New to IDS - questions

IncomeTax
Level 1

I have an ASA 5510 which is configured and working fine.  I'm now tasked with configuring an SSM (remotely).

In the ASDM, when I click IPS I'm asked for the management port IP.  Is this the same management port IP used to configure the rest of the firewall or one pertaining just to the SSM?  If I enter the IP of the firewall management port then I get a username/password prompt.  I've tried cisco/cisco, blank/blank, cisco/blank, blank/cisco etc.  No joy.  It hasn't been used before.

The documentation says to plug one end of the yellow ethernet cable into the SSM and one to "your network device".  What network device? 

The documentation indicates that in ASDM, under Interfaces I should have 4GE SSM.  I don't.  I only have three ethernet ports and a management port. Does this mean that I don't have what I'm told I have, or that I have to do something else first?

Can it be configured from the ASDM?

Muchly confused.

1 Reply

clausonna
Level 3

Hey Tony

Think of the SSM as having two interfaces: the first connects directly to ASA and is its inline sensing/monitoring port.  The other interface is its management interface, and needs to connect to "your network device" - i.e. most likely the switch that your ASA is connected to.  That IPS management interface is a totally different IP address than what's on your ASA.  The IPS unit is effectively piggy-backing inside of the ASA for power and for the traffic that it needs to monitor.

That said, there is a back-door into the IPS from the ASA CLI, and that's how I would recommend boot-strapping the IPS unit.  SSH into your ASA, then do:

YOURASA# show module
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5510 Adaptive Security Appliance         ASA5510           
  1 ASA 5500 Series Security Services Module-10  ASA-SSM-10        

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version    
--- --------------------------------- ------------ ------------ ---------------
  0                                              1.0          1.0(10)0     8.0(4)16
  1                                              1.0          1.0(10)0     7.0(6)E4

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               7.0(6)E4

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable        
  1 Up                 Up                    

Now do a "session 1" in order to get into the IPS unit (host name, management IP address, default gateway etc).  Default should be cisco/cisco.  That IP address will need to be accessible via the switchport that you connect your yellow cable to.

After that, you'll need to configure a service-policy on the ASA (via ASDM) to 'send' traffic to that inline sensing/monitoring port.  You can do that in IDS (passive-only) mode to start (recommended) and, once you're comfortable, change that to IPS mode so you can start dropping traffic.

I suggest using IME (Cisco IPS Manager Express) for configuring the IPS unit.  It's free, supports up to 10 devices, and has better reporting and the same level of configuration.  If you're going to have more than 5 or 10 IPS units consider CSM (Cisco Security Manager) so you can do "group policy" and have a shared signature set for all devices.

Check out the ASA documentation first.  Start here:

http://www.cisco.com/en/US/docs/security/asa/quick_start/ips/ips_qsg.html

(Please rate the comment if this has been helpful.)
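The ASA-side service-policy that the reply describes, written out as an added example (it is not from the original thread or from Cisco's documentation). The 10.0.0.0/24 subnet, the access-list name and the class-map name are placeholders chosen for this example; the `ips promiscuous`/`ips inline` keywords and the default `global_policy` are standard ASA CLI.

```cisco
! Added example, not part of the original post. Subnet, ACL and
! class names below are placeholders; adjust them to your network.
!
! 1. Decide which traffic is handed to the SSM's sensing port. Here
!    only traffic to or from the inside subnet 10.0.0.0/24 is sent.
access-list IPS_TRAFFIC extended permit ip 10.0.0.0 255.255.255.0 any
access-list IPS_TRAFFIC extended permit ip any 10.0.0.0 255.255.255.0
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! 2a. Start in IDS (promiscuous) mode: the sensor sees a copy of the
!     traffic and cannot drop anything, so a bad signature tune-up
!     cannot cause an outage. fail-open keeps traffic flowing while
!     the SSM is down, rebooting or updating.
policy-map global_policy
 class IPS_CLASS
  ips promiscuous fail-open
!
! 2b. Once the signature set is tuned, move to IPS (inline) mode so the
!     sensor can drop traffic. A class accepts only one ips action, so
!     remove the promiscuous one first. fail-close blocks the matched
!     traffic if the SSM fails; pick fail-open if availability of the
!     inside subnet matters more than guaranteed inspection.
! policy-map global_policy
!  class IPS_CLASS
!   no ips promiscuous fail-open
!   ips inline fail-close
!
! 3. global_policy is normally already applied to all interfaces; this
!    line is only needed if that binding has been removed.
service-policy global_policy global
!
! 4. Verify: the module should report Up, and the policy hit counters
!    should increase as matching traffic is redirected to the sensor.
! show module 1 details
! show service-policy
```

Keep the promiscuous/fail-open stage long enough to review the sensor's events for false positives before enabling inline drops, since in inline mode every false positive becomes a blocked connection.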
