ASA SSM-20 is not working as expected

Unanswered Question
Nov 6th, 2009

Dear Forum,

We have an ASA 5510 with an IPS Module SSM20. When I penetrate the ASA with NMAP from the outside interface I can detect the OS of the servers in the DMZ.

When I allow the IP address of my testing machine on the outside interface the IPS is logging some TCP SYN PORT SWEEPS but not the NMAP Fingerprint event.

Thanks for your advice


bnidacoc Tue, 11/10/2009 - 10:53

It is my understanding that the IPS modules analyze packets permitted to traverse through the host ASA. If your ASA ACL only allows TCP 80 and 443, then it might not look like a sweep to the IPS module's rule. The SSM IPS does not see that which is stopped by the ASA.

Now, if you built a server, placed it in a new/separate (no access from outside) DMZ and permitted an inside host ip any any and then ran a sweep, see if it fires then.
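To illustrate bnidacoc's point, here is an added simulation that is not ASA/SSM code and not from the original thread: a port sweep passes through a firewall ACL first, and only the permitted probes reach a simplified sweep detector. The ACL entries, the 15-port sweep threshold, the tester address 203.0.113.5 and the 500-port scan are assumed values.

```python
"""Constructed model of why an IPS module behind a firewall ACL may
not report a port sweep: the ACL drops most probes before the IPS
ever inspects them. Teaching simulation only, not ASA/SSM code."""
from collections import defaultdict

# ACL entry: (source, destination port or None for any, action).
# Unmatched packets hit the implicit deny at the end of the list.
NARROW_ACL = [("any", 80, "permit"), ("any", 443, "permit")]
# Same ACL with the tester host permitted to anything (assumed value).
TESTER_ACL = [("203.0.113.5", None, "permit")] + NARROW_ACL


def acl_permits(acl, pkt):
    """First matching entry wins; no match means implicit deny."""
    for src, port, action in acl:
        if src in ("any", pkt["src"]) and port in (None, pkt["dport"]):
            return action == "permit"
    return False


def ips_inspect(packets, sweep_threshold=15):
    """Simplified sweep rule: flag a source once its SYNs have touched
    at least `sweep_threshold` distinct destination ports."""
    ports_seen = defaultdict(set)
    for pkt in packets:
        if pkt["flags"] == "S":
            ports_seen[pkt["src"]].add(pkt["dport"])
    return sorted(src for src, ports in ports_seen.items()
                  if len(ports) >= sweep_threshold)


def run_sweep(acl, src="203.0.113.5", ports=range(1, 501)):
    """Send a constructed SYN sweep through the ACL, then hand only the
    permitted packets to the IPS. Returns (packets seen by IPS, alerts)."""
    probes = [{"src": src, "dport": p, "flags": "S"} for p in ports]
    reached_ips = [p for p in probes if acl_permits(acl, p)]
    return len(reached_ips), ips_inspect(reached_ips)


if __name__ == "__main__":
    # Narrow ACL: IPS sees only ports 80 and 443, so no sweep alert.
    print("narrow ACL :", run_sweep(NARROW_ACL))
    # Tester permitted: every probe reaches the IPS and the sweep fires.
    print("tester ACL :", run_sweep(TESTER_ACL))
```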

