Assign virtual sensor to the ASA5510-AIP10SP-K9 SINGLE MODE

Answered Question
Jul 30th, 2009

Hello,

I am installing 2 ASA ASA5510-AIP10SP-K9 in failover active/standby mode. I know how to assign virtual sensors to ASA contexts in multiple mode (active/active failover). But I want it to be done in single mode (active/standby failover). Any idea will be welcomed.

rhermes Thu, 07/30/2009 - 06:23

I'm not following your design. If you have two AIP-SSM modules, one for each 5510, why would you need to make them virtual sensors?

If you allow each AIP-SSM module to watch the traffic passing through its host ASA (in single sensor mode) it should work fine. The standby ASA's AIP-SSM module will not get any traffic until there is a failover.

marcabal Thu, 07/30/2009 - 06:57

I assume you want to send some traffic to one virtual sensor, and other traffic to a second virtual sensor?

And the selection of traffic will be the same on both of the ASAs?

In failover you have to have almost the same configuration on both ASAs so the traffic selection to send to each virtual sensor has to be the same on both ASAs, and both SSMs must be configured with the same virtual sensors.

To do this you would create 2 access-lists. Then 2 class maps (each map using one of the access-lists).

Within the policy you would add both of the class maps.

Each class map would have its own "ips" config line.

The key for sending to different virtual sensors is that at the end of the "ips" config line you can add a "sensor" keyword and follow it with the actual name of a virtual sensor.

The "ips" config command for each class would send to a different virtual sensor.

For an example refer to:

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/ips.html#wp1105739

And look at the second example.

kolawole1 Thu, 07/30/2009 - 07:16

No, that is not what I want to do. I just need to configure the 2 ASAs with AIP-SSM in failover active/standby so that when the primary fails the secondary will take over. I have learnt that in order to configure AIP-SSM one must go through these steps:

1. Log in to AIP-SSM.

2. Initialize AIP-SSM.

Run the setup command to initialize AIP-SSM.

3. Verify the AIP-SSM initialization.

4. If you have Cisco Adaptive Security Appliance Software 7.2.3 or later, configure multiple virtual sensors.

5. If you have Cisco Adaptive Security Appliance Software 7.2 or earlier, configure adaptive security appliance to send IPS traffic to AIP-SSM.

6. Perform other initial tasks, such as adding users, trusted hosts, and so forth.

7. Configure intrusion prevention.

8. Perform miscellaneous tasks to keep your AIP-SSM running smoothly.

9. Upgrade the IPS software with new signature updates and service packs.

10. Reimage AIP-SSM when needed.

Step 4 calls for creating multiple virtual sensors; my concern is how do I assign a virtual sensor to the ASA in active/standby mode in order to achieve basic failover.

Thanks.

Correct Answer
marcabal Thu, 07/30/2009 - 08:08

OK, now I understand what you are needing.

Most users only need the single default virtual sensor "vs0".

To get traffic from the ASA to be sent to the SSM for monitoring here are the most basic steps:

(Assumption is that you have already logged in previously and changed the password and gone through the "setup" steps to set the IP address, netmask, and other parameters on your sensor.)

1) Session into the AIP-SSM (or telnet or ssh) as the default user "cisco".

2) Add the AIP-SSM's backplane interface GigabitEthernet0/1 into the default virtual sensor "vs0" using these commands:

configure terminal
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit
Answer Yes when prompted
exit

NOTE: The above could also be done through the advanced setup command, or could be done through ASDM or IDM. To keep it simple I am just giving you the CLI commands.

3) Connect to the ASA CLI. If you are "sessioned" to the SSM, then an exit from your session will get you back to the ASA CLI. Otherwise connect through the ASA console or through an ssh or telnet to the ASA.

4) Configure the ASA to send traffic to the AIP-SSM.

To do this you would create an ACL to designate the traffic you want monitored. This ACL then gets used to create a class map. The class map is then added into a policy map. The policy map is then applied.

Here is a basic example of how you can get all traffic to be monitored promiscuously by the AIP-SSM:

conf t
access-list IPS permit ip any any
class-map my-ips-class
match access-list IPS
policy-map global_policy
class my-ips-class
ips promiscuous fail-open
service-policy global_policy global

NOTE: The above will send all IP packets to the SSM for promiscuous monitoring. To change it to inline monitoring simply substitute "inline" instead of promiscuous in the ips configuration line.

NOTE2: The service-policy command is a repetition of the command that should already be in your default ASA configuration. So it will likely generate an error/warning letting you know that the policy is already applied.

IF you are not using the default configuration on the ASA, and instead have created your own policy, then you can use the steps above, but add the class to your own policy instead of the default "global_policy".

4) Repeat steps 1 and 2 on the SSM of your standby ASA.

The AIP-SSM configuration does NOT automatically get copied between the AIP-SSMs. So you need to do the configuration manually on both AIP-SSMs.

5) Log in to your standby ASA and verify that the configuration from step 3 is automatically copied to your standby ASA.

The above steps are in effect the step 4/5 in your original list.

Your AIP-SSM should now be monitoring traffic.

You can now proceed with step 6 from your original list.
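Added example (not from the thread or from Cisco): it builds the ASA class-map/policy-map lines from marcabal's two posts, including the optional "sensor" keyword for steering classes to different virtual sensors, and then checks the point made in step 4 that the SSM configuration is not replicated by failover, by comparing the virtual sensors the policy references against the sensors present on each unit's SSM. The class names, ACL names, the sensor lists and the assumption that a line without "sensor" goes to the default vs0 are all constructed here.

```python
"""Generate ASA IPS service-policy lines and verify that both failover peers'
AIP-SSMs define every virtual sensor the policy sends traffic to."""
import re

MODES = {"inline", "promiscuous"}
FAILURE = {"fail-open", "fail-close"}


def ips_policy(classes, policy="global_policy"):
    """classes: list of (class_name, acl_name, mode, failure, sensor_or_None).
    Returns the ASA config lines; ACL definitions are left to the operator."""
    lines = []
    for cls, acl, mode, failure, sensor in classes:
        if mode not in MODES or failure not in FAILURE:
            raise ValueError(f"bad ips options for {cls}: {mode} {failure}")
        lines += [f"class-map {cls}", f" match access-list {acl}"]
    lines.append(f"policy-map {policy}")
    for cls, acl, mode, failure, sensor in classes:
        ips = f"  ips {mode} {failure}"
        if sensor:
            ips += f" sensor {sensor}"          # steer this class to a named virtual sensor
        lines += [f" class {cls}", ips]
    lines.append(f"service-policy {policy} global")
    return lines


IPS_RE = re.compile(r"^\s*ips\s+(inline|promiscuous)\s+(fail-open|fail-close)"
                    r"(?:\s+sensor\s+(\S+))?\s*$")


def referenced_sensors(config_lines):
    """Virtual sensors an ASA policy hands traffic to. Assumption: an ips line
    with no 'sensor' keyword uses the default virtual sensor vs0."""
    found = set()
    for line in config_lines:
        m = IPS_RE.match(line)
        if m:
            found.add(m.group(3) or "vs0")
    return found


def failover_sensor_check(config_lines, active_ssm_sensors, standby_ssm_sensors):
    """Sensors the policy needs but each SSM lacks; both lists must be empty,
    otherwise IPS coverage silently changes after a failover."""
    needed = referenced_sensors(config_lines)
    return {"active": sorted(needed - set(active_ssm_sensors)),
            "standby": sorted(needed - set(standby_ssm_sensors))}


if __name__ == "__main__":
    cfg = ips_policy([("dmz-class", "DMZ", "inline", "fail-close", "vs0"),
                      ("inside-class", "INSIDE", "promiscuous", "fail-open", "vs1")])
    print("\n".join(cfg))
    # Constructed: vs1 was added on the active unit's SSM but step 2 was never repeated on the standby.
    print(failover_sensor_check(cfg, ["vs0", "vs1"], ["vs0"]))
```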
