AIP SSM mode

Answered Question
Dec 11th, 2007

I purchased an ASA 5510 with SSM module for IPS to get in PCI compliance. I'm setting up the SSM and I don't know if I should use inline or promiscuous mode to monitor traffic. I'm afraid I'll slow things down if I do inline but I'm not sure if promiscuous mode is enough to satisfy PCI standards. Does anyone know which can or must be used?

Correct Answer by ccbootcamp about 8 years 10 months ago

Here ya go:


(please RATE the post if this helps!)

(Maybe the moderator can make this a sticky!)

Overall Rating: 5 (1 ratings)
ccbootcamp Tue, 12/11/2007 - 21:10

I believe you have to use inline mode, but I'm not 100% on this. I have the PCI compliance file that I can forward to you if you want to send me an email.

What is your bandwidth connection? The 5510 w/ the SSM can handle 150 Mbps. In terms of added latency, check it out for yourself, but I bet it's only an "ms" or two.

Here is a sample config for you as well:

I have a copy of Cisco's PCI compliance DOC from Paul Serbin (Cisco Security SE for the southwest region) somewhere in my email, but for whatever reason, I can't find it. If you want, shoot me an email, and after I dig it up, I will forward it to you. It has the exact requirements of Cisco hardware to meet PCI compliance.


(please rate the post if this helps!)
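Added example, not part of the original thread or of Cisco's documentation: a small Python check that reads an ASA running-config and reports, per policy-map class, whether traffic is sent to the AIP SSM in inline or promiscuous mode and what happens if the module fails. The config excerpt, the class and access-list names, and the function name `audit_ips_modes` are constructed for illustration.

```python
import re

# Constructed sample of an ASA running-config excerpt (not from the thread).
SAMPLE_CONFIG = """\
access-list IPS_TRAFFIC extended permit ip any any
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
class-map DMZ_CLASS
 match access-list DMZ_TRAFFIC
policy-map global_policy
 class inspection_default
  inspect dns
 class IPS_CLASS
  ips inline fail-open
 class DMZ_CLASS
  ips promiscuous fail-close
service-policy global_policy global
"""

# ASA syntax: ips {inline | promiscuous} {fail-open | fail-close}
IPS_RE = re.compile(r"^ips\s+(inline|promiscuous)\s+(fail-open|fail-close)\b")

def audit_ips_modes(config_text):
    """Return one dict per 'ips' action found under a policy-map class."""
    findings = []
    policy = cls = None
    for raw in config_text.splitlines():
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if indent == 0:
            # Any top-level command ends the current policy-map block.
            policy = line.split()[-1] if line.startswith("policy-map ") else None
            cls = None
        elif policy and line.startswith("class "):
            cls = line.split()[1]
        elif policy and cls:
            m = IPS_RE.match(line)
            if m:
                # inline: the SSM sits in the packet path; promiscuous: it sees a copy.
                findings.append({"policy": policy, "class": cls,
                                 "mode": m.group(1), "on_failure": m.group(2),
                                 "in_traffic_path": m.group(1) == "inline"})
    return findings

if __name__ == "__main__":
    for finding in audit_ips_modes(SAMPLE_CONFIG):
        print(finding)
```

With `fail-open` the ASA keeps forwarding traffic uninspected if the module is down; with `fail-close` it blocks the matched traffic until the module recovers.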

