We have two of Cisco ASA 5540 with VPN licenses and would like to add the IPS to it i.e. ASA-SSM-AIP-20-K9 Hardware Module. I would like to know, if there is any License involved to get the IPS signatures installed and keep the IPS up to date. My question is Getting a Smartnet contract will do all the Magic.
Thanks for the quick response. Could you please give me the part code. Is it the same as that of CON-SNT-SMS-1 (which is nothing but the smartnet for the module) or is there a seperate license to be installed.
The contract number CON-SNT-SMS-1 is a smartnet contract for the SMS Tool, and not the ASA-SSM-AIP-20.
I am not even sure what the SMS Tool even is.
For the ASA-SSM-AIP-20 you will need to purchase a Cisco Service for IPS contract. The Cisco Service for IPS contract is a bundle of both SmartNET and Signature support together.
NOTE: Though there are some special Cisco Service for IPS contracts that are just for signature updates, but these are not available for general purpose.
They can only be purchased if the equivalent SmartNET support is already purchased through a Cisco reseller.
So then the question is which Cisco Service for IPS contract to purchase.
Most contracts will use the following name format:
The SUYY will change depending on the level of service.
SU1 is Next Business Day (and typically the cheapest contract)
SUO4 is Onsite 24X7X2 (onsite support almost any day of the year, and typically the most expensive contract)
The XXXX will change depending on the original part number in which the product was purchased.
If you purchased the ASA-SSM-AIP-20 as a spare (you already had the ASA to put it in), then you will purchase a contract JUST for the SSM itself. The assumption is you would already have a completely separate contract for the ASA you already owned.
The XXXX would be ASIP20K9
So the cheapest contract to buy would be:
If, however, you purchased the ASA-SSM-AIP-20 as part of an ASA bundle then it depends on which bundle you originally purchased. The single Cisco Service for IPS contract would wind up covering the equivalent of Smartnet for both the ASA and the SSM as well as Signatures for the SSM.
There are mutltiple different bundles that could have been purchased, and each bundle will have a different XXXX in the Cisco Service for IPS part number.
The ASA5510-AIP20SP-K9 uses AS1A2PK9
Resulting in CON-SU1-AS1A2PK9 as the contract part number.
The ASA5520-AIP20-K8 uses AS2A20K8.
Resulting in CON-SU1-AS2A20K8
If you know the exact part number you used for originally purchasing the ASA-SSM-AIP-20, then you shoudl be able to figure out the corresponsing Cisco Service for IPS contract you need to purchase.
If you don't know the part number you used in purchasing the module, then try contacting your Cisco sales rep, or partner representative from who you purchased the product.
Once you've purchased the Cisco Service for IPS contract, and you have gotten your SSM's serial number attached to the product (as well as the ASA's serial number if you bought it as a bundle), then you should be able to request a Signature Update license for your sensor.
In the mean time a Trial license is available for your sensor.
If you are running IPS version 6.1 or higher then find the "All IPS Hardware Platforms" link under the "Cisco Services for IPS trial license (Version 6.1 and later)" section (pay close attention to ensure you are in the "trial license" section.
Fill out the Product Id and Serial Number for your SSM-20.
Be carefull to enter the Product ID and Serial Number as you see it in "show version". The Product ID will likely NOT match the Part Number you used to buy the product. The Product ID is for the hardware itself and stays the same regardless of how you bought it. It must be exact in order for the license to work.
If you are running IPS version 6.0 or 5.1, then find the "Cisco ASA 5500 series AIP-SSM" under the "Cisco Services for IPS trial license (Version 6.0.x and earlier)" section.
Enter the serial number exactly as it is seen in the "show version" output of the sensor.
The Trial license will give you 60 days of Signature Updates while you try to work through the purchasing of your Cisco Service for IPS contract.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :