Community Member

AIP-SSM on a 5520 routing question

Using the management interface for ASDM, how should I set up the AIP? Currently my M0/0 is 192.168.100.1, the AIP is 192.168.20.2, the inside G0/2 is 192.168.20.1.

The interfaces are all connected to a switch, with my management PC on Vlan 10, the M0/0 on Vlan 10, the switch has interface Vlan 10 192.168.100.3, and int vlan 4 192.168.1.254, the AIP and G0/2 are on Vlan 4. IP Routing is enabled on the switch. I cannot access the IPS management through ASDM this way. I have tried it without IP Routing as well. What do I need to do in order to have full access to the IPS and ASA through the ASDM?

What is the preferred method to set this and the Trend Micro SSM-10? I have one of those also on the same setup, but with different addressing, the ASA for internet is 192.168.1.1, and the TM is 192.168.1.80, the M0/0 on that device is 192.168.100.2. I would prefer to access both devices off the management Vlan using ASDM or the web interface for the modules as needed.

3 REPLIES
Silver

Re: AIP-SSM on a 5520 routing question

To get this working, do the following..

Create static translations for both of your SSM modules from the inside to the management network for access to the SSMs

AIP

static (

TM

static (

Allow access from the management system to the SSMs

access-list mgmt_in extended permit tcp any host 192.168.100.10 eq 443

access-list mgmt_in extended permit tcp any host 192.168.100.10 eq 22

access-list mgmt_in extended permit tcp any host 192.168.100.11 eq 443

access-list mgmt_in extended permit tcp any host 192.168.100.11 eq 22

access-group mgmt_in in interface management

Allow management access to the ASA from the management network

http enable

http 192.168.100.0 255.255.255.0 management

ssh 192.168.100.0 255.255.255.0 management

Create SSH keys

crypto key zeroize rsa noconfirm

crypto key generate rsa usage-keys noconfirm

wr mem

** Please rate if this helps**

Community Member

Re: AIP-SSM on a 5520 routing question

I had reconfigured it after I found the documentation for ASDM 6.0. In there I found out that the interface is for management, and traffic flows through the backplane. I put the AIP and TM on the same subnet as the management interface and was able to pull it all up in ASDM. The only drawback is no internet access for either module, so I think I will need to set up some way of natting as you described; hopefully that will work.

Just to test this out, I did as you described, switched the AIP IP to the 192.168.20.2 address and set up the static, and it didn't work, but I am just a tad confused, you show

Silver

Re: AIP-SSM on a 5520 routing question

Yes. The names in the static statement are the names you defined with the nameif command.
