AIP-SSM configuration assistance

Tshi M (Level 5)

I have two questions regarding the AIP-SSM.

1) Does the ACL on AIP-SSM have any type of relations to the ASA ACL?

2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?

3) Should then the management interface be used as the gateway for the SSM?

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 65.x.x.1 255.255.255.0 standby 65.x.x.2
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.x.1 255.255.255.0 standby 172.16.x.2
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 speed 100
 duplex full
 nameif management
 security-level 100
 ip address 10.0.x.1 255.255.255.0 standby 10.0.x.2
 management-only

Accepted Solution

vitripat (Level 7)

Here are the answers to your questions-

1) Does the ACL on AIP-SSM have any type of relations to the ASA ACL?

Ans) No. ACL on SSM is completely independent of ACLs on ASA.

2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?

Ans) Absolutely. You can assign the management port of the SSM an IP in the same subnet as your management interface. That way all management traffic will be kept independent of normal DATA traffic.

3) Should then the management interface be used as the gateway for the SSM?

Ans) You are right. :-)

Hope that helps.

Regards,

Vibhor.
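As an added example (not part of the original thread or the accepted answer), this is what answers 1 to 3 look like on the AIP-SSM's own CLI, reached from the ASA with `session 1`. The poster's masked management subnet 10.0.x.0/24 is assumed here to be 10.0.1.0/24, with the ASA Management0/0 at 10.0.1.1 (its default gateway for the module) and 10.0.1.10 chosen for the SSM; the host name and those addresses are assumptions. The `access-list` under `network-settings` is the sensor's management-host ACL from answer 1: it decides which hosts may open management sessions to the sensor and has nothing to do with the ASA's interface ACLs.

```cisco
! Assumed values: subnet 10.0.1.0/24, ASA mgmt 10.0.1.1, SSM 10.0.1.10, host name aip-ssm
! Cable the SSM's external management port into the same switch/VLAN as Management0/0.
ciscoasa# session 1
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
! host-ip <address>/<prefix>,<default-gateway>; the gateway is the ASA management interface
sensor(config-hos-net)# host-ip 10.0.1.10/24,10.0.1.1
sensor(config-hos-net)# host-name aip-ssm
sensor(config-hos-net)# telnet-option disabled
! Sensor management ACL: only the management subnet may reach the sensor's SSH/HTTPS.
! Independent of any ASA access-list; the ASA never evaluates it.
sensor(config-hos-net)# access-list 10.0.1.0/24
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
sensor# show configuration | include host-ip|access-list
```

Keep the sensor ACL as tight as the ASA management-only interface already is; the module is a separate host with its own SSH and HTTPS listeners, so restricting it to the management subnet avoids exposing those services to data-plane networks by accident.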


After making changes to the IDS sensor, it prompts for a node reboot. Does this reboot affect the firewall as well (i.e. causing the firewall to reboot)?

The reboot required is just for the IPS on the SSM. The ASA itself will not be rebooted; it is only the SSM module that will be rebooted.

If your ASA configuration is using the SSM module and it is configured as "fail-close", only then will you face issues when the SSM module is reloaded. Make sure the ASA configuration has the following line if using SSM services:

ips {inline | promiscuous} fail-open

This way, even if you reload the SSM module, it won't break the traffic through the ASA.

Hope that helps.

Regards,

Vibhor.
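As an added example (not part of the original reply), this shows where the `ips ... fail-open` line sits in the ASA's Modular Policy Framework and how to check it before reloading the module. The access-list and class-map names `ips-traffic` and `ips-class` are assumptions; the policy-map `global_policy` and the slot number 1 are the defaults on an ASA with one SSM.

```cisco
! Assumed names: ips-traffic, ips-class. Sends all traffic to the SSM inline.
access-list ips-traffic extended permit ip any any
!
class-map ips-class
 match access-list ips-traffic
!
policy-map global_policy
 class ips-class
  ! fail-open: if the module is down or reloading, matched traffic bypasses the IPS.
  ! fail-close would instead drop that traffic for the whole reload window.
  ips inline fail-open
!
service-policy global_policy global
!
! Verify the policy and module state before touching the module
show run policy-map
show module 1 details
! Reload only the SSM; the ASA keeps forwarding under fail-open
hw-module module 1 reload
```

`show module 1 details` reports the module's own status and management IP, so it is also the quickest way to confirm the SSM came back after the reload. The failover caveat in the next reply still applies: fail-open protects the traffic path, not the failover decision.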

Not only that, but if your ASAs are in a failover configuration and you reboot the SSM on the primary firewall, it will cause a failover to the standby.