into a continuous reboot cycle trying to do the recovery.
    Execute "debug module-boot" on the console of the ASA.
    The debug output will show you the ROMMON output of the SSM itself. (The SSM has its own ROMMON. The recovery boot command sends the settings made during the recover configure command to the SSM's ROMMON).
    If the ROMMON is experiencing a problem in trying to download the tftp image you should now see that ROMMON error message.
    Some typical problems I have seen:
    1) Wrong IP given for the sensor.
    2) Wrong IP given for the gateway (the gateway must exist on the same network as the sensor) this problem usually happens when using a non-standard netmasked network.
    3) Not having the sensor's command and control port plugged into the right network. The external port of the SSM itself is where the IP is being applied. You need to ensure that the external port of the SSM is plugged into the right network for that IP.
    4) The tftp server is not reachable from the network where the sensor's command and control port is attached. Some users think that if the ASA itself can reach the tftp server that the SSM will also be able to. This is not always the case. It is best to use a tftp server on the same network as the IP provided to the SSM. Or to test the tftp server from another machine on the same network as the SSM.
    5) The file name is wrong. Check the capitalization especially.
    6) The file is not in the default directory on the tftp server. If the file is in a subdirectory you will need to add that subdirectory to the URL:
    tftp://10.20.30.40/subdirectoryname/filename
    7) The tftp is timing out.
    There are 2 things that can cause this:
    a) The tftp server is remote, and it takes too long to download the file. The ROMMON does have limits on the number of retries and per packet timeouts (but they are not user configurable). Try using a tftp server local to the SSM.
    b) The switch that the SSM connects to has spanning-tree running and spanning-tree does not complete before the SSM ROMMON times out for the tftp attempt. The tftp attempt happens immediately upon ROMMON startup and link up. But with a switch the switch port may be in a "Listen" or "Learn" state for 40 seconds before the box can actually talk on the network. In some cases the tftp download attempts started as soon as link up, and may timeout even before the spanning-tree completes. To work around this configure "spanning-tree portfast" on the switchport. Spanning-tree will connect the port into the vlan immediately rather than 40 seconds later.
    If it was a config problem when configuring the recovery settings, then there is a "recover stop" command on the ASA.
    It will stop the reboot cycle from happening.
    Let the module come up with the old image.
    Then correct your "recover configure" settings, and try the "recover boot" again.
    Another alternative:
    Stop the recovery "recover stop"
    Let it boot into the old image.
    If it was a 5.0 version, then you can actually upgrade to 5.1 using the sensor's own CLI "upgrade" command. It is actually the preferred method.
    The "recover" from the ASA will wipe the box clean and load a fresh image.
    The "upgrade" from the sensor will convert your 5.0 config into a 5.1 config while installing 5.1.
    5.1 upgrade file:
    IPS-K9-min-5.1-1g.pkg
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
    It can be applied through the sensor's CLI upgrade command, or pushed directly through IDM, or applied by CSM.
    The "recover" should be limited to disaster recovery. When you can't access the SSM at all, or the files on the SSM have been corrupted.
    For normal upgrades you want to use "upgrade" files done through the sensor itself (CLI, IDM, or CSM).

  • CISCO 2851 with IPS configuration

    Hi guys, I'm planning to do an IOS IPS configuration on a newly purchased 2851 router; the spec is as below:
    CISCO2851-HSEC/K9
    CISCO 2800 AdvanceIPservice :Version 12.4(15)T10
    64MB CF default
    512DDR DRAM
    My problem right now is, when I tried to configure the IPS feature, the SDM Express ver2.5 doesn't have the IPS tabs that allow me to configure it. I noticed and highly suspect that this is due to the express version of SDM, instead of the full/enhanced version of SDM. I tried to download the full version of SDM from Cisco; the file size is 14MB, and my current CF free space is only 7MB. The IOS itself has used up 51MB. So I'm going to advise my customer that running IPS on the router is not possible due to the limited CF size. Can someone who has experience in IPS correct me if I'm wrong? I'm fresh in the security area.
    PS: I know a workaround is to install CSM on a workstation and then configure and manage this router from there.
    Thanks

    Hi Collin,
    Thanks for your advice. I did read through the configuration that you posted. One line which I'm not clear about is this:
    "copy flash:/IOS-S302-CLI.pkg idconf"
    Where is this idconf? Is it a flash folder or somewhere else? Why do we need to copy the signature file to this idconf? Or, my guess, does this idconf refer to "flash:/ips"?
    regards,

