Sync configs between AIP-SSMs

We have a pair of ASA 5520s in active/stanby mode. This part of the situation works great, configurations are always synced to the standby, nothing is lost. Planned failover has worked every time without users even noticing.
We have an AIP-SSM-20 in each.
The challenge arises as it seems there is still no easy and automatic way to sync the configuration of the SSMs together.
Due to all the false positives, we need to perform configurations on the AIP-SSMs. Is there a method I am overlooking, how do you do it?
Thanks.

Thanks for your reply. I've gotten back on this subject....
Does this run as a service, like it is running all the time and needs to be installed on a system which is always up, or does this run as an application only as needed.
Based on the requirements, I can not tell. It can run on desktop OSes or Server OSes.
"Hard Drive
â¢ 100 GB
Memory (RAM)
â¢ 2 GB
Supported Operating Systems
â¢ Windows Vista Business and Ultimate (32-bit only)
â¢ Windows XP Professional (32-bit only)
â¢ Windows 2003 server
Note: Cisco IPS Manager Express supports only the 32-bit U.S. English version of Windows."
100GB for an application, seems rather hefty to me. Is this for real?
Thanks

Similar Messages

Sync config between active and standby CSM

Is there a way to sync config between active and standby CSMs? Just as one that in CSS.
How about two SSL Service module in two different 6500 chassis?
Thanks.

HI,
there is right now no command to commit redundancy between two CSM-Modules. Maybe in the future there will be one. Okay in regards of sync the only way is to check for redundancy is the show mod csm x ft command. But be aware that some slight differences like a real not being in service are sometimes not recognized.
In regards of the SSLModule there is no way as far as I know to sync them. This won't be present in the future in my opinion as there are certificates which require a password or something like that and one won't be able to do redundncy without those passwords. So In my opinion no way to sync two SSL-Module because of security issues.
Kind regards,
Joerg

Is there any architectural difference between CSC-SSM and AIP-SSM modules

Hello security gurus!
I'm wondering if there's any chance to make Content security module (CSC-SSM) work as IPS (AIP-SSM). It seems to me they are absolutely identical in terms of hardware. Is there any chance to make CSC-SSM boot with the flash from AIP-SSM and have the ASA recognize it as an IPS module ?
Eugene

Zheka,
This is not recommended and you will loose support, these are different devices designed for different purposes, you will also have issues with the license, I have seen it one once, and the customer did it by mistake, the module eventually crashed and we had to add the proper image.
Regards,
Felipe.

AIP-SSM Configuration Maintenance in Active Stdby modes

So, I'm pretty new to the AIP-SSM but not to ASA's. It appears that very little of the AIP module config gets copied over to the Stdby AIP, nothing other than what appears in the ASA config (ACL's, etc.). So, do all the config elements particular to the module itself have to be manually reproduced on the Stdby module, either by hand entry or config copies moved between the two?

So in Active/Standby scenarios with AIP-SSM, what is the reasoning for not having a feature for automatically copying over module config changes as with the ASA config?
If there is no good reason, is it on the AIP-SSM road map to provide this feature?
This can be a real pain in the arse for complex IPS configs. You have to do everything twice, and right away, so you won't miss anything should the ASA'a flip.

Using ASA5510 AIP-SSM in IDS mode

Hi,
I' ve a Cisco ASA5510 with AIP-SSM and I wold like to use it like a one-armed IDS for connect them to a span port of a switch in my network,
without the traffic passing through the Firewall.
I've try to configure it and connect the interface inside (fast0/1) to the span port, I create the policy for permit all the traffic to the Sensor but it doesn't work, no packet recived on sensor.
somebody can help me?
thanks

Unfortunately you can't use the AIP-SSM in an ASA with a spanning switch like you could with the 4200 series appliances.
The reason is that the ASA was built to be a firewall, and no matter how much of that functionality you turn off, it still needs to see TCP and UDP conversations flowing thru the ASA in order to pass that traffic to the AIP-SSM sensor (I tired very hard to see if I could get around this limitation, but you can't).
The best you can hope to do is put the ASA in-line (I know this reduces reliability) and turn off as much of the firewall configs you can. Then you can promisciously monitor the traffic passing thru teh ASA with teh AIP-SSM.
It's not ideal, but it's the cheapest IPS sensor in Cisco's line up right now.
- Bob

Password Reset for AIP-SSM 10

Hi,
i have an ASA5520 with v 7.2(2) running.
but the IPS module spftware is 5.1
when i tried to login to the > session 1
it prompts me for a login and password.
i tried cisco and a few other combinations.. but no luck ,,
how do i reset it ?? also that reset procedure on the docs says its resets password or the user cisco ..
how can i be sure if the user cisco even exists on it or not ?
any help please ???

