ASA SSM IPS not monitoring WAN or alerting on NMAP scans or any attacks
My client has an ASA5520 with an SSM IPS module. I have never worked with the IPS module and have been asked to set this up. I upgraded the IPS to 6.0x and the IPS signatures (S266), but I do not see any alerts or blocks from the IPS. I have run NMAP scans against the IPS management IP and the internal ASA IP, with nothing being detected. Also, I noticed that in the ASDM the internal interface is being monitored, but not the outside WAN link, which I want to monitor as well.
Re: ASA SSM IPS not monitoring WAN or alerting on NMAP scans or any attacks
The AIP SSM module will only inspect the traffic that is sent to it from the ASA. This means any traffic that goes 'through' the ASA.
First, consider your AIP module's command and control interface. This is a separate interface that is external to the ASA (even though it is physically in the same box). So unless an attack goes through the ASA to reach this interface, the AIP module will not be able to inspect any traffic to the command and control interface.
Also, if the traffic is directed to the ASA's internal interface IP, then it will not be sent to the AIP module (since this is not 'through' traffic). This includes any attacks made to a firewall interface (inside or outside). You need to check the ASA's log for attacks against the ASA itself.
To monitor all the traffic that goes in and out of the ASA, please apply the policy map globally instead of to a specific interface. You can have multiple classes in one policy map.
In order for the AIP SSM to detect attacks, you have to put it in inline mode so it begins to look at the traffic passing through the ASA. Remember the SSMs will only see traffic that goes through the ASA. If you want to see intra-VLAN traffic on the inside of your network, you will need to get a separate device.
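The two replies above describe one configuration: a class that matches through-traffic, an IPS action in inline mode, and the policy map applied globally rather than to one interface. The following ASA CLI fragment is an added example that illustrates that configuration; it is not taken from the thread or from any of the posters. The class-map name `IPS_CLASS` and the choice of `fail-open` are assumptions for illustration (`fail-open` lets traffic pass if the module goes down; `fail-close` drops it instead). The slot number `1` is the usual slot for an AIP SSM in an ASA 5520 but should be confirmed with `show module`.

```cisco
! Added example (not from the original thread). Names are assumptions.
! Match all traffic the ASA forwards; this is the only traffic the SSM ever sees,
! so scans aimed at the ASA's own interface IPs or at the SSM management IP
! will still not appear here.
class-map IPS_CLASS
 match any
!
! Attach the IPS action to the existing global policy map. "inline" puts the
! module in the forwarding path; "fail-open" is an assumption for this example.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
!
! Apply the policy globally so both inside and outside traffic is redirected,
! instead of "service-policy ... interface inside", which covers one interface only.
service-policy global_policy global
```

After applying it, `show service-policy global` on the ASA reports the IPS card status, the mode (inline or promiscuous) and packet counters for the class; non-zero input counters confirm that through-traffic is actually being redirected to the module, which is the check to run before expecting alerts in the IPS event store.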