ASA SSM IPS not monitoring WAN or alerting on NMAP scans or any attacks

cisco80211
Level 1

Hello,

My client has an ASA5520 with an SSM IPS module. I never worked with the IPS module and have been asked to set this up. I upgraded the IPS to 6.0x and IPS signatures (S266), but I do not see any alerts or blocks from the IPS. I have run NMAP scans against the IPS management IP and the internal ASA IP, with nothing being detected. Also I noticed that in the ASDM the internal interface is being monitored, but not the outside WAN link, which I want to monitor as well.

The versions are as follows:

ASA 5520 with 7.2(2) and ASDM 5.2(2)

SSM IPS with 6.0(1)E1 with IPS S266 signatures

Any ideas or links while I google?

chris@chrisserafin.com

2 Replies

edwakim
Cisco Employee

Hi Chris,

The AIP SSM module will only inspect the traffic that was sent to it from the ASA. This means any traffic that goes 'through' the ASA.

First, there is your AIP module's command and control interface. This is a separate interface that is external to the ASA (even though it is physically in the same box). So unless an attack goes through the ASA to reach this interface, the AIP module will not be able to inspect any traffic to the command and control interface.

Also, if the traffic was directed to the ASA's internal interface IP, then it will not be sent to the AIP module (since this is not 'through' traffic). This includes any attacks made to the firewall interface (inside or outside). You need to look at the ASA's log for attacks on the ASA itself.

To monitor all the traffic that goes in and out of the ASA, please apply the policy map globally instead of to a specific interface. You can have multiple classes in one policy map.

Thank you.

Edward

tim.weid
Level 1

Sounds like you are not routing the traffic through the AIP SSM. You need to add the policy map.

Take a look at this link.

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df98.html

In order for the AIP SSM to detect attacks you have to put it in inline mode so it begins to look at the traffic passing through the ASA. Remember the SSMs will only see traffic that goes through the ASA. If you want to see intra-VLAN traffic on the inside of your network you will need to get a separate device.
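Both replies above come down to the same change: a policy map with an `ips` action applied globally so that every interface's through-traffic is handed to the AIP SSM. The ASA 7.2 configuration below is an added example written for this thread, not something either poster supplied; the class-map and policy-map names are assumptions (the ASA ships with a default `global_policy`, so you may already have one to extend rather than create).

```text
! ---- ASA 7.2 MPF configuration (added example, not from the thread) ----
! Match everything that transits the firewall. Narrow this to an ACL
! (match access-list ...) if you only want a subset sent to the sensor.
class-map IPS_ALL_TRAFFIC
 match any

! Attach the IPS action to the class. 'inline' is what both replies ask for:
! the sensor sits in the forwarding path and can drop/block. 'promiscuous'
! would only get a copy and could alert but not block.
! fail-open keeps traffic flowing if the SSM is down or reloading;
! fail-close drops it instead. Pick deliberately: fail-open is safer for
! availability, fail-close is safer for enforcement.
policy-map global_policy
 class inspection_default
  ! (existing default inspections stay here)
 class IPS_ALL_TRAFFIC
  ips inline fail-open

! 'global' instead of 'interface inside' is the fix for "only the inside
! interface is monitored": the policy now covers the outside link too.
service-policy global_policy global

! ---- Verification ----
! Per-interface counters for the IPS class should climb as traffic crosses
! the ASA; zero packets here means the policy is not matching.
show service-policy global

! The SSM must be 'Up' for the inline action to do anything.
show module 1 details
```

Two caveats that follow directly from Edward's reply when you test this: an NMAP scan aimed at the SSM's own management IP, or at the ASA's inside/outside interface addresses, will still never reach the sensor, because neither is through-traffic. Test with a scan from the outside against a host behind the ASA (a NAT'd or published server) and look for the resulting event in IDM/IME or the sensor's event store; attacks on the firewall itself show up only in the ASA syslog.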