  • IPS configuration promiscuous mode (fail-open) assistance/troubleshooting

    Hi all ,
    I have 2 ASAs configured in active/standby failover mode. I want to configure IPS in promiscuous mode with a fail-open configuration.
    I have not connected the IPS to any PC through the mgmt port.
    I can access the IPS through the ASA (5520) using session 1 and am able to do basic configuration using setup.
    After configuring, when I try to log in through ASA ASDM (IPS tab on the home page of ASA ASDM) it asks for an IP (management or other IP). I am trying to access the IPS with the IP (192.168.3.74) configured in the IPS using initial setup (192.168.3.74/27, 192.168.3.65) and also added an access-list allowing 192.168.3.0/24.
    ASA inside IP subnet: 192.168.3.64/27
    ASA DMZ IP subnet: 192.168.1.0/24
    Let me know if I need to assign the IPS IP from the DMZ range or the inside range.
    Do I need to set up the same IP for the IPS in both ASA modules?
    Let me know if I can connect to the IPS from ASA ASDM using the IP (192.168.3.74) configured through setup on port 443.
    What access-list should I add in the IPS or ASA, if required?
    While setting up the IPS for the first time using the setup command I am not able to see the unused/monitored interface (g0/1) so that I could add both interfaces, which should show as per the Cisco doc. What may be the reason?
    IPS 6.0
    ASA(5520) 7.24
    ASDM 5.24
    Regards
    Amardeep

    You need to configure the interface properly and plug it into the network.
    The second interface is displayed differently in the AIP-SSM, as this is a local/internal connection to the ASA.
    Regards
    Farrukh

  • Active-Standby SSM-IPS upgrade question

    I have 2 ASA 5510's with ASA-SSM-10 IPS modules. The IPSs were running version 5.0.2, and I noticed this will not be supported for SIGS so I started to upgrade to version 5.1.1g. I got one unit upgraded and it seems to be fine, but the second still says it is running 5.0.2 and it will not let me log in to it via CLI. When I force a failover the IPS always seems to be with the upgraded unit, so I can never get to my other IPS to upgrade it.
    What did I do wrong?
    Thanks,
    Dan

    When you say it will not let you log in via CLI, what method of connection are you attempting? Are you telnetting directly to the management IP of the second SSM, or sshing directly to the management IP of the second SSM, or sessioning through the console of the second ASA into the second SSM?
    What errors, if any, are you seeing when trying to log in?
    When you say that you fail over the IPS and can't get to the other IPS, to what are you referring?
    The SSMs don't fail over to each other. They do not share configuration, and should not share IP addresses for their management IP. If you have configured the same IP for both SSMs, then you have a bad configuration. Each SSM needs its own independent IP address. The SSMs should be managed as independent sensors.

  • Correlating Cisco ASA-SSM-IPS Events/Logs

    I have just configured a Cisco ASA-SSM-IPS10. An exciting feature of this device is the ability to monitor, analyse, and correlate security events. Can anybody help with documentation to simplify daily (or periodic) analysis and correlation of the IPS logs? As I am not yet up to speed with this task, a "How-to" document would be just fine. Thank you.

    Hi Chris,
    Good to have you get on the case. I have yet to set up IPS manager software. Presently I use an ASDM 6 interface; with this interface I am able to view events and alerts and perform other administrative chores... Does the IPS Manager Express come bundled with our device purchase? Does it contain the necessary templates/docs for correlating events/logs?

  • Help with first time IPS configuration

    I just installed an AIP-SSM module in our ASA 5520 firewall (protecting a school district). I successfully configured it to scan all traffic sent both directions with the following config:
    access-list IPS extended permit ip any any
    class-map ips-class
     match access-list IPS
    policy-map ips-policy
     class ips-class
      ips inline fail-open
    no service-policy global_policy global
    service-policy ips-policy global
    I also configured it to Deny Attacker Inline when RR=75-100. Figured that was a simple configuration to get things started. However, we noticed that some websites were running very slowly after I implemented these settings. What is causing this?
    I guess the other option would be to reconfigure to only scan incoming traffic initiated from the outside to help protect the district from incoming attacks. But I thought it would be more responsible of me to configure it to scan both ways to protect external hosts from an attack that a student could initiate from a school computer. Is this really necessary or am I creating headaches for myself?

