03-16-2007 01:03 PM - edited 03-10-2019 03:31 AM
I have two questions regarding the AIP-SSM.
1) Does the ACL on AIP-SSM have any type of relations to the ASA ACL?
2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?
3) Should then the management interface be used as the gateway for the SSM?
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 65.x.x.1 255.255.255.0 standby 65.x.x.2
!
interface GigabitEthernet0/1
nameif dmz
security-level 50
ip address 172.16.x.1 255.255.255.0 standby 172.16.x.2
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
speed 100
duplex full
nameif management
security-level 100
ip address 10.0.x.1 255.255.255.0 standby 10.0.x.2
management-only
03-16-2007 01:10 PM
Here are the answers to your questions-
1) Does the ACL on AIP-SSM have any type of relations to the ASA ACL?
Ans) No. ACL on SSM is completely independent of ACLs on ASA.
2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?
Ans) Absolutely. You can assign the management port of SSM an IP in the same subnet as your management interface. That way all management traffic will be kept independent of normal DATA traffic.
3) Should then the management interface be used as the gateway for the SSM?
Ans) You are right .. :-)
Hope that helps.
Regards,
Vibhor.
03-30-2007 06:32 AM
After making changes to the IDS sensor, it prompts for a node reboot. Does this reboot affect the firewall as well (i.e. causing the firewall to reboot)?
03-30-2007 09:45 AM
The reboot required is just for the IPS on the SSM. The ASA itself will not be rebooted, it is only the SSM module that will be rebooted.
03-30-2007 10:05 AM
If your ASA configuration is using the SSM module and it is configured as "fail-close", only then will you face issues when the SSM module is reloaded. Make sure that the ASA configuration has the following line if using SSM services-
ips {inline | promiscuous} fail-open
This way, even if you reload the SSM module, it won't break the traffic through the ASA.
Hope that helps.
Regards,
Vibhor.
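The point above is worth checking mechanically before a planned SSM reload: the `ips` action lives under a class inside a policy-map, and only policy-maps applied with `service-policy` actually divert traffic. The script below is an added example, not code from the thread or from Cisco; it parses a constructed ASA configuration excerpt (not the poster's config) and reports every `ips ... fail-close` line together with where its policy-map is applied. It assumes the plain `ips {inline | promiscuous} {fail-open | fail-close}` form shown in the post and the usual one-space/two-space indentation of a `show running-config`.

```python
import re

# Constructed example ASA configuration (not the thread's config): one policy-map
# diverts traffic to the AIP-SSM with fail-close, the other with fail-open.
SAMPLE_CONFIG = """\
class-map IPS
 match access-list IPS
class-map DMZ_IPS
 match access-list DMZ_IPS
!
policy-map global_policy
 class inspection_default
  inspect dns
 class IPS
  ips inline fail-close
!
policy-map dmz_policy
 class DMZ_IPS
  ips promiscuous fail-open
!
service-policy global_policy global
service-policy dmz_policy interface dmz
"""

# Matches the ips action form used in the thread; the optional `sensor` suffix
# of later ASA releases is deliberately not modelled here (assumption).
IPS_RE = re.compile(r"^ips\s+(inline|promiscuous)\s+(fail-open|fail-close)\b")


def parse_ips_actions(config_text):
    """Return one dict per `ips` line: policy-map, class, mode and failure action.

    Tracks the running-config indentation: top-level lines reset context,
    one-space lines under a policy-map are classes, two-space lines are actions.
    """
    findings = []
    policy = cls = None
    for raw in config_text.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        if not line or line.startswith("!"):
            continue
        if indent == 0:
            policy = cls = None
            parts = line.split()
            # `policy-map type inspect ...` blocks carry no ips action; skip them
            if parts[0] == "policy-map" and len(parts) >= 2 and parts[1] != "type":
                policy = parts[1]
        elif policy and indent == 1 and line.startswith("class "):
            cls = line.split()[1]
        elif policy and cls:
            m = IPS_RE.match(line)
            if m:
                findings.append({"policy_map": policy, "class": cls,
                                 "mode": m.group(1), "on_failure": m.group(2)})
    return findings


def applied_policy_maps(config_text):
    """Map each policy-map name to the `service-policy` target that applies it."""
    applied = {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "service-policy":
            applied[parts[1]] = " ".join(parts[2:])
    return applied


def fail_close_findings(config_text):
    """ips lines that would drop traffic while the SSM reloads, with their scope."""
    applied = applied_policy_maps(config_text)
    return [{**f, "applied": applied.get(f["policy_map"], "not applied")}
            for f in parse_ips_actions(config_text)
            if f["on_failure"] == "fail-close"]


if __name__ == "__main__":
    for f in fail_close_findings(SAMPLE_CONFIG):
        print(f"policy-map {f['policy_map']} class {f['class']}: "
              f"ips {f['mode']} fail-close (applied: {f['applied']})")
```

Run it against a saved `show running-config`; any line it prints is a class whose traffic will stop while the SSM reloads, and the fix is to change that line to `fail-open` (or accept the outage deliberately). A finding reported as "not applied" is harmless today but will bite the moment someone attaches that policy-map.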
03-30-2007 11:49 AM
Not only that, but if your ASA's are in a failover configuration, if you reboot the SSM on the primary firewall, it will cause a failover to the standby.