no man it doesnt ..
the link u specified says it too..
hw-module module slot_number password-reset?This command recovers a password on a Cisco ASA 5500 Series Content Security and Control Security Services Module (CSC-SSM) or the AIP-SSM without having to re-image the device.
Note: This command starts support from IPS 6.0 (ASA 7.2 version) and is used to restore the Cisco CLI account password to the default cisco
hers my ASA and IPS details..
ASA# sh version
Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)
Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "disk0:/asa722-k8.bin"
Config file at boot was "startup-config"
ASA up 22 days 3 hours
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
ASA# sh module 1
Mod Card Type Model Serial No.
1 ASA5500 SSM-10 ASA-SSM-10 B155670DW4
Mod MAC Add Range Hw Ver. Fw Ver. Sw Ver.
1 00xx to 001 1.0 1.0(10)0 5.0(2)S152.0
Mod SSM Apps. Name Status SSM Apps Version
1 IPS Up 5.0(2)S152.0
Mod Status Data Plane Status Compatibility
1 Up Up

Transfer Config between Different Boxes

Hi,
We need to transfer complete configuration from one SAP Client (Development client) to another and both the clients are in different boxes (Server) in order to bring configuration in both the boxes in sync.
Kindly suggest the best practice and the process to be followed.
Regards,
Ghanapriya

We can transfer config between systems by migrating table data. We need to identify all tables to be migrated to other systems and upload them in destination system. Basis team will be the best contact to migrate standard tables data.
Thanks.

AIP-SSM, it is not sensing the traffic

Hi everyone, i have a trouble, now iam using an ASA 5510 with AIP-SSM10, my problem is when I redirect the traffic to the AIP-SSM for detects attacks, i probe it and then I look in the events logs of the IPS, and the sensor dont detect nothing, is necessary to install an IPS license??, it is for my own project, thanks.

Unless you are scanning across the ASA, the SSM module will not "see" the scan and cannot produce events. To alarm on an SSM module, you must scan from one network to another. Basically, the SSM cannot do promiscuous monitoring. I would recommend an IPS appliance if you want to monitor traffic sent between hosts of the same network.
** Pls rate if this helps **

Configuring SNMP Trap receiver on AIP-SSM sensor

I receive the following error message from my ASA5520 firewall when attempting to forward SNMP traps from my AIP-SSM20 sensor to a server on my Inside interface that is configured to receive SNMP traps:
ASA-4-418001: Through-the-device packet to/from management-only network is denied: udp src management: 10.3.21.2/32768 dst Inside: PPC0ES/162
Can I reconfigure the management IP address of the AIP-SSM sensor to connect to the Inside interface instead of the management vlan or does my SNMP server have to reside on the management vlan with the sensor?

Hi Subodh,
Yes, the AIP-SSM can operate in either inline (IPS) or promiscuous (IDS) mode. I would recommend you start by reviewing the following config guide, which shows you how to configure the ASA to pass traffic to the SSM for inspection:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
If you have any other specific questions, feel free to post back.
Hope that helps.
-Mike

AIP-SSM (Not Applicable)

Hi Experts,
             We have 2ASA and each one have AIP-SSM,with 2nd ASA AIP-SSM I tried to upload latest image for AIP-SSM 20 but didnt worked and now i see module is dead...pls check the detials below.....pls help me out how to make it up or work properly so that i can config other stuff.Pls its very imp and urgent help me out....
ASA-A:
251-DBSi-ASA5540# sh module 1
Mod Card Type                                    Model              Serial No.
1 ASA 5500 Series Security Services Module-20 ASA-SSM-20         JAF11370608
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
1 0007.0e11.e13b to 0007.0e11.e13b 1.0          1.0(11)2     5.1(6)E1
Mod SSM Application Name           Status           SSM Application Version
1 IPS                            Up               5.1(6)E1
Mod Status             Data Plane Status     Compatibility
1 Up                 Up
ASA-B:
251-DBSi-ASA5540# sh module 1
Mod Card Type                                    Model              Serial No.
1 ASA 5500 Series Security Services Module-20 ASA-SSM-20         JAF1137060C
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
1 001d.4524.a414 to 001d.4524.a414 1.0          1.0(11)2     5.1(6)E1
Mod SSM Application Name           Status           SSM Application Version
1 IPS                            Not Applicable   5.1(6)E1
Mod Status             Data Plane Status     Compatibility
1 Recover            Not Applicable

