Using many sensors on AIP-SSM 20

nguyenthinh
Level 1

I have an ASA 5540 with an AIP-SSM-20. I use Gi0/0 for DMZ1 and Gi0/1 for DMZ2, and I created two virtual sensors: vs0 and vs1. Could I use a policy-map to force vs0 to protect the servers in DMZ1 and vs1 to protect the servers in DMZ2?

Thanks a lot, everyone!

3 Replies

Hello,

Yes, you can do that. Just create two ACLs to match the traffic that you want to monitor.

Here is the link to configure the AIP-SSM

http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliSSM.html#wp1033926

Check this out

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml#c4

ciscoasa#configure terminal
ciscoasa(config)#access-list traffic_for_ips deny ip 10.2.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa(config)#access-list traffic_for_ips permit ip any 192.168.1.0 255.255.255.0
ciscoasa(config)#access-list traffic_for_ips deny ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
ciscoasa(config)#access-list traffic_for_ips permit ip 192.168.1.0 255.255.255.0 any
ciscoasa(config)#class-map ips_class_map
ciscoasa(config-cmap)#match access-list traffic_for_ips
ciscoasa(config)#policy-map interface_policy
ciscoasa(config-pmap)#class ips_class_map
ciscoasa(config-pmap-c)#ips inline fail-open
ciscoasa(config)#service-policy interface_policy interface dmz

Apply the service policy on DMZ1 and on DMZ2.
Of course the ACLs are going to be different.
I think that in the command
ciscoasa(config-pmap-c)#ips inline fail-open
you can specify vs0 or vs1;
check this with the question mark (?) key.
Hope it helps.

Thanks for your kind reply!

I still have one unclear thing. I created two virtual sensors, but the ASA and the AIP-SSM have just one backplane interface, Gi0/1; how can I map one interface to two virtual sensors?

Please reference the following link for more specifics on assigning multiple virtual sensors within the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html

The traffic across the backplane is tagged so that it is accepted by the correct VS once it reaches the AIP-SSM for inspection.

Scott
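As an added example (not from this thread or from Cisco's documentation), this is how the two DMZs can be steered to different virtual sensors with the sensor keyword of the ips command, which is what the first reply suggests checking; the interface names, subnets, ACL and policy names are assumed for illustration.

```text
! Added example: one ASA with two DMZ interfaces, each class of
! traffic handed to its own virtual sensor on the AIP-SSM.
! Interface names, subnets, ACL and policy names are assumed.
interface GigabitEthernet0/0
 nameif dmz1
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz2
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
! Traffic to and from the DMZ1 servers is inspected by vs0
access-list dmz1_for_ips extended permit ip any 192.168.1.0 255.255.255.0
access-list dmz1_for_ips extended permit ip 192.168.1.0 255.255.255.0 any
!
! Traffic to and from the DMZ2 servers is inspected by vs1
access-list dmz2_for_ips extended permit ip any 192.168.2.0 255.255.255.0
access-list dmz2_for_ips extended permit ip 192.168.2.0 255.255.255.0 any
!
class-map dmz1_ips_class
 match access-list dmz1_for_ips
class-map dmz2_ips_class
 match access-list dmz2_for_ips
!
! "sensor <name>" selects the virtual sensor; without it the module's
! default sensor is used, so both DMZs would land on the same sensor.
! fail-open passes traffic uninspected if the module is down;
! fail-close drops it instead, if that is the preferred failure mode.
policy-map dmz1_policy
 class dmz1_ips_class
  ips inline fail-open sensor vs0
policy-map dmz2_policy
 class dmz2_ips_class
  ips inline fail-open sensor vs1
!
! An interface takes only one service policy, so each DMZ gets its own
service-policy dmz1_policy interface dmz1
service-policy dmz2_policy interface dmz2
!
! Verify which policy (and therefore which sensor) each interface uses
show service-policy interface dmz1
show service-policy interface dmz2
```

The ACLs are the only thing that decides which sensor sees a flow, so a host that matches both lists on the same interface would be handed to the sensor of the first matching class.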
