IPS Configuration in ASA

ocenetwork
Level 1

Hi All,

Kindly help me to configure IPS in ASA firewall.

1) How to divert the traffic to IPS

2) Getting alerts for attacks

3) How to read the signature

All the basic-level configuration for IPS is required.

Regards,

M.K

Accepted Solution

jtaliafe
Cisco Employee

M.K.

Below is a URL that covers the setup process of configuring the ASA to send traffic to the AIP-SSM module.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml

Basically the commands from the ASA might look something like this if you wanted to send all the traffic to the AIP-SSM module for inspection and you wanted it to operate inline:

ciscoasa(config)# access-list traffic_for_ips permit ip any any
ciscoasa(config)# class-map ips_class_map
ciscoasa(config-cmap)# match access-list traffic_for_ips
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class ips_class_map
ciscoasa(config-pmap-c)# ips inline fail-open
ciscoasa(config)# service-policy global_policy global

After the above is done you will need to session into the AIP-SSM module and run the setup command to get basic connectivity. Here is a link that covers this process:

http://www.cisco.com/en/US/docs/security/ips/6.2/installation/guide/hw_initializing.html#wp1233606

The command to session into the AIP-SSM is as follows:

session 1

Once you have the basic configuration set up you can then access the AIP-SSM via IDM by going to https://1.1.1.1. In this example replace the 1.1.1.1 with the IP address of the management interface that you configured under the "setup" command. You can also download and use IME (IPS Manager Express). IME is available for download from Cisco with a valid CCO account. I would recommend using IME as it has several advantages over IDM.

Once in IME you will need to associate the backplane interface with the virtual sensor. You can do this in IME by going to Configuration->Policies->IPS Policies and on the right hand side next to "Add Virtual Sensor" highlight vs0 and click Edit. You can then assign the GigabitEthernet0/1 (Backplane Interface) to the virtual sensor. Click on OK and then click on APPLY.

At this point you should be inspecting traffic.

With IME you can do some historical reporting and set up to be notified via email for certain events. Here is some additional information on IME:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5715/ps9610/data_sheet_c78-459033.html

To set up email notification from IME go to Tools->Preferences->Notification.

For any signatures that fire you can find additional details about the specific signatures from within IME by going to Configuration->Policies->Signature Definitions->Active Signatures, highlighting a signature and looking at the MySDN Explanation in the lower right of the IME screen. Alternatively you can also go to the following URL and look up any specific signatures:

http://tools.cisco.com/security/center/home.x

There is also an "Initial Configuration of the AIP-SSM Sensor (Video)" in this support forum that you might find beneficial. Hopefully this URL will get you to it: https://supportforums.cisco.com/docs/DOC-12233

I hope the above helps!

Thanks,

Justin T.
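As an added example (not from the post above and not Cisco code), a small Python audit that reads ASA running-config text and verifies the access-list -> class-map -> policy-map -> service-policy chain that the commands in the answer build, reporting a chain that does not resolve and noting the fail-open and promiscuous trade-offs. The embedded sample config is constructed from the commands in the answer; `parse_asa` and `audit_ips_chain` are names chosen here, and the parser assumes the two-space/one-space indentation that `show running-config` produces for sub-modes.

```python
import re
# Constructed sample modelled on the commands in the post (not a real device dump).
SAMPLE_CONFIG = "\n".join([
    "access-list traffic_for_ips extended permit ip any any",
    "class-map ips_class_map", " match access-list traffic_for_ips",
    "policy-map global_policy", " class ips_class_map", "  ips inline fail-open",
    "service-policy global_policy global"])

def parse_asa(config):
    # returns: acl names, class-map -> acl, policy-map -> {class: (mode, fail)}, applied policy-maps
    acls, cmaps, pmaps, applied = set(), {}, {}, {}
    cmap = pmap = pclass = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():  # an unindented line ends any sub-mode
            cmap = pmap = pclass = None
        if m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"class-map (\S+)$", line):
            cmap = m.group(1); cmaps[cmap] = None
        elif (m := re.match(r"match access-list (\S+)$", line)) and cmap:
            cmaps[cmap] = m.group(1)
        elif m := re.match(r"policy-map (\S+)$", line):
            pmap = m.group(1); pmaps[pmap] = {}
        elif (m := re.match(r"class (\S+)$", line)) and pmap:
            pclass = m.group(1); pmaps[pmap].setdefault(pclass, None)
        elif (m := re.match(r"ips (inline|promiscuous) (fail-open|fail-close)", line)) and pclass:
            pmaps[pmap][pclass] = (m.group(1), m.group(2))  # the sensor action for this class
        elif m := re.match(r"service-policy (\S+) (global|interface \S+)$", line):
            applied[m.group(1)] = m.group(2)
    return acls, cmaps, pmaps, applied

def audit_ips_chain(config):
    # 'error:' findings mean traffic never reaches the sensor; 'info:' notes a trade-off
    acls, cmaps, pmaps, applied = parse_asa(config)
    findings, seen_ips = [], False
    for pmap, classes in pmaps.items():
        for cls, action in classes.items():
            if action is None: continue  # a class without an ips action is outside the chain
            seen_ips, (mode, fail) = True, action
            if cmaps.get(cls) not in acls:  # missing class-map, no match line, or undefined ACL
                findings.append(f"error: class {cls} in {pmap} does not resolve to a defined access-list")
            if pmap not in applied:
                findings.append(f"error: policy-map {pmap} is never applied with service-policy")
            if fail == "fail-open":
                findings.append(f"info: {pmap}/{cls} is fail-open, traffic bypasses inspection if the module fails")
            if mode == "promiscuous":
                findings.append(f"info: {pmap}/{cls} is promiscuous, the sensor can alert but cannot drop")
    if not seen_ips:
        findings.append("error: no 'ips' action found in any policy-map")
    return findings
```

Feed it the output of `show running-config` to confirm the chain is intact after a change; an empty result means every `ips` class resolves to a real ACL, the policy is applied, and the module fails closed in inline mode.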


3 Replies

Excellent post - many thanks

Tony

Hello Justin,

What an amazing answer.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC