cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3724
Views
5
Helpful
4
Replies

Cisco ASA -5540 - IPS options

subra4u
Level 1
Level 1

Hi,

We have two of Cisco ASA 5540 with VPN licenses and would like to add the IPS to it i.e. ASA-SSM-AIP-20-K9 Hardware Module. I would like to know, if there is any License involved to get the IPS signatures installed and keep the IPS up to date. My question is Getting a Smartnet contract will do all the Magic.

Please post your valuable inputs.

Thanks in advance,

4 Replies 4

rhermes
Level 7
Level 7

Yes, you'll need a seperate IPS license for your AIP-SSM20 module in order to be able to apply the signature updates.

Hi,

Thanks for the quick response. Could you please give me the part code. Is it the same as that of CON-SNT-SMS-1 (which is nothing but the smartnet for the module) or is there a seperate license to be installed.

Thanks in advance,

The contract number CON-SNT-SMS-1 is a smartnet contract for the SMS Tool, and not the ASA-SSM-AIP-20.

I am not even sure what the SMS Tool even is.

For the ASA-SSM-AIP-20 you will need to purchase a Cisco Service for IPS contract. The Cisco Service for IPS contract is a bundle of both SmartNET and Signature support together.

NOTE: Though there are some special Cisco Service for IPS contracts that are just for signature updates, but these are not available for general purpose.

They can only be purchased if the equivalent SmartNET support is already purchased through a Cisco reseller.

So then the question is which Cisco Service for IPS contract to purchase.

Most contracts will use the following name format:

CON-SUYY-XXXX

The SUYY will change depending on the level of service.

For example:

SU1 is Next Business Day (and typically the cheapest contract)

SUO4 is Onsite 24X7X2 (onsite support almost any day of the year, and typically the most expensive contract)

The XXXX will change depending on the original part number in which the product was purchased.

If you purchased the ASA-SSM-AIP-20 as a spare (you already had the ASA to put it in), then you will purchase a contract JUST for the SSM itself. The assumption is you would already have a completely separate contract for the ASA you already owned.

The XXXX would be ASIP20K9

So the cheapest contract to buy would be:

CON-SU1-ASIP20K9

If, however, you purchased the ASA-SSM-AIP-20 as part of an ASA bundle then it depends on which bundle you originally purchased. The single Cisco Service for IPS contract would wind up covering the equivalent of Smartnet for both the ASA and the SSM as well as Signatures for the SSM.

There are mutltiple different bundles that could have been purchased, and each bundle will have a different XXXX in the Cisco Service for IPS part number.

For example:

The ASA5510-AIP20SP-K9 uses AS1A2PK9

Resulting in CON-SU1-AS1A2PK9 as the contract part number.

The ASA5520-AIP20-K8 uses AS2A20K8.

Resulting in CON-SU1-AS2A20K8

If you know the exact part number you used for originally purchasing the ASA-SSM-AIP-20, then you shoudl be able to figure out the corresponsing Cisco Service for IPS contract you need to purchase.

If you don't know the part number you used in purchasing the module, then try contacting your Cisco sales rep, or partner representative from who you purchased the product.

Once you've purchased the Cisco Service for IPS contract, and you have gotten your SSM's serial number attached to the product (as well as the ASA's serial number if you bought it as a bundle), then you should be able to request a Signature Update license for your sensor.

In the mean time a Trial license is available for your sensor.

Go to this website:

https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?DemoKeys=Y

If you are running IPS version 6.1 or higher then find the "All IPS Hardware Platforms" link under the "Cisco Services for IPS trial license (Version 6.1 and later)" section (pay close attention to ensure you are in the "trial license" section.

Fill out the Product Id and Serial Number for your SSM-20.

Be carefull to enter the Product ID and Serial Number as you see it in "show version". The Product ID will likely NOT match the Part Number you used to buy the product. The Product ID is for the hardware itself and stays the same regardless of how you bought it. It must be exact in order for the license to work.

If you are running IPS version 6.0 or 5.1, then find the "Cisco ASA 5500 series AIP-SSM" under the "Cisco Services for IPS trial license (Version 6.0.x and earlier)" section.

Enter the serial number exactly as it is seen in the "show version" output of the sensor.

The Trial license will give you 60 days of Signature Updates while you try to work through the purchasing of your Cisco Service for IPS contract.

Hi,

I am in the progress of renewing/purchasing IPS subsciption for my customer, since it has expired few days ago.
However i am puzzled with the options given on the Configuration tool.

Option 1
CON-SU1-ASAINC10  IPS SVC, AR NBD AIP SSM-10 included in ASA systems      USD 0
CON-SU1-AS1A10K9  IPS SVC, AR NBD ASA5510 w/ AIP-SSM-10, 3 FE, 3DES/AES

Option 2
SP-SFA1-ASAINC10 IPS-SP SVC, AR NBD AIP SSM-10 included in ASA systems      USD 0     
IPS-SP SVC, AR NBD ASA5510 w/ AIP-SSM-10, 3 FE, 3DES/AES

May i know what option 2 is? IPS-SP. The difference between the both.

Pleae advise

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: