upgrading IPS strings, ASA SSM-10 module

Answered Question

My suggestion to you would be this: Use the IDM provided with the system. It is a lot easier for people unfamiliar with the IPS in CLI mode.


You can access this device via a webpage, https://IPADDRESS, and modify it like this. I do have to point out that the IPS limits this connectivity out of the box. You'll want to modify this access-list to include the IP address you're connecting from. Also, you'll want to ensure the HTTPS Service is enabled, and on port 443 for ease of use. All of this will need to happen initially in the CLI.


Once you're in the IDM you'll want to select "Configuration". From here scroll down to the update section. You'll select "update is located on this client" and you're golden. You can simply upload your latest signature from the XP machine.

saidfrh Sun, 04/06/2008 - 08:07

I can connect the LAN switch directly to the inside interface of the ASA5510 firewall. Hosts can get Internet connectivity while cabled to the switch. However, when the LAN switch is connected to the port on the IPS module, there is no Internet connectivity. Any suggestions would be appreciated. The following is the sh configuration and sh int output.

sh configuration
Version 5.1(6)
! Current configuration last modified Sat Apr 05 12:28:11 2008
! ------------------------------
service interface
exit
! ------------------------------
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 192.168.1.36/24,192.168.1.10
host-name ips
telnet-option enabled
access-list 0.0.0.0/0
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit


ips# sh interfaces
Interface Statistics
Total Packets Received = 6806
Total Bytes Received = 2001784
Missed Packet Percentage = 0
Current Bypass Mode = Auto_off
MAC statistics from interface GigabitEthernet0/1
Interface function = Sensing interface
Description =
Media Type = backplane
Missed Packet Percentage = 0
Inline Mode = Unpaired
Pair Status = N/A
Link Status = Up
Link Speed = Auto_1000
Link Duplex = Auto_Full
Total Packets Received = 6807
Total Bytes Received = 2001866
Total Multicast Packets Received = 0
Total Broadcast Packets Received = 0
Total Jumbo Packets Received = 0
Total Undersize Packets Received = 0
Total Receive Errors = 0
Total Receive FIFO Overruns = 0
Total Packets Transmitted = 6807
Total Bytes Transmitted = 2017118
Total Multicast Packets Transmitted = 0
Total Broadcast Packets Transmitted = 0
Total Jumbo Packets Transmitted = 0
Total Undersize Packets Transmitted = 0
Total Transmit Errors = 0
Total Transmit FIFO Overruns = 0
MAC statistics from interface GigabitEthernet0/0
Interface function = Command-control interface
Description =
Media Type = TX
Link Status = Down
Link Speed = N/A
Link Duplex = N/A
Total Packets Received = 126
Total Bytes Received = 14255
Total Multicast Packets Received = 0
Total Receive Errors = 0
Total Receive FIFO Overruns = 0
Total Packets Transmitted = 1
Total Bytes Transmitted = 64
Total Transmit Errors = 0
Total Transmit FIFO Overruns = 0
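
The first answer tells the poster that the sensor refuses management connections out of the box until its access-list includes the admin workstation, and the dump above shows the two settings that matter for that: access-list 0.0.0.0/0 and telnet-option enabled. As an added example (not part of this thread and not Cisco code), here is a small Python audit that parses the service host section of an IPS 5.x "show configuration" dump and reports whether the management plane is open to everyone, whether cleartext telnet is on, and whether a given admin host would be allowed in at all. The sample text is a constructed copy of the relevant lines from the poster's dump; the function names are my own.

```python
import ipaddress

# Constructed sample: the "service host" section of the poster's
# "show configuration" output, plus the empty web-server section after it.
SAMPLE_IPS_CONFIG = """\
! ------------------------------
service host
network-settings
host-ip 192.168.1.36/24,192.168.1.10
host-name ips
telnet-option enabled
access-list 0.0.0.0/0
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
! ------------------------------
service web-server
exit
"""


def parse_host_settings(config):
    """Extract the network-settings of 'service host' from IPS 5.x
    'show configuration' output.  Sub-modes are entered by a single-word
    line and left with 'exit', so a small stack tracks where we are."""
    stack = []
    settings = {"host_ip": None, "gateway": None,
                "telnet_enabled": False, "access_lists": []}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("service "):
            stack = [line.split(None, 1)[1]]      # new top-level service block
        elif line == "exit":
            if stack:
                stack.pop()
        elif " " not in line:
            stack.append(line)                    # e.g. network-settings
        elif stack[:2] == ["host", "network-settings"]:
            key, _, value = line.partition(" ")
            if key == "host-ip":
                # format is "sensor-ip/prefix,default-gateway"
                ip_mask, _, gw = value.partition(",")
                settings["host_ip"], settings["gateway"] = ip_mask, gw or None
            elif key == "telnet-option":
                settings["telnet_enabled"] = (value == "enabled")
            elif key == "access-list":
                settings["access_lists"].append(value)
    return settings


def audit_management_access(settings, admin_host):
    """Findings about who can reach the sensor's management plane and
    whether the admin workstation (admin_host) is allowed in."""
    findings = []
    if settings["telnet_enabled"]:
        findings.append("telnet-option enabled: management sessions can run in "
                        "cleartext; disable it and use SSH and HTTPS (IDM) instead")
    nets = [ipaddress.ip_network(a, strict=False) for a in settings["access_lists"]]
    for net in nets:
        if net.prefixlen == 0:
            findings.append(f"access-list {net}: management reachable from any "
                            "address; restrict it to the admin hosts or subnet")
    host = ipaddress.ip_address(admin_host)
    if not any(host in net for net in nets):
        findings.append(f"admin host {admin_host} matches no access-list entry; "
                        "add it before trying IDM, SSH or the signature upload")
    return findings


if __name__ == "__main__":
    parsed = parse_host_settings(SAMPLE_IPS_CONFIG)
    for finding in audit_management_access(parsed, "192.168.1.50"):
        print("-", finding)
```

Run against the poster's dump with any admin address, the audit reports the telnet and the 0.0.0.0/0 entries; a locked-down sensor with access-list 192.168.1.0/24 and telnet disabled produces no findings for a host on that subnet and exactly one for a host outside it.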


I'm not too sure what you mean by "connected to the port on the IPS." The port on your SSM is merely a management port. It is not anything that would interfere with network connectivity.


Please advise on your cabling. You should still connect up as you would normally. Here is what a config of the ASA should look like:


hostname(config)# access-list IPS permit ip any any
hostname(config)# class-map my-ips-class
hostname(config-cmap)# match access-list IPS
hostname(config-cmap)# policy-map my-ids-policy
hostname(config-pmap)# class my-ips-class
hostname(config-pmap-c)# ips inline fail-open
hostname(config-pmap-c)# service-policy my-ids-policy global   ** Or whatever your main service policy is **


I took this directly from the CISCO AIP setup. http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliSSM.html


I hope this is what you were needing. Please let us know if it is not.
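
The ASA commands in the answer above build one Modular Policy Framework chain: the access-list selects the traffic, the class-map references the access-list, the class inside the policy-map applies the ips action, and service-policy activates the policy. As an added example (not from this thread and not from Cisco's guide), the Python script below walks that chain in a running-config excerpt and reports whether it is complete, in which mode (inline or promiscuous) traffic reaches the SSM, and which failure behaviour was chosen; fail-open is reported as a finding because traffic bypasses inspection while the module is unavailable. The config text is a constructed rendering of the answer's commands as the ASA prints them, and the function names are assumptions of mine.

```python
import re

# Constructed example: the answer's commands as they appear in
# "show running-config" (extended ACLs print as "access-list NAME extended permit ...").
SAMPLE_ASA_CONFIG = """\
access-list IPS extended permit ip any any
class-map my-ips-class
 match access-list IPS
policy-map my-ids-policy
 class my-ips-class
  ips inline fail-open
service-policy my-ids-policy global
"""


def _blocks(config):
    """Split an ASA config into (header, [(indent, line), ...]) pairs using the
    one-space-per-level indentation the ASA prints for sub-mode lines."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append((indent, raw.strip()))
    return blocks


def describe_ips_policy(config):
    """Follow the chain service-policy -> policy-map -> class -> class-map ->
    access-list and return one record per class that carries an 'ips' action."""
    acls, class_maps, policy_maps, applied = set(), {}, {}, {}
    for header, children in _blocks(config):
        words = header.split()
        if words[0] == "access-list" and "permit" in words:
            acls.add(words[1])
        elif words[0] == "class-map":
            for _, line in children:
                m = re.match(r"match access-list (\S+)", line)
                if m:
                    class_maps[words[1]] = m.group(1)
        elif words[0] == "policy-map":
            classes, current = {}, None
            for indent, line in children:
                if indent == 1 and line.startswith("class "):
                    current = line.split()[1]
                    classes[current] = []
                elif indent > 1 and current is not None:
                    classes[current].append(line)      # action under the class
            policy_maps[words[1]] = classes
        elif words[0] == "service-policy" and len(words) >= 3:
            # "service-policy NAME global" or "service-policy NAME interface IFNAME"
            applied[words[1]] = words[3] if words[2] == "interface" and len(words) > 3 else words[2]
    report = []
    for pm_name, classes in policy_maps.items():
        for cls, actions in classes.items():
            ips = next((a for a in actions if a.startswith("ips ")), None)
            if ips is None:
                continue
            parts = ips.split()
            acl = class_maps.get(cls)
            report.append({
                "policy_map": pm_name,
                "applied": applied.get(pm_name),      # None: defined but never applied
                "class": cls,
                "acl": acl,
                "acl_defined": acl in acls,
                "mode": parts[1],                      # inline or promiscuous
                "failure": parts[2] if len(parts) > 2 else None,  # fail-open / fail-close
            })
    return report


def check_ips_policy(config):
    """Turn the report into findings a reviewer would act on."""
    report = describe_ips_policy(config)
    if not report:
        return ["no policy-map class carries an 'ips' action: nothing is sent to the SSM"]
    findings = []
    for r in report:
        if r["applied"] is None:
            findings.append(f"policy-map {r['policy_map']} is not applied with service-policy")
        if not r["acl_defined"]:
            findings.append(f"class {r['class']} matches access-list {r['acl']}, which is not defined")
        if r["failure"] == "fail-open":
            findings.append(f"class {r['class']}: fail-open lets traffic pass uninspected "
                            "while the SSM is down or reloading")
    return findings


if __name__ == "__main__":
    for finding in check_ips_policy(SAMPLE_ASA_CONFIG):
        print("-", finding)
```

On the answer's configuration the only finding is the fail-open note, which is a deliberate choice rather than an error; deleting the service-policy line, the step most often forgotten, makes the script report that the policy-map is defined but never applied, which is exactly the state in which the sensor sees no traffic even though the cabling is fine.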
