I am currently configuring an AIP SSM module on an ASA, and I would like to know which interface IP address should be used for the management interface. Should it be the outside interface of the ASA or the inside interface of the ASA?
The majority of the time, you would be managing the module from your internal network, hence most people configure the management interface with an IP address from the inside network.
Hope that helps.
I also will be setting up the AIP SSM on two ASAs running Active/Standby, so I would like to know if I have to do any configuration on the Standby. Or when I save the configuration on the Active, will the AIP SSM configuration replicate to the Standby ASA?
No, you would need to manually configure both AIP modules, as the failover configuration synchronization is only for the ASA, not for the module.
You would need to configure a unique/different IP address for each of the AIP modules.
Hope that helps.
Is it best to set up the AIP SSM using the IME or just from the command line? Also, where can I get info on how to use the IME to provision the AIP SSM on the ASA?
You won't be able to use IME to provision the AIP. Session into the module from the ASA, then run the "setup" command, and it will run you through the basic network connectivity setup. Once you have the IP address configured, you can use IME to manage the module.
License and upgrade can be done through IME.
Here is the documentation guide for IME for your reference:
Here is the Auto Update configuration guide:
When you configure the ASA to send the traffic towards the AIP module to be inspected, you can configure a specific ACL for the traffic that you would like to inspect, or otherwise, you can just configure a "permit ip any any" ACL to inspect everything going through the ASA.
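
The two ACL choices from the last reply, as an added example that is not part of the original thread: ASA configuration that matches traffic with an ACL and hands it to the AIP SSM. The names `IPS_TRAFFIC` and `IPS_CLASS`, the 10.10.10.0/24 subnet, and the choice of inline mode with fail-open are assumptions made for illustration.

```cisco
! Added example, not from the thread. ACL and class-map names and the
! 10.10.10.0/24 subnet are constructed; global_policy is the ASA's
! default policy-map.
!
! Option A: inspect only selected traffic (here, to or from one subnet)
access-list IPS_TRAFFIC extended permit ip 10.10.10.0 255.255.255.0 any
access-list IPS_TRAFFIC extended permit ip any 10.10.10.0 255.255.255.0
!
! Option B: inspect everything going through the ASA (use instead of A)
! access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
policy-map global_policy
 class IPS_CLASS
  ! inline     = the module sits in the forwarding path and can drop traffic
  ! fail-open  = traffic keeps flowing if the module is down
  !              (fail-close would block matched traffic instead)
  ips inline fail-open
!
service-policy global_policy global
```

This is ASA configuration, so it is the part that failover synchronization covers; the settings inside each AIP module still have to be configured separately, as stated earlier in the thread.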