    Thanks for your response. I found DocID 71204 and based on that I modified the IPS config as follows:
    access-list IPS permit ip interface outside any
    class-map ips-class
     match access-list IPS
    policy-map ips-policy
     class ips-class
      ips inline fail-open
    service-policy global_policy global (put the default back)
    service-policy ips-policy interface outside
    But now the IPS doesn't appear to be doing anything, so I must have done something wrong. I modified signatures 2000 and 2004 with an RR=100 so that any incoming pings should be seen as a high-level attack and the incoming IP denied. If I go back to the original config this test works, but not with this config (which, according to the Cisco doc, should send any incoming traffic initiated from outside to the IPS).

  • IOS IPS configuration

    Hi all,
    I am implementing IOS IPS on a 3800 router, but I am not sure whether, when I enable it, all the previous TCP sessions already active across the router will be dropped by the inspect (because the IPS never saw when all those sessions started).
    Any comments are really appreciated..

    Some clarifications:
    1. The fail closed option by default is not configured. The default option is fail open.
    2. Cisco has recommended signature files (128MB.sdf and 256MB.sdf in 4.x signature format) and basic and advanced categories (in 5.x signature format). Those are the recommended starting point while configuring router based IOS IPS. They have about 300 and 500 signatures respectively.
    3. If configured right, the above two sets of signatures will take about 3 to 5 minutes to load and compile. During the compilation process the process CPU is normally high, but it won't affect data plane traffic passing through the router.
    Hope this helps,
    -Chris

  • SSM-IPS 6.03E1 unwanted blocking

    Hi all,
    I am doing some testing in the lab and came across something that is interesting to me:
    I enabled sigs 2000 and 2004 to test that the IPS is inspecting the traffic and set the action for those 2 sigs as produce-alert only. That worked well with informational alert severity. However, when raising the severity to high the IPS starts blocking the ICMP packets even though the action on the signature is only produce alert. Why is the IPS blocking such traffic? Am I missing something here? As always, help is appreciated.

    There is a default event-action-override for deny-packet-inline that gets added to all events with a Risk Rating of 90 or higher.
    When running setup on the sensor, one of the last questions is "Modify default threat prevention settings?[no]".
    If you answer "no" then the default remains active. Your 2000 and 2004 signatures will generate a Risk Rating higher than 90 if you change the severity to high, and so will be automatically denied.
    If you answer "yes" then you are provided the option to disable these default settings.
    To see this setup option refer to step 20 of this section:
    http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_initializing.html#wp1072155
    To learn more about event action overrides refer to:
    http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_event_action_rules.html#wp1085984

  • ASA 5520 IPS configuration

    Dear boss
    I have an ASA 5520 with IPS in my data center. I am using it for routing and access lists. It is running and all my 80 branches run on it.
    Now I want to enable IPS.
    How do I start it?
    When I click on IPS in graphic mode it asks for an IP. What should it be?
    What is the procedure?
    Is there any risk in enabling it during business hours?
    Please tell me the details.
    Thanking You
    shahid

    Hi,
    To know more details for configuring IPS in an ASA firewall, the URL below will help you:
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html
    Regards,
    MK

  • MDS 9222i IPS configuration

    Hi,
    I'm trying to configure my 4 port IPS, and am running into some peculiar situations that I can't seem to find resolution on.
    I want to dedicate 2 of the 4 ports for iSCSI and the other 2 for FCIP. I'd like to bond 2 ports to support one IP addr, but am having a hard time doing that as well. When I try to add a GE port to a channel, it gives me a port not compatible message. Could it be possible that GE IPS ports cannot be added to a port channel? The Cisco guide is rather vague, as it only gives instructions on how to do it. Any insight would be helpful.
    TIA.

    Ken,
    The IPS-4 is End of Sale, I'm not sure about the IPS-8 but it may also be End of Sale. You are correct, for FCIP redundancy, the best option is to create multiple tunnels, each using 1 GE interface, and then port-channel them together. If possible, use GE ports on different line cards so that if a line card reloads (like during an upgrade) the entire port channel will not be affected. All GE ports will flap during an upgrade, they are not 'non-disruptive', but if the FCIP port channel is spread across multiple line cards, it will stay up, while the individual links flap 1 at a time during the upgrade. As for iSCSI, the best option is to use iSLB and load balance multiple incoming iSCSI connections across several GE ports. There really is no longer a need to bundle the GE ports, as the only time it was useful was for iSCSI prior to iSLB (which is iSCSI server load balancing).
    Hope this helps,
    Mike

  • New to IPS SSM 10

    Can I know the link where I can get the guide on how to work on IPS SSM 10 (Cisco IDM 6.0)?

