Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
792
Views
4
Helpful
4
Replies

AIP SSM-10 - How to Verify Traffic is being passed for inspection?

Go to solution
egua5261
Level 1
Level 1

‎06-11-2009 04:40 PM - edited ‎03-10-2019 04:39 AM

Hi There,

I have set up an AIP-SSM on our ASA5510 for the first time, following this excellent guide, http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml.

The difference between the environment used in the doco and ours are the specs of our ASA and module, which are the following, IOS version 8.0(4), ASDM version is 6.1(3), the SSM application version is 6.0(5)E2.

I have followed all the steps to enable connectivity to the module from ASDM, created the access list to allow all ip traffic to be passed to the module for inspection the class map and policy map indicating the mode promiscous, fail-open. The service policy is applied globally.

The problem i face is that when i try to verify as stated on the guide with the command show events alert on the module CLI i do not get any output, so i'm not sure if traffic is being passed to the module. Can someone plese help me clarifying this?

Regards,

Esteban

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
marcabal
Cisco Employee
Cisco Employee

‎06-11-2009 08:45 PM

Execute "show conf" on your AIP SSM CLI. Verify that the GigabitEthernet0/1 backplane interface of the SSM has been assigned to virtual sensor vs0.

If it has not, then run "setup" and near the end of the setup wizard there will be an option to edit the interface and virtual sensor configuration. Use this option to modify the configuration for virtual sensor vs0 and in the interface.

You can also run "show stat virtual-sensor vs0" to see the counts of packets being analyzed by vs0.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
marcabal
Cisco Employee
Cisco Employee

‎06-11-2009 08:45 PM

Execute "show conf" on your AIP SSM CLI. Verify that the GigabitEthernet0/1 backplane interface of the SSM has been assigned to virtual sensor vs0.

If it has not, then run "setup" and near the end of the setup wizard there will be an option to edit the interface and virtual sensor configuration. Use this option to modify the configuration for virtual sensor vs0 and in the interface.

You can also run "show stat virtual-sensor vs0" to see the counts of packets being analyzed by vs0.

0 Helpful

Go to solution
abinjola
Cisco Employee
Cisco Employee

‎06-11-2009 11:04 PM

In addition to what marco suggested also use the following command to see packet sent and received to the MODULE

show service-policy

Go to solution
egua5261
Level 1
Level 1
In response to abinjola

‎06-14-2009 07:06 PM

Guys,

Thanks a million to both of you. Great help.

Now that i can see the traffic going to the module, i'm wondering the best to test the module. Is there any tool that will allow me to test this IPS module?

Regards,

Esteban

0 Helpful

Go to solution
abinjola
Cisco Employee
Cisco Employee
In response to egua5261

‎06-14-2009 08:58 PM

well you may either run a test using traffic gen. simulators like Nmap or nesus

Alternatively you may either enable icmp signature 2051/2 and ping through the module, you will see alert generating for this thus confirming IPS functionality

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card