Please try rebooting the module, if it does not work recovery it using the following procedure
http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/cliimage.html#wpxref68481
Regards
Farrukh

Configuring AIP SSM to monitor only

Hi all,
We purchased an AIP-SSM-20 for our ASA5520. Is there a way to enable IPS functionality, but not block anything, i.e. just log events? This is just to see if any legitimate company traffic will be blocked.
Thanks!
Jacques

Configure the ASA to send traffic to the IPS in promiscuous mode using the following command in a policy-map:
hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close |
fail-open} [sensor {sensor_name | mapped_name}]
http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/aipssm.html
Geroge

Configuring AIP-SSM modelue

hi,
we have AIP-SSM-40 modeule installed on ASA 5540 but it is just physically present.
Is it possible to configure to this modeule in inline or like IDS mode? It has only one Ethernet interface. Can this interface be treated as sensor interface and mark a copy of all incoming frames on this interface ( by SPA on switches ).
Please share the experience.
Thanks in advance.
Subodh

Hi Subodh,
Yes, the AIP-SSM can operate in either inline (IPS) or promiscuous (IDS) mode. I would recommend you start by reviewing the following config guide, which shows you how to configure the ASA to pass traffic to the SSM for inspection:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
If you have any other specific questions, feel free to post back.
Hope that helps.
-Mike

How ASA forwarding traffic to AIP-SSM

Hi All,
Can someone help how ASA device forwarding traffic to AIP-SSM? I'm not taking abt Configuration part like Class-map, policy-map and service policy....want to understand the traffic flow from ASA once traffic matched with ACL to AIP-SSM.
From one of Cisoc document, understood that the module using a Cisco Propietary protocol for communicating with ASA appliance.
================================================================================================================
FYR from Cisco Website:
Q. How does the Cisco ASA AIP-SSM plug into and communicate with the appliance?
A. The Cisco ASA AIP-SSM plugs directly into the SSM slot in the Cisco ASA appliance's chassis. This provides a direct connection to the appliance's backplane. Once the module is installed, a proprietary protocol runs over the bus and controls data flow and messaging between the module and appliance.
================================================================================================================
Regards,
S.Vinoth

Hey ,
as you mentioned above , it uses a cisco Probietary protocol for that communication , there are two interfaces , control channel and data channnel , data channel is where the traffic being forwarded , the backplane is the connection between the ASA and the IPS interface .
Hope that this helps .
Mohammad.

IPS Labs using AIP SSM 10

Hi,
Can anybody send me a lab with a scenario for IPS using AIP SSM 10 and and if they could be for both CLI as well as by using ASDM. Also, when I was trying to access IPS using ASDM, I was getting an error message "Error connecting to sensor. Failed to load sensor-Error getting config data from following modules analysisEngine signatureDefinition networkAccess host". Can anybody please give me a solution for it.
Thanks.

Cisco had orginally planned to add a "keep alive" signature to 6.0. but that feature got dropped. The intent was to fire off a signature every few mins as long as the sensor was seeing valid traffic. The absence of seeing this signature should trigger some attention to a downed sensor.
You can write a custom sig, but you have to be able to detect the loss of that event to be of value.

AIP-SSM-10 sensor upgrade

I have two ASA5520's with ASA-SSM-10 modules which are running Cisco Intrusion Prevention System, Version 6.0(6)E4. These are located at two different sites (one is local and the other remote from where I am based) and so are not running failover.
I understand there is an auto update signature option with Version 6.1 or later which I would like to set up.
The ASA5520's are running Cisco Adaptive Security Appliance Software Version 8.2(5).
Can anyone recommend whether I should be looking at upgrading to Version 6.2 or 7.0 and perhaps why.
Do I also just apply the engine update and then update the latest signatures for good measure.
I was thinking of doing the upgrade through the IDM and was a bit confused about the recovery and system images and what the correct procedure should be e.g. backup the AIP config, tftp the existing image, install the new engine image and reboot the sensor?
Any comments or assistance would be appreciated.
Thanks, Peter.

Hello Peter,
Hope you are doing fine,
I would encourage you to go to the latest IPS image available now days whitch is : 7.1.7 Engine 4
Why is that?
Because you will ensure you will have a device with the latest image that will provide you fixes to previous bugs, new features, etc etc.
So go for it.
Now regarding the upgrade
From the CLI
On configuration terminal mode
Configuration terminal
upgrade ftp://user:[email protected]/upgrade_file_name
http://www.networkstraining.com/how-to-upgrade-the-cisco-ips-module-aip-ssm/
Regards,
Julio Carvajal

Sync configs between AIP-SSMs

Similar Messages

Maybe you are looking for