    Configuring the AIP-SSM, IPS CLI Config Guide v6.0
    http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliSSM.html
    Troubleshooting the ASA AIP-SSM
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00808908d5.shtml
    Sending traffic from ASA to AIP-SSM config example
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
    Deploying IPS using the AIP-SSM
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/white_paper_c11-459025_ps6120_Products_White_Paper.html
    Getting started guide ASA v8.0 configuring the AIP-SSM
    http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/aipssm.html
    Initializing the AIP-SSM
    http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliInit.html#wp1043876
    Installing the AIP-SSM system image
    http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliImage.html#wp1032373

  • AIP-SSM configured with event action "produce alert", but it drops packets

    Hi, I configured an AIP-SSM IPS with the event action "Produce Alert", but when a signature fires, it drops the packets. So, what could the problem be?

    Try these links:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/cliguide/clievact.htm#wp1034058
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml

  • How to change the default service port number to be checked for the IPS sig

    Dear
    I have an AIP-SSM (IPS) installed in an ASA firewall.
    I have configured an access-list in the firewall to forward the traffic coming from the internet toward the internal server to be checked by the IPS module.
    But the case is that the services that have to be checked are not on the default service port numbers:
    http port is 8081
    oracle port is 2006
    and many other services.
    The question now is how to change the default service port number in the IPS so that the traffic is checked by the corresponding service signatures?
    Thanks

    You would set those as part of the signature variables.
    http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_signature_definitions.html#wp1040009

