How to monitor ASA5510 with AIP-SSM remotely?

markloman
Level 1

Hi all,

Last week I purchased a brand new ASA 5510 with AIP-SSM (ASA5510-AIP10-K9). It came in with ASA version 7.2(2) and IPS version 5.1(1)S205.0.

I cannot monitor the IPS from within ASDM because IPS 6.0.1 or higher is required. My questions:

1. Why was the new unit shipped with IPS 5.1? Shouldn't I have gotten IPS 6.0.1 in the first place?

2. Do I need a support contract to be able to upgrade to IPS 6.0.1? I want to update the signatures too. What contract would I need?

3. What is the best approach to remotely monitor the AIP-SSM with IPS 5.1 on it? Better upgrade to 6.0.1, right?

Hope someone can shed some light.

Kind regards,

Mark Loman

5 Replies

acomiskey
Level 10

Thanks for the quick response! I appreciate it. The https:// is only working when I'm connected to the SSM management port. I am not planning to connect anything to that port (or must I?). I've read the following concerning another module, the CSC SSM:

"The management port of the CSC SSM must be connected to your network to allow management of and automatic updates to the CSC SSM software. Additionally, the CSC SSM uses the management port for email notifications and syslogging."

Is this the same for AIP-SSM? (it's not mentioned in the manual)

In my situation, the AIP-SSM has IP address 10.2.0.201/24 and 10.1.1.0/24 has access for it. But the ASA has defined 10.2.0.201 as outside while 10.2.0.0/24 is actually defined inside (on the ASA). The log states:

"Teardown TCP connection 1494 for outside:10.1.1.150/59990 to outside:10.2.0.201/443 duration 0:00:00 bytes 0 Flow is a loopback"

10.2.0.0/24 is defined on ASA Ethernet0/1 (nameif inside), but - as mentioned above - I do not want to physically connect AIP-SSM with that network (I would need to purchase a switch, just to manage AIP-SSM). I just want to manage the AIP-SSM over a Site-to-Site VPN (10.1.1.0/24). I cannot find any information on this.

Thanks!

Mark
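
An added example, not part of the original post: a small Python parser for the teardown message quoted above that counts zero-byte sessions to the module's management address where the ASA logged the same interface on both ends. The function names and every sample line after the first are constructed for illustration.

```python
import re
from collections import Counter

# ASA connection-teardown message body, in the form quoted in the post above.
TEARDOWN = re.compile(
    r"Teardown (?P<proto>TCP|UDP) connection (?P<conn>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+))?$"
)

def parse_teardown(line):
    """Return the fields of a teardown message as a dict, or None if no match."""
    m = TEARDOWN.search(line.strip().strip('"'))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("conn", "src_port", "dst_port", "bytes"):
        rec[key] = int(rec[key])
    return rec

def failed_mgmt_sessions(lines, mgmt_ip):
    """Count zero-byte sessions to mgmt_ip where the ASA saw both ends on the
    same interface, keyed by (source IP, interface, destination port, reason)."""
    hits = Counter()
    for line in lines:
        rec = parse_teardown(line)
        if rec is None or rec["dst_ip"] != mgmt_ip:
            continue
        if rec["src_if"] == rec["dst_if"] and rec["bytes"] == 0:
            hits[(rec["src_ip"], rec["src_if"], rec["dst_port"], rec["reason"])] += 1
    return hits

# First line is the message from the post; the rest are constructed samples.
SAMPLE_LOG = [
    "Teardown TCP connection 1494 for outside:10.1.1.150/59990 to outside:10.2.0.201/443 duration 0:00:00 bytes 0 Flow is a loopback",
    "Teardown TCP connection 1495 for outside:10.1.1.150/59991 to outside:10.2.0.201/443 duration 0:00:00 bytes 0 Flow is a loopback",
    "Teardown TCP connection 1496 for outside:10.1.1.150/59992 to inside:10.2.0.10/80 duration 0:00:12 bytes 5120 TCP FINs",
    "Built inbound TCP connection 1497 for outside:10.1.1.150/59993 (10.1.1.150/59993) to inside:10.2.0.10/80 (10.2.0.10/80)",
]

if __name__ == "__main__":
    for (src, ifc, port, reason), n in failed_mgmt_sessions(SAMPLE_LOG, "10.2.0.201").items():
        print(f"{n} session(s) from {src} to port {port} on '{ifc}' both ends: {reason}")
```
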

Either way you want to manage it (ASDM integrated or IDM), you will need to connect the management port of the AIP-SSM to the network. When you upgrade the code to 6.0 and try to connect, the IDM will not be able to connect if the management port is not on the network. Any time I set it up, I will connect the AIP-SSM to a switchport and place that switchport in a management VLAN. That way you can filter all the traffic that you do not want to enter that VLAN.

Hi,

If you want to manage your AIP remotely using the IDM, you will need to have the management interface connected to the network so that it can be reached by IP. If you don't want to do it like that, then you can connect remotely to the ASA and then log in to the AIP, but using the CLI only.

Hmm... for one of my customers I had deployed the ASA with the CSC-SSM module. From outside I was able to log into the ASDM and manage the ASA, but since the CSC module has an internal private IP address, I don't get to manage the CSC SSM from the ASDM. I then connected the CSC SSM to the public IP and tried accessing it, and was still not able to do so.

Any ideas?

_hoogen
