AIP SSM Telnetting to FW?

Oct 10th, 2008

Hello,

I have recently upgraded my AIP-SSM-20 modules to 6.0(5)E2 at the recommendation of Cisco. I have 2 ASA5520s in single-context mode in an Active/Standby configuration. 1 module in each FW.

I have the IPS in promiscuous mode at the moment because honestly, I have no clue how to configure or effectively implement this tool.

I've been fumbling around the GUI / CLI and I have added the "host" firewalls as blocking devices (10.1.1.3 and 10.1.1.5), and set them to communicate via SSH 3DES. I created a profile called ASA that includes the login information. Since I updated the IPS firmware, I have been seeing a log message in ASDM saying:

TCP access denied by ACL from 10.1.1.65/46906 to inside:10.1.1.3/23.

I get this message for 10.1.1.65 and 10.1.1.68, the two IPS modules. I have verified that the correct credentials are configured in the IPS, as well as the correct connection type. I have removed the "Blocking Devices" config and then reapplied it, still no change. Why is the IPS trying to telnet to the firewall when it's explicitly configured to SSH? Any ideas would be great. Thanks!

rtjensen4 Fri, 10/10/2008 - 12:57

Yes, I've done that. I removed both hosts, and then re-added them. I thought maybe it had something to do with a bad key, so I removed the host keys for both firewalls, then had the IPS go grab them again. Thanks for the feedback.

Farrukh Haroon Sat, 10/11/2008 - 02:54

You need to add the following line on the Firewall:

ssh 10.1.1.65 255.255.255.255 inside

Regards

Farrukh

rtjensen4 Tue, 10/14/2008 - 05:33

Hi Farrukh,

I already allow the 10.1.1.0 /24 network via SSH to the inside interface of the fw. It's very strange because the IPS is not using SSH as it should, it's trying to connect on port 23, which is telnet, not port 22 as it should. Thanks for the suggestion. Any other ideas??

Farrukh Haroon Tue, 10/14/2008 - 06:04

Can you post a screenshot of the IDM page where you added the firewall as a blocking device? Have you ensured that you selected SSH as the transport protocol there?

Regards

Farrukh

Farrukh Haroon Tue, 10/14/2008 - 06:22

Do the following:

> Regenerate the keys on the ASA, set it to modulus 1024 this time.

> Delete the key/blocking device in the sensor.

> Re-Add

> Check the sensor event log and ASA syslog for any errors. Make sure you check the box to see blocking/attack response events.

Regards

Farrukh
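The ASA-side commands that the four steps above correspond to, collected into one fragment as an added example; this is editor-supplied illustration, not configuration posted by anyone in the thread. The sensor addresses (10.1.1.65, 10.1.1.68) and the firewall inside interface are the ones given in the question; the hostname, domain name and the `ipsblock` username are placeholders. One caveat that is an assumption to verify against the sensor release notes rather than a fact from this thread: older IPS releases negotiated SSH version 1 with blocking devices, so the fragment deliberately leaves `ssh version` at the ASA default (both versions accepted) instead of pinning it to 2.

```cisco
! Added example: ASA-side prerequisites for an AIP-SSM blocking device using SSH.
! Addresses come from the thread; hostname, domain and username are placeholders.
hostname asa5520
domain-name example.local

! Step 1: regenerate the RSA host key with a 1024-bit modulus.
! hostname and domain-name must be set before the key is generated.
! The sensor caches the old host key, so after this step delete and re-add the
! blocking device on the sensor (steps 2 and 3) so it fetches the new key.
crypto key generate rsa modulus 1024

! Step 2/3 prerequisite: SSH must be permitted from each sensor's management
! address on the interface it reaches (here both modules on "inside").
! A /24 permit covering 10.1.1.0 also works; host entries are shown for clarity.
ssh 10.1.1.65 255.255.255.255 inside
ssh 10.1.1.68 255.255.255.255 inside
ssh timeout 5

! Account the sensor's "ASA" profile logs in with (placeholder credentials).
! Without the aaa line, SSH login uses the default user "pix" and the passwd value.
username ipsblock password <password> privilege 15
aaa authentication ssh console LOCAL

! Deliberately NOT present: a "telnet 10.1.1.0 255.255.255.0 inside" line.
! Opening port 23 would silence the "TCP access denied by ACL" syslog from the
! question but would also mean the sensor is sending the blocking-device
! credentials in cleartext; the goal is to get the sensor onto port 22.

! Step 4 verification on the ASA.
show ssh sessions
show logging | include 10.1.1.65
show logging | include 10.1.1.68
```

On the sensor side, the matching checks are `show statistics network-access` (blocking-device connection state) and `show events nac` (network access controller / blocking events); these are the IPS 6.x CLI commands as recalled by the editor, so confirm them against the sensor's own `show events ?` help before relying on the names. If the ASA log still shows the sensor connecting to port 23 after the device has been re-added with SSH selected, the problem is in the sensor's blocking-device entry, not in the firewall's access lines.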
