AIP SSM Telnetting to FW?

rtjensen4
Level 4

Hello,

I have recently upgraded my AIP-SSM-20 modules to 6.0(5)E2 at the recommendation of Cisco. I have 2 ASA5520s in single-context mode in an Active/Standby configuration. 1 module in each FW.

I have the IPS in promiscuous mode at the moment because honestly, I have no clue how to configure or effectively implement this tool.

I've been fumbling around the GUI / CLI and I have added the "host" firewalls as blocking devices (10.1.1.3 and 10.1.1.5), and set them to communicate via SSH 3DES. I created a profile called ASA that includes the login information. Since I updated the IPS firmware, I see a log message in ASDM saying:

TCP access denied by ACL from 10.1.1.65/46906 to inside:10.1.1.3/23.

I get this message for 10.1.1.65 and 10.1.1.68, the two IPS modules. I have verified that the correct credentials are configured in the IPS, as well as the correct connection type. I have removed the "Blocking Devices" config and then reapplied it; still no change. Why is the IPS trying to telnet to the firewall when it's explicitly configured to use SSH? Any ideas would be great. Thanks!

7 Replies

rhermes
Level 7

Have you set the firewall's IP address as a known host on your IPS?

conf t

ssh host-key 10.1.1.3

ssh host-key 10.1.1.5

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliTasks.html#wp1067312

Yes, I've done that. I removed both hosts, and then re-added them. I thought maybe it had something to do with a bad key, so I removed the host keys for both firewalls, then had the IPS go grab them again. Thanks for the feedback.

You need to add the following line on the Firewall:

ssh 10.1.1.65 255.255.255.255 inside

Regards

Farrukh

Hi Farrukh,

I already allow the 10.1.1.0/24 network via SSH to the inside interface of the FW. It's very strange because the IPS is not using SSH as it should; it's trying to connect on port 23, which is telnet, not port 22 as it should. Thanks for the suggestion. Any other ideas?

Can you post a screenshot of the IDM page where you added the firewall as a blocking device? Have you ensured that you selected SSH as the transport protocol there?

Regards

Farrukh

IDM-1.jpg is the "Blocking Devices" section and

IDM-2.jpg is the SSH key section. Thanks in advance.

Do the following:

> Regenerate the keys on the ASA, set it to modulus 1024 this time.

> Delete the key/blocking device in the sensor.

> Re-Add

> Check the sensor event log and ASA syslog for any errors. Make sure you check the box to see blocking/attack response events.

Regards

Farrukh
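The last step above, checking the ASA syslog, is where the two likely root causes in this thread separate: a deny on port 23 means the sensor is actually using Telnet (wrong blocking-device transport), while a deny on port 22 means the sensor is using SSH but the ASA's `ssh <ip> <mask> <interface>` statement does not cover it. The following is an added example, not code from the thread or from Cisco: it parses "access denied by ACL" lines of the form quoted in the original post and classifies sensor-to-firewall denies by destination port. The sensor and firewall addresses are the ones given in the thread; the sample syslog lines are constructed for the example and are not real output from the poster's ASAs.

```python
"""Classify ASA 'access denied by ACL' syslog lines for IPS blocking-device traffic.

Added example. Sensor/firewall IPs are taken from the thread; the log lines below
are constructed to resemble the message quoted in the original post.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample lines (not real logs from the poster's firewalls).
SAMPLE_SYSLOG = """\
TCP access denied by ACL from 10.1.1.65/46906 to inside:10.1.1.3/23.
TCP access denied by ACL from 10.1.1.68/51022 to inside:10.1.1.5/23.
TCP access denied by ACL from 10.1.1.68/51030 to inside:10.1.1.5/22.
TCP access denied by ACL from 10.1.1.200/40112 to inside:10.1.1.3/22.
UDP access denied by ACL from 10.1.1.65/54321 to inside:10.1.1.3/161.
"""

# Assumed inventory: the two AIP-SSM management addresses and the two ASAs
# configured as blocking devices, with SSH (port 22) as the expected transport.
SENSORS = {"10.1.1.65", "10.1.1.68"}
FIREWALLS = {"10.1.1.3", "10.1.1.5"}
EXPECTED_PORT = 22
TRANSPORT_PORTS = {22: "SSH", 23: "Telnet"}

# Matches the message shape quoted in the thread:
#   TCP access denied by ACL from <src>/<sport> to <iface>:<dst>/<dport>.
DENY_RE = re.compile(
    r"(?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+) to "
    r"(?P<iface>[\w-]+):(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Finding:
    sensor: str
    firewall: str
    iface: str
    port: int
    verdict: str  # "wrong_transport", "acl_missing" or "other_port"


def parse_denies(text: str) -> Iterator[Tuple[str, str, str, str, int]]:
    """Yield (proto, src, dst, iface, dport) for each ACL-deny line in text."""
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield m["proto"], m["src"], m["dst"], m["iface"], int(m["dport"])


def classify(text: str, sensors=SENSORS, firewalls=FIREWALLS,
             expected_port: int = EXPECTED_PORT) -> List[Finding]:
    """Keep only TCP denies from a sensor to a blocking-device firewall and
    say which of the thread's two root causes the destination port points at."""
    findings: List[Finding] = []
    for proto, src, dst, iface, dport in parse_denies(text):
        if proto != "TCP" or src not in sensors or dst not in firewalls:
            continue  # not a sensor-to-firewall management attempt
        if dport == expected_port:
            # Sensor is using the configured transport; the ASA itself is not
            # permitting it (e.g. missing 'ssh <sensor> 255.255.255.255 <iface>').
            verdict = "acl_missing"
        elif dport in TRANSPORT_PORTS:
            # Sensor is using a different management transport than configured.
            verdict = "wrong_transport"
        else:
            verdict = "other_port"
        findings.append(Finding(src, dst, iface, dport, verdict))
    return findings


def advice(f: Finding) -> str:
    """Human-readable next step for one finding."""
    if f.verdict == "acl_missing":
        return (f"sensor {f.sensor} reached {f.firewall} on {TRANSPORT_PORTS[f.port]} "
                f"but was denied: add 'ssh {f.sensor} 255.255.255.255 {f.iface}' on the ASA")
    if f.verdict == "wrong_transport":
        return (f"sensor {f.sensor} connected to {f.firewall} with "
                f"{TRANSPORT_PORTS[f.port]}: re-check the blocking device transport "
                f"on the sensor and re-add the device")
    return f"sensor {f.sensor} hit {f.firewall} on unexpected port {f.port}"


if __name__ == "__main__":
    for finding in classify(SAMPLE_SYSLOG):
        print(advice(finding))
```

Run it against an ASA syslog export (or the lines shown in ASDM) with the real sensor and firewall addresses substituted into `SENSORS` and `FIREWALLS`; denies from hosts outside those sets, and non-TCP denies, are ignored so that ordinary management noise does not show up as a blocking-device problem.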
