Using ASA5510 AIP-SSM in IDS mode

Unanswered Question
Apr 29th, 2010
User Badges:


I' ve a Cisco ASA5510 with  AIP-SSM and I wold like to use it like a one-armed IDS for connect them to a span port of a switch in my network,

without the traffic passing through the Firewall.

I've try to configure it and connect the interface inside (fast0/1) to the span port, I create the policy for permit  all the traffic to the  Sensor but it doesn't work, no packet recived on sensor.

somebody can help me?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Federico Coto F... Thu, 04/29/2010 - 07:57
User Badges:
  • Green, 3000 points or more


When you have the AIP-SSM card on the ASA, you can configure it to operate in promiscuous (IDS) or in-line (IPS) mode.

To be able to use any more, traffic should flow through the ASA.

The difference is that when operating in IDS mode, only a copy of the packet is sent to the card.

When operating in IPS mode, the traffic is sent through the card, allowing the IPS module to be in the path of the traffic.

Please check the information:


rhermes Thu, 04/29/2010 - 09:16
User Badges:
  • Gold, 750 points or more

Unfortunately you can't use the AIP-SSM in an ASA with a spanning switch like you could with the 4200 series appliances.

The reason is that the ASA was built to be a firewall, and no matter how much of that functionality you turn off, it still needs to see TCP and UDP conversations flowing thru the ASA in order to pass that traffic to the AIP-SSM sensor (I tired very hard to see if I could get around this limitation, but you can't).

The best you can hope to do is put the ASA in-line (I know this reduces reliability) and turn off as much of the firewall configs you can. Then you can promisciously monitor the traffic passing thru teh ASA with teh AIP-SSM.

It's not ideal, but it's the cheapest IPS sensor in Cisco's line up right now.

- Bob


This Discussion