I am installing 2 ASA ASA5510-AIP10SP-K9 in failover active/standby mode. I know how to assign virtual sensors to ASA contexts in multiple mode (active/active failover). But I want it to be done in single mode (active/standby failover). Any idea will be welcomed.
OK, now I understand what you are needing.
Most users only need the single default virtual sensor "vs0".
To get traffic from the ASA to be sent to the SSM for monitoring here are the most basic steps:
(Assumption is that you have already logged in previously and changed the password and gone through the "setup" steps to set the IP address, netmask, and other parameters on your sensor.)
1) Session into the AIP-SSM (or telnet or ssh) as the default user "cisco".
2) Add the AIP-SSM's backplane interface GigabitEthernet0/1 into the default virtual sensor "vs0" using these commands:
Answer Yes when prompted
NOTE: The above could also be done through the advanced setup command, or could be done through ASDM or IDM. To keep it simple I am just giving you the CLI commands.
3) Connect to the ASA CLI. If you are "sessioned" to the SSM, then an exit from your session will get you back to the ASA CLI. Otherwise connect through the ASA console or through an ssh or telnet to the ASA.
4) Configure the ASA to send traffic to the AIP-SSM.
To do this you would create an ACL to designate the traffic you want monitored. This ACL then gets used to create a class map. The class map is then added into a policy map. The policy map is then applied.
Here is a basic example of how you can get all traffic to be monitored promiscuously by the AIP-SSM:
access-list IPS permit ip any any
match access-list IPS
ips promiscuous fail-open
service-policy global_policy global
NOTE: The above will send all IP packets to the SSM for promiscuous monitoring. To change it to inline monitoring simply substitute "inline" instead of promiscuous in the ips configuration line.
NOTE2: The service-policy command is a repetition of the command that should already be in your default ASA configuration. So it will likely generate an error/warning letting you know that the policy is already applied.
If you are not using the default configuration on the ASA, and instead have created your own policy, then you can use the steps above, but add the class to your own policy instead of the default "global_policy".
4) Repeat steps 1 and 2 on the SSM of your standby ASA.
The AIP-SSM configuration does NOT automatically get copied between the AIP-SSMs. So you need to do the configuration manually on both AIP-SSMs.
5) Log in to your standby ASA and verify that the configuration from step 3 is automatically copied to your standby ASA.
The above steps are in effect the step 4/5 in your original list.
Your AIP-SSM should now be monitoring traffic.
You can now proceed with step 6 from your original list.
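The check in the last step of the answer above, as an added example that is not part of the original post: a Python sketch that follows the ACL, class map, policy map and service-policy chain in an ASA running-config and compares the result between the active and standby units. The sample configurations are constructed, and the class-map name "ips-class" is a hypothetical placeholder.

```python
import re

# Constructed sample running-config excerpt (not from the original post).
# The class-map name "ips-class" is a hypothetical placeholder.
ACTIVE_CFG = """\
access-list IPS extended permit ip any any
class-map ips-class
 match access-list IPS
policy-map global_policy
 class inspection_default
  inspect dns
 class ips-class
  ips promiscuous fail-open
service-policy global_policy global
"""
# Constructed standby excerpt in which the IPS class is missing.
STANDBY_CFG = ACTIVE_CFG.replace(" class ips-class\n  ips promiscuous fail-open\n", "")

def ips_redirects(cfg):
    """Return {(policy, class, acl, mode, fail)} for each IPS class reachable
    through an applied service-policy and a class-map matching a defined ACL."""
    acls, class_acl, found, applied = set(), {}, [], set()
    cmap = pmap = cls = None
    for raw in cfg.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():  # a top-level command ends the current sub-mode
            cmap = pmap = cls = None
        if words[0] == "access-list" and len(words) > 1:
            acls.add(words[1])
        elif words[0] == "class-map":
            cmap = words[-1]
        elif cmap and words[:2] == ["match", "access-list"] and len(words) > 2:
            class_acl[cmap] = words[2]
        elif words[0] == "policy-map":
            pmap = words[-1]
        elif pmap and words[0] == "class" and len(words) > 1:
            cls = words[1]
        elif cls and re.match(r"ips (inline|promiscuous) (fail-open|fail-close)\b", " ".join(words)):
            found.append((pmap, cls, words[1], words[2]))
        elif words[0] == "service-policy" and len(words) > 1:
            applied.add(words[1])
    return {(p, c, class_acl[c], mode, fail) for p, c, mode, fail in found
            if p in applied and class_acl.get(c) in acls}

def failover_mismatch(active_cfg, standby_cfg):
    """IPS redirects present on only one unit; an empty set means they match."""
    return ips_redirects(active_cfg) ^ ips_redirects(standby_cfg)
```

This covers only the ASA configuration; the virtual sensor settings on each AIP-SSM still have to be checked on both modules separately, since they are not copied between them.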