Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

ASA SSM IPS not monitoring WAN or alerting on NMAP scans or any attacks


My client has a ASA5520 with a SSM IPS module. I never worked with the IPS module and have been asked to set this up. I upgraded the IPS to 6.0x and IPS signatures (S266), but I do not see any alerts or blocks from the IPS. I have run NMAP scans against the IPS management IP and the internal ASA IP, with nothing being detected. Also I notice d that in the ASDM the internal interface is being monitored, but not the outside WAN link, which I want to monitor as well.

The versions are as follows:

ASA 5520 with 7.2(2) and ASDM 5.2(2)

SSM IPS with 6.0(1)E1 with IPS S266 signatures

Any ideas or links while I google?

Cisco Employee

Re: ASA SSM IPS not monitoring WAN or alerting on NMAP scans or

Hi Chris,

AIP SSM module will only inspect the traffic that was sent from the ASA. This means any traffic that goes 'through' the ASA.

First, your AIP Module's Command and Control Interface. This is a separate interface that is external to ASA. (even though it is physically in same box). So unless attack goes through the ASA to reach this interface, AIP module will not be able to inspect any traffic to the command and control interface.

Also, if the traffic was directed to the ASA's internal interface IP, then it will not be sent to the AIP module. (since this is not 'through traffic') This includes any attacks made to the firewall interface. (inside or outside) You need to see the ASA's log for the attack to the ASA itself.

To monitor all the traffic that goes in and out of the ASA, please apply the policy map to global intead of a specific interface. You can have multiple classes in one policy map.

Thank you.


Community Member

Re: ASA SSM IPS not monitoring WAN or alerting on NMAP scans or

Sounds like you are not routing the traffic through the AIP SSM. You need to add the policy map.

Take a look at this link.

In order for the AIP SSM to detect attacks you have to put it in inline mode so it begins to look at the traffic passing through the ASA. Remember the SSMs will only see traffic that goes through the ASA. If you want to see intra VLAN traffic on the inside of your network you will need to get a separate device.

CreatePlease to create content