AIP-SSM configuration assistance

Mar 16th, 2007

I have two questions regarding the AIP-SSM.

1) Does the ACL on AIP-SSM have any type of relations to the ASA ACL?

2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?

3) Should then the management interface be used as the gateway for the SSM?


interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 65.x.x.1 255.255.255.0 standby 65.x.x.2
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.x.1 255.255.255.0 standby 172.16.x.2
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 speed 100
 duplex full
 nameif management
 security-level 100
 ip address 10.0.x.1 255.255.255.0 standby 10.0.x.2
 management-only

Correct Answer
vitripat Fri, 03/16/2007 - 13:10

Here are the answers to your questions-


1) Does the ACL on AIP-SSM have any type of relations to the ASA ACL?


Ans) No. ACL on SSM is completely independent of ACLs on ASA.


2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?


Ans) Absolutely. You can assign the management port of SSM an IP in the same subnet as your management interface. That way all management traffic will be kept independent of normal DATA traffic.


3) Should then the management interface be used as the gateway for the SSM?


Ans) You are right .. :-)



Hope that helps.



Regards,

Vibhor.

Tshi M Fri, 03/30/2007 - 06:32

After making changes to the IDS sensor, it prompts for a node reboot. Does this reboot affect the firewall as well (i.e. causing the firewall to reboot)?

marcabal Fri, 03/30/2007 - 09:45

The reboot required is just for the IPS on the SSM. The ASA itself will not be rebooted, it is only the SSM module that will be rebooted.


vitripat Fri, 03/30/2007 - 10:05

If your ASA configuration is using the SSM module and it is configured as "fail-close", then you will face issues when the SSM module is reloaded. Make sure that the ASA configuration has the following line if using SSM services-


ips {inline | promiscuous} fail-open


This way, even if you reload the SSM module it won't break the traffic through the ASA.


Hope that helps.



Regards,

Vibhor.
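A worked configuration that ties the thread's points together (SSM management IP in the ASA management subnet with the ASA as gateway, the sensor's own access-list, and the fail-open policy line). This is an added example, not configuration from any of the posters; the class-map name, the sensor's address 10.0.0.5 and the subnet 10.0.0.0/24 are constructed stand-ins for the 10.0.x.0/24 network in the original post.

```text
! --- ASA side (constructed example; IPS-TRAFFIC is a placeholder name) ---
! Management0/0 is 10.0.0.1/24 here, standing in for 10.0.x.1 above.
class-map IPS-TRAFFIC
 match any
!
policy-map global_policy
 class IPS-TRAFFIC
  ips inline fail-open
!  Weak alternative: "ips inline fail-close" drops all matching traffic
!  while the SSM is down, e.g. during "hw-module module 1 reload".
!
service-policy global_policy global

! --- SSM side: IPS CLI on the module, reached with "session 1" from the ASA ---
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
! Sensor IP in the ASA management subnet; gateway is the ASA's
! Management0/0 address, as the accepted answer recommends.
sensor(config-hos-net)# host-ip 10.0.0.5/24,10.0.0.1
! Sensor access-list: which hosts may reach the sensor's management port.
! Evaluated by the SSM only; it has no relation to any ASA access-list.
sensor(config-hos-net)# access-list 10.0.0.0/24
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes?[yes]: yes
```

Verify the ASA side afterwards with "show service-policy" and the SSM side with "show configuration" from the sensor CLI.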

jshelmer Fri, 03/30/2007 - 11:49

Not only that, but if your ASAs are in a failover configuration, rebooting the SSM on the primary firewall will cause a failover to the standby.
