Need Help Setting up AIP SSM

Unanswered Question
Jun 29th, 2010

I am currently configuring an AIP SSM module on an ASA, and I would like to know which interface IP address should be used for the management interface.  Should it be the outside interface of the ASA or the inside interface of the ASA?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jennifer Halim Tue, 06/29/2010 - 17:54

Majority of the times, you would be managing the module from your internal network, hence most people configure the management interface with ip address from the inside network.

Hope that helps.

rafrancis Tue, 06/29/2010 - 18:07

I also will be setting up the AIP SSM on two ASA's running Active/Standby, so I would like to know if I have to doing any configurations on the Standby.  Or when I saved the configuration on the Active, will the AIP SSM configuration replicate to the Standby ASA?

Jennifer Halim Tue, 06/29/2010 - 18:09

No, you would need to manually configure both AIP module as the failover configuration synchronization is only for the ASA, not for the module.

You would need to configure unique/different ip address for each of the AIP module.

Hope that helps.

rafrancis Tue, 06/29/2010 - 18:22

Is it best to setup the AIP SSM using the IME or just from co

mmand line?  Also, where can I get info on

how to use the IME to provision the AIP SSM on the ASA?

Jennifer Halim Tue, 06/29/2010 - 18:25

you won't be able to use IME to provision the AIP. Session into the module from the ASA, then run the "setup" command, and it will run you through the basic network connectivity setup. Once you have the ip address configured, you can use IME to manage the module.

rafrancis Tue, 06/29/2010 - 18:31

Is it possible to add the license and upgrade AIP SSM from the IME?  Or do those have to be done from the CLI?

rafrancis Tue, 06/29/2010 - 19:03

I really appreciate your answers.  But one last question,

please point me to where I can get the syntax to setup Auto Update.

rafrancis Wed, 06/30/2010 - 13:28

Please let me know how to configure the AIP SSM to monitor

Remote VPN Traffic.

Jennifer Halim Wed, 06/30/2010 - 19:12

When you configured the ASA to send the traffic towards the AIP module to be inspected, you can configure specific ACL for traffic that you would like to inspect, or otherwise, you can just configure "permit ip any any" ACL to inspect everything going through the ASA.


This Discussion