AIP SSM Telnetting to FW?

Unanswered Question
Oct 10th, 2008


I have recently upgraded my AIP-SSM-20 modules to 6.0(5)E2 at the recommendation of Cisco. I have 2 ASA5520s in single-context mode in an Active/Standby configuration. 1 module in each FW.

I have the IPS in promiscuous mode at the moment because honestly, I have no clue how to configure or effectively implement this tool.

I've been fumbling around the GUI / CLI and I have added the "host" firewalls as blocking devices (, and, and set them to communicate via SSH 3DES. I created a profile called ASA that includes the login information. Since I updated the IPS firmware, I see a log message in ASDM saying:

TCP access denied by ACL from to inside:

I get this message for and, the two IPS modules. I have verified that the correct credentials are configured in the IPS, as well as the correct connection type. I have removed the "Blocking Devices" config and then reapplied it, still no change. Why is the IPS trying to telnet to the firewall when it's explicitly configured to SSH? Any ideas would be great. Thanks!

rtjensen4 Fri, 10/10/2008 - 12:57

Yes, I've done that. I removed both hosts, and then re-added them. I thought maybe it had something to do with a bad key, so I removed the host keys for both firewalls, then had the IPS go grab them again. Thanks for the feedback.

Farrukh Haroon Sat, 10/11/2008 - 02:54

You need to add the following line on the Firewall:

ssh inside



rtjensen4 Tue, 10/14/2008 - 05:33

Hi Farrukh,

I already allow the /24 network via SSH to the inside interface of the fw. It's very strange because the IPS is not using SSH as it should, it's trying to connect on port 23, which is telnet, not port 22 as it should. Thanks for the suggestion. Any other ideas??

Farrukh Haroon Tue, 10/14/2008 - 06:04

Can you post a screenshot of the IDM page where you added the firewall as a blocking device? Have you ensured that you selected SSH as the transport protocol there?



Farrukh Haroon Tue, 10/14/2008 - 06:22

Do the following:

> Regenerate the keys on the ASA, set it to modulus 1024 this time.

> Delete the key/blocking device in the sensor.

> Re-add

> Check the sensor event log and ASA syslog for any errors. Make sure you check the box to see blocking/attack response events.
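The thread turns on one diagnostic question: is the sensor really connecting on tcp/23 (a transport mismatch in the blocking-device profile), or is it connecting on tcp/22 and being refused because the `ssh` command ACL does not cover its address? The ASDM text quoted in the question ("TCP access denied by ACL from ... to inside:...") is the ASA's management-plane denial message, syslog ID 710003, and the destination port in that message answers the question. The following Python is an added example, not code from the original thread or from Cisco: it parses a constructed sample of ASA syslog lines (the addresses, interface names and sensor list are made up for illustration) and classifies each denial from a configured sensor as either "transport mismatch" (the port does not match the transport the profile specifies, as rtjensen4 observed above) or "ACL missing" (the expected port is being denied, which is the case Farrukh's first suggestion fixes).

```python
import re
from dataclasses import dataclass

# Constructed sample of ASA syslog output for illustration only.
# 710003 is the message the ASA logs when a connection to one of its own
# management services (ssh/telnet/http) is refused by the corresponding
# "ssh"/"telnet"/"http" command ACLs. The addresses are invented.
SAMPLE_SYSLOG = """\
%ASA-3-710003: TCP access denied by ACL from 10.10.10.21/4125 to inside:10.10.10.1/23
%ASA-3-710003: TCP access denied by ACL from 10.10.10.22/4126 to inside:10.10.10.1/23
%ASA-6-302013: Built inbound TCP connection 1001 for inside:10.10.10.50/51022 (10.10.10.50/51022) to identity:10.10.10.1/22 (10.10.10.1/22)
%ASA-3-710003: TCP access denied by ACL from 10.10.10.23/4127 to inside:10.10.10.1/22
%ASA-3-710003: TCP access denied by ACL from 172.16.5.9/3301 to outside:203.0.113.1/443
"""

# Hypothetical sensors configured as blocking devices on the ASA, keyed by
# sensor IP, with the transport the sensor's blocking-device profile claims.
SENSORS = {
    "10.10.10.21": "ssh",
    "10.10.10.22": "ssh",
    "10.10.10.23": "ssh",
}

# Destination port of the refused connection -> ASA management service.
SERVICE_BY_PORT = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}

DENY_RE = re.compile(
    r"%ASA-\d-710003: (?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<iface>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


@dataclass
class DeniedMgmtAccess:
    src: str      # host that tried to reach the ASA's management plane
    iface: str    # ASA interface the attempt arrived on
    dst: str      # ASA interface address it was aimed at
    dport: int    # destination port, which identifies the service
    service: str  # ssh / telnet / http / https / tcp-<port>


def parse_denials(text):
    """Extract every 710003 management-plane denial from raw ASA syslog text."""
    denials = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # other message IDs (e.g. 302013 connection built) are ignored
        dport = int(m.group("dport"))
        denials.append(DeniedMgmtAccess(
            src=m.group("src"),
            iface=m.group("iface"),
            dst=m.group("dst"),
            dport=dport,
            service=SERVICE_BY_PORT.get(dport, f"tcp-{dport}"),
        ))
    return denials


def classify_sensor_denials(denials, sensors):
    """Map sensor IP -> (kind, expected_transport, actual_service).

    kind is "transport_mismatch" when the sensor is using a different service
    than its profile specifies (e.g. telnet instead of ssh), and "acl_missing"
    when it is using the expected service but the ASA's ACL for that service
    does not permit the sensor's address. Denials from non-sensor hosts are
    left out; they are ordinary management-plane noise, not this problem.
    """
    findings = {}
    for d in denials:
        expected = sensors.get(d.src)
        if expected is None:
            continue
        kind = "acl_missing" if d.service == expected else "transport_mismatch"
        findings[d.src] = (kind, expected, d.service)
    return findings


if __name__ == "__main__":
    for ip, (kind, expected, actual) in classify_sensor_denials(
            parse_denials(SAMPLE_SYSLOG), SENSORS).items():
        if kind == "transport_mismatch":
            print(f"{ip}: profile says {expected}, sensor is using {actual}; "
                  f"re-check the blocking device transport and re-add it")
        else:
            print(f"{ip}: {expected} refused by ACL; add '{expected} <net> <mask> <iface>'")
```

Run against a real ASA, feed it `show logging` output (with `logging enable` and a trap level of at least errors so 710003 is recorded) instead of the constructed sample. A "transport_mismatch" finding for a sensor points back at the blocking-device configuration on the sensor side, which is what the thread ends up recommending to delete and re-add; an "acl_missing" finding means the sensor is doing the right thing and the ASA's `ssh` ACL is what needs widening.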
