Cisco Support Community

Issue Getting AIP-SSM to Scan Traffic

Hi Everyone,

I am very new to working with these devices but am looking for some help in getting the AIP-SSM10 to scan FTP traffic that passes the FW. I have generated the traffic (FTP) and it has been successful, but it doesn't seem to go via the IDS as I get "no processed packets".

Can anyone tell me if I am missing anything? Would be great if someone could help and thanks in advance.


This is my config:

class-map inspection-AIP-SSM-Cmap
 match access-list AIP-SSM
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map inspection-AIP-SSM-Pmap
 class inspection-AIP-SSM-Cmap
  ips inline fail-close
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
service-policy inspection-AIP-SSM-Pmap interface Process1
service-policy inspection-AIP-SSM-Pmap interface Process2
service-policy inspection-AIP-SSM-Pmap interface Process3
service-policy inspection-AIP-SSM-Pmap interface Information
service-policy inspection-AIP-SSM-Pmap interface Supervisory
service-policy inspection-AIP-SSM-Pmap interface NMS
service-policy inspection-AIP-SSM-Pmap interface Remote-Access
service-policy inspection-AIP-SSM-Pmap interface Outside
prompt hostname context

access-list AIP-SSM; 2 elements; name hash: 0x32415518
access-list AIP-SSM line 1 remark ###ACL for Diverting Traffic to AIP-SSM###
access-list AIP-SSM line 2 extended permit tcp host host eq ftp (hitcnt=6) 0xc2d99a28
access-list AIP-SSM line 3 extended permit ip any any (hitcnt=40488) 0x2972bc2a


Issue Getting AIP-SSM to Scan Traffic

Have you assigned the interface to the virtual sensor yet?

Try a packet display on the SSM; does it show anything?

You may want to refer to the following guide for detailed config.

Hope this helps.


Sawan Gupta

Thanks & Regards, Sawan Gupta
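
An added example, not part of the thread and not Cisco code: a small Python check that walks an ASA Modular Policy Framework config like the one posted above and reports, for each service-policy binding, which class diverts traffic to the IPS module, in which mode, and what happens on module failure. The function name `ips_redirects` and the embedded sample (a trimmed copy of the posted config) are constructed for illustration.

```python
# Constructed sample: a trimmed copy of the config posted in the thread.
SAMPLE = """\
class-map inspection-AIP-SSM-Cmap
 match access-list AIP-SSM
class-map inspection_default
 match default-inspection-traffic
policy-map inspection-AIP-SSM-Pmap
 class inspection-AIP-SSM-Cmap
  ips inline fail-close
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
service-policy inspection-AIP-SSM-Pmap interface Outside
service-policy inspection-AIP-SSM-Pmap interface NMS
"""

def ips_redirects(config):
    """Return one dict per service-policy binding whose policy-map has an `ips` action."""
    class_match = {}   # class-map name -> match criterion
    policy_ips = {}    # policy-map name -> [(class, mode, failure behaviour)]
    bindings = []      # (policy-map name, "global" or interface name)
    cmap = pmap = cls = None
    for raw in config.splitlines():
        words = raw.split()          # keyword-based, so lost indentation is tolerated
        if not words:
            continue
        if words[0] == "class-map":
            cmap, pmap, cls = words[-1], None, None
        elif words[0] == "policy-map":
            pmap, cmap, cls = words[-1], None, None
        elif words[0] == "service-policy":
            bindings.append((words[1], words[-1]))
            cmap = pmap = cls = None
        elif words[0] == "match" and cmap:
            class_match[cmap] = " ".join(words[1:])
        elif words[0] == "class" and pmap:
            cls = words[1]
        elif words[0] == "ips" and pmap and cls and len(words) >= 3:
            policy_ips.setdefault(pmap, []).append((cls, words[1], words[2]))
    return [
        {"scope": scope, "class": c, "match": class_match.get(c, "?"),
         "mode": mode, "on_failure": fail}
        for name, scope in bindings
        for c, mode, fail in policy_ips.get(name, [])
    ]

if __name__ == "__main__":
    for row in ips_redirects(SAMPLE):
        print(row)
```

Each row with `inline` and `fail-close` marks an interface where matched traffic is blocked if the module is unavailable, which is worth knowing before troubleshooting the sensor itself.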