  • 5585X-IPS SSM40 Event alert

    Hello,
    The ASA firewall is running in Active/Active mode. Below is the configuration of the firewall and the IPS SSM module.
    We are not getting any events on the IPS sensor when we type "show event alerts".
    IPS configuration:
    ++++++++++++++++++++++
    IPS1#
    IPS1# sh configuration
    ! Current configuration last modified Tue Jul 02 07:19:13 2013
    ! Version 7.1(1)
    ! Host:
    !     Realm Keys          key1.0
    ! Signature Definition:
    !     Signature Update    S552.0   2011-03-07
    service interface
    exit
    service authentication
    exit
    service event-action-rules rules0
    exit
    service host
    network-settings
    host-ip 10.15.1.58/28,10.15.1.57
    host-name IPS1
    telnet-option disabled
    access-list 0.0.0.0/0
    dns-primary-server disabled
    dns-secondary-server disabled
    dns-tertiary-server disabled
    exit
    time-zone-settings
    offset 60
    standard-time-zone-name GMT+03:00
    exit
    exit
    service logger
    exit
    service network-access
    exit
    service notification
    exit
    service signature-definition sig0
    exit
    service ssh-known-hosts
    exit
    service trusted-certificates
    exit
    service web-server
    exit
    service anomaly-detection ad0
    exit
    service external-product-interface
    exit
    service health-monitor
    exit
    service global-correlation
    exit
    service analysis-engine
    virtual-sensor vs1
    description virtual-sensor-1
    anomaly-detection
    operational-mode learn
    exit
    physical-interface PortChannel0/0
    exit
    exit
    IPS1#
    ASA in system mode
    +++++++++++++++++++++++++++++++++++++++
    ASA-1/act/pri# sh run
    : Saved
    ASA Version 9.1(1) <system>
    hostname ASA-1
    enable password u14FkAnxI.kNNH7a encrypted
    no mac-address auto
    interface GigabitEthernet0/0
    description LAN Failover Interface
    interface GigabitEthernet0/1
    description STATE Failover Interface
    interface GigabitEthernet0/2
    interface GigabitEthernet0/3
    interface GigabitEthernet0/4
    shutdown
    interface GigabitEthernet0/5
    shutdown
    interface Management0/0
    interface Management0/1
    interface TenGigabitEthernet0/6
    channel-group 20 mode active
    interface TenGigabitEthernet0/7
    channel-group 20 mode active
    interface TenGigabitEthernet0/8
    channel-group 10 mode active
    interface TenGigabitEthernet0/9
    channel-group 10 mode active
    interface GigabitEthernet1/0
    shutdown
    interface GigabitEthernet1/1
    shutdown
    interface GigabitEthernet1/2
    shutdown
    interface GigabitEthernet1/3
    shutdown
    interface GigabitEthernet1/4
    shutdown
    interface GigabitEthernet1/5
    shutdown
    interface TenGigabitEthernet1/6
    shutdown
    interface TenGigabitEthernet1/7
    shutdown
    interface TenGigabitEthernet1/8
    shutdown
    interface TenGigabitEthernet1/9
    shutdown
    interface Port-channel10
    interface Port-channel10.96
    description "Inside-CTX-1"
    vlan 96
    interface Port-channel10.97
    description "Inside-CTX-2"
    vlan 97
    interface Port-channel20
    interface Port-channel20.98
    description "Outside-CTX-1"
    vlan 98
    interface Port-channel20.99
    description "Outside-CTX-2"
    vlan 99
    class default
      limit-resource All 0
      limit-resource Mac-addresses 65535
      limit-resource ASDM 5
      limit-resource SSH 5
      limit-resource Telnet 5
    boot system disk0:/asa911-smp-k8.bin
    ftp mode passive
    pager lines 24
    failover
    failover lan unit primary
    failover lan interface FOL GigabitEthernet0/0
    failover link STATEFULL-LINK GigabitEthernet0/1
    failover interface ip FOL 10.15.1.33 255.255.255.252 standby 10.15.1.34
    failover interface ip STATEFULL-LINK 10.15.1.37 255.255.255.252 standby 10.15.1.38
    failover group 1
      preempt
    failover group 2
      secondary
      preempt
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    console timeout 0
    tls-proxy maximum-session 1000
    admin-context admin
    context admin
      allocate-ips vs0 adminvs0
      config-url disk0:/admin.cfg
    context arm-1
      description ARM-1
      allocate-interface Management0/0 MGT
      allocate-interface Port-channel10.96 inside
      allocate-interface Port-channel20.98 outside
      allocate-ips vs1 arm-1vs1
      config-url disk0:/arm-1_Context.cfg
      join-failover-group 1
    context arm-2
      description ARM-2
      allocate-interface Management0/1 MGT
      allocate-interface Port-channel10.97 inside
      allocate-interface Port-channel20.99 outside
      allocate-ips vs1 arm-2vs1
      config-url disk0:/arm-2_Context.cfg
      join-failover-group 2
    prompt hostname context state priority
    no call-home reporting anonymous
    Cryptochecksum:ad532251aad3ca65f6da8f1ff0762816
    ASA in one arm context mode
    +++++++++++++++++++++++++++++++++++++++
    ASA-1/arm-1/act/pri# sh run
    : Saved
    ASA Version 9.1(1) <context>
    firewall transparent
    hostname arm-1
    enable password u14FkAnxI.kNNH7a encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface BVI1
    ip address 10.15.1.57 255.255.255.240
    interface MGT
    management-only
    nameif management
    security-level 0
    ip address 10.14.1.9 255.255.255.0 standby 10.14.1.10
    interface inside
    nameif inside
    bridge-group 1
    security-level 100
    interface outside
    nameif outside
    bridge-group 1
    security-level 0
    access-list global extended permit ip any any
    access-list out extended permit ip any any
    access-list in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu management 1500
    mtu inside 1500
    mtu outside 1500
    monitor-interface inside
    monitor-interface outside
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group in in interface inside
    access-group out in interface outside
    route inside 10.0.0.0 255.255.0.0 10.15.1.51 1
    route inside 10.0.10.45 255.255.255.255 10.15.1.51 1
    route outside 10.11.0.0 255.255.0.0 10.15.1.53 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    crypto ipsec security-association pmtu-aging infinite
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 30
    no threat-detection statistics tcp-intercept
    username admin password fMQ/rjnxl9Vwe9mv encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    class-map any
    match access-list global
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map IPS
    class any
      ips promiscuous fail-open sensor arm-1vs1
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    service-policy IPS interface outside
    Cryptochecksum:00b87b7c25f21d91cf5b90cb18c4d745
    : end
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Why are we not able to see any events on the IPS? MPF is configured on the ASA and that ACL is getting hit counts.
    Regards,

    In the CLI enter the following command to see if any signatures are triggering; it could just be that you haven't had the right combination of signatures trigger to cause an actual event:
    show stat virtual-sensor | begin Per-Signature
    You could also enable signature 2000, which will usually generate events in a short time, to ensure you have traffic configured correctly for inspection by the IDS.
