Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3931
Views
0
Helpful
12
Replies

AIP-SSM Int gig0/0

Go to solution
pmccubbin
Level 5
Level 5

‎10-23-2009 08:35 PM - edited ‎03-10-2019 04:48 AM

Looking for an explanation of the gig0/0 interface in the AIP-SSM-20. The ASA runs 8.2 and the IPS runs 6.2.

The documentation I'm reading doesn't mention it all. I want a management interface separate from the default connection between the ASA and the ips module.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Tanveer Deewan
Cisco Employee
Cisco Employee
In response to pmccubbin

‎10-27-2009 06:43 AM

M0/0 is the only interface you would configure IP address on. That would be used for the management traffic.

You do not configure any IP on G0/0 or G0/1 as the traffic that is to be inspected flows from the ASA to the module internally. You just define the policy-map on ASA to identify the traffic that flows to the module for inspection.

Check this link for details:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml

View solution in original post

0 Helpful
12 Replies 12

Go to solution
Tanveer Deewan
Cisco Employee
Cisco Employee

‎10-24-2009 04:52 PM

Please describe the issue in detail.

Here's a link that may help.

http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_initializing.html#wp1286695

0 Helpful

Go to solution
pmccubbin
Level 5
Level 5
In response to Tanveer Deewan

‎10-25-2009 11:15 AM

Thanks for the reply.

This is for an AIP-SSM-20.

The Management interface for the module has what designation, gig0/0?

This IP address is different from the backplane default being used by the module to communicate with the ASA, correct?

The management interface is accesses via a physical port on the module itself, correct?

This same physical interface on the module is the reporting ip address being used when adding the sensor to MARS, correct?

0 Helpful

Go to solution
Tanveer Deewan
Cisco Employee
Cisco Employee
In response to pmccubbin

‎10-26-2009 04:58 AM

GigabitEthernet0/1

Yes, the IP address is different. The physical port G0/1 is only used for management. The IP on the G0/1 of the module may be in the same subnet as the mangement interface of the ASA. Also you need to define a default gateway for the module. Whatever IP you configure for G0/1, would be used by MARS.

0 Helpful

Go to solution
pmccubbin
Level 5
Level 5
In response to Tanveer Deewan

‎10-27-2009 06:00 AM

Hi Tanveer,

Thanks for the detailed response.

I believe that I was confusing the different modules.

Here is one last question from the setup command and the advanced configuration:

Management0/0 and gigabit 0/1 are given different IP addresses, correct? We want to use a same management vlan used by all networking devices. Does the gig0/1 have a different ip and is it the interface which connects to the ASA over the backplane?

Modify interface/virtual sensor configuration?[no]: yes

Current interface configuration

Command control: Management0/0

Unassigned:

Monitored:

GigabitEthernet0/1

Thank you in advance!

0 Helpful

Go to solution
pmccubbin
Level 5
Level 5
In response to Tanveer Deewan

‎10-27-2009 06:01 AM

Hi Tanveer,

Thanks for the detailed response.

I believe that I was confusing the different modules.

Here is one last question from the setup command and the advanced configuration:

Management0/0 and gigabit 0/1 are given different IP addresses, correct? We want to use a same management vlan used by all networking devices. Does the gig0/1 have a different ip and is it the interface which connects to the ASA over the backplane?

Modify interface/virtual sensor configuration?[no]: yes

Current interface configuration

Command control: Management0/0

Unassigned:

Monitored:

GigabitEthernet0/1

Thank you in advance!

0 Helpful

Go to solution
Tanveer Deewan
Cisco Employee
Cisco Employee
In response to pmccubbin

‎10-27-2009 06:43 AM

M0/0 is the only interface you would configure IP address on. That would be used for the management traffic.

You do not configure any IP on G0/0 or G0/1 as the traffic that is to be inspected flows from the ASA to the module internally. You just define the policy-map on ASA to identify the traffic that flows to the module for inspection.

Check this link for details:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml

0 Helpful

Go to solution
yugandharm
Level 1
Level 1
In response to Tanveer Deewan

‎11-20-2009 10:48 PM

Hi Tanveer,

this is Yugandhar.

we are also having same confusion. if we assign management IP to Cisco ASA and IPS what will be the Gateway? becuase we are using different network in LAN. correct? we are having VLAN and DMZ environment. can you please explain clearly about physical connection? because we configured ASA and AIP-SSM-20 but we are not able to see any traffic. please help me on this.

please find attached sensor configuration also

Regards,

Yugandhar. M

35870-IPS Config19112009.txt.zip
0 Helpful

Go to solution
yugandharm
Level 1
Level 1
In response to yugandharm

‎11-20-2009 10:49 PM

Hi Tanveer,

we did not configure any management IP on Management interface.

Regards,

Yugandhar. M

0 Helpful

Go to solution
yugandharm
Level 1
Level 1
In response to yugandharm

‎11-20-2009 10:50 PM

Hi Tanveer,

we did not configure any management IP on Management interface on Cisco ASA 5510

Regards,

Yugandhar. M

0 Helpful

Go to solution
Tanveer Deewan
Cisco Employee
Cisco Employee
In response to yugandharm

‎11-26-2009 04:52 PM

The traffic that the ASA forwards to the AIP-SSM module for inspection is sent internally and does not use the management interface. The management interface is only to monitor/manage the module.

0 Helpful

Go to solution
yugandharm
Level 1
Level 1
In response to Tanveer Deewan

‎11-26-2009 10:29 PM

Thanq Tanveer.

i was connected Mangaement interface to my local LAN to access the Sensor and assigned sensor IP address as 192.168.1.87/24, and accessing AIP-SSM through ASDM using this IP only but i am able to send the traffic to AIP-SSM.

One more question tanveer. i am able to send the traffic to AIP-SSM because of service policy written in ASA. then i tried to block Yahoo HTTP-Proxy chat by using IPS signature. it is showing denied message in event viewer but it is not blocking. please help me on this. please find attached screenshot also

Regards,

Yugandhar. M

650 KB
0 Helpful

Go to solution
Tanveer Deewan
Cisco Employee
Cisco Employee
In response to yugandharm

‎11-27-2009 07:58 AM

Once you identify the signature and its ID number, you will need to Edit the signature and choose the drop action. The default action may be to produce alert only.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card