New to IDS - questions

Feb 1st, 2012

I have an ASA 5510 which is configured and working fine.  I'm now tasked with configuring an SSM (remotely).


In the ASDM, when I click IPS I'm asked for the management port IP.  Is this the same management port IP used to configure the rest of the firewall or one pertaining just to the SSM?  If I enter the IP of the firewall management port then I get a username/password prompt.  I've tried cisco/cisco, blank/blank, cisco/blank, blank/cisco etc.  No joy.  It hasn't been used before.


The documentation says to plug one end of the yellow ethernet cable into the SSM and one to "your network device".  What network device? 


The documentation indicates that in ASDM, under Interfaces I should have 4GE SSM.  I don't.  I only have three ethernet ports and a management port. Does this mean that I don't have what I'm told I have, or that I have to do something else first?


Can it be configured from the ASDM?


Muchly confused.

clausonna Wed, 02/01/2012 - 04:42

Hey Tony


Think of the SSM as having two interfaces: the first connects directly to the ASA and is its inline sensing/monitoring port.  The other interface is its management interface, and needs to connect to "your network device" - i.e. most likely the switch that your ASA is connected to.  That IPS management interface is a totally different IP address than what's on your ASA.  The IPS unit is effectively piggy-backing inside of the ASA for power and for the traffic that it needs to monitor.


That said, there is a back-door into the IPS from the ASA CLI, and that's how I would recommend boot-strapping the IPS unit.  SSH into your ASA, then do:


YOURASA# show module

Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5510 Adaptive Security Appliance         ASA5510
  1 ASA 5500 Series Security Services Module-10  ASA-SSM-10

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0                                              1.0          1.0(10)0     8.0(4)16
  1                                              1.0          1.0(10)0     7.0(6)E4

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               7.0(6)E4

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable
  1 Up                 Up


Now do a "session 1" in order to get into the IPS unit (host name, management IP address, default gateway etc).  Default should be cisco/cisco.  That IP address will need to be accessible via the switchport that you connect your yellow cable to.


After that, you'll need to configure a service-policy on the ASA (via ASDM) to 'send' traffic to that inline sensing/monitoring port.  You can do that in IDS (passive-only) mode to start (recommended) and, once you're comfortable, change it to IPS mode so you can start dropping traffic.


I suggest using IME (Cisco IPS Manager Express) for configuring the IPS unit.  It's free, supports up to 10 devices, and has better reporting and the same level of configuration.  If you're going to have more than 5 or 10 IPS units, consider CSM (Cisco Security Manager) so you can do "group policy" and have a shared signature set for all devices.


Check out the ASA documentation first.  Start here:

http://www.cisco.com/en/US/docs/security/asa/quick_start/ips/ips_qsg.html


(Please rate the comment if this has been helpful.)
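As an added example (not part of the reply above, and not Cisco's documentation), this is what the ASA-side service-policy the reply describes looks like from the ASA CLI rather than ASDM. It starts in the passive IDS mode the reply recommends and shows the one line that changes when moving to inline IPS. The ACL name, class-map name and module number 1 are assumptions taken from the show module output quoted above.

```text
! --- ASA 5510 CLI, entered after "session 1" / "setup" on the SSM is done ---
! Assumed names: ACL "ips-traffic", class-map "ips-class".
! Selecting "ip any any" sends every flow through the firewall to the SSM;
! narrow the ACL to the segments you want monitored once it works.
access-list ips-traffic extended permit ip any any

class-map ips-class
 match access-list ips-traffic

! "global_policy" is the policy-map the ASA applies globally by default;
! adding a class to it avoids creating a second policy on the interfaces.
policy-map global_policy
 class ips-class
  ! Passive/IDS mode: the SSM only sees a copy of the traffic and can
  ! alert but never drop.  fail-open keeps traffic flowing if the SSM
  ! is down or being upgraded (fail-close would block it instead).
  ips promiscuous fail-open
  ! Later, to start dropping traffic (IPS mode), replace the line above with:
  ! ips inline fail-open

! Already present by default; shown so the policy is visibly applied.
service-policy global_policy global

! Verification: confirm the class appears under the global policy and that
! packet counters increase as traffic is redirected to the module.
show service-policy
show module 1 details
```

Changing promiscuous to inline is the only configuration difference between the two modes, so the rest of the policy can be left untouched when the unit is later switched to IPS mode.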
