I have an ASA 5510 which is configured and working fine. I'm now tasked with configuring an SSM (remotely).
In the ASDM, when I click IPS I'm asked for the management port IP. Is this the same management port IP used to configure the rest of the firewall or one pertaining just to the SSM? If I enter the IP of the firewall management port then I get a username/password prompt. I've tried cisco/cisco, blank/blank, cisco/blank, blank/cisco etc. No joy. It hasn't been used before.
The documentation says to plug one end of the yellow ethernet cable into the SSM and one to "your network device". What network device?
The documentation indicates that in ASDM, under Interfaces I should have 4GE SSM. I don't. I only have three ethernet ports and a management port. Does this mean that I don't have what I'm told I have, or that I have to do something else first?
Think of the SSM as having two interfaces: the first connects directly to ASA and is its inline sensing/monitoring port. The other interface is its management interface, and needs to connect to "your network device" - i.e. most likely the switch that your ASA is connected to. That IPS management interface is a totally different IP address than what's on your ASA. The IPS unit is effectively piggy-backing inside of the ASA for power and for the traffic that it needs to monitor.
That said, there is a back-door into the IPS from the ASA CLI, and that's how I would recommend boot-strapping the IPS unit. SSH into your ASA, then do:
Now do a "session 1" in order to get into the IPS unit (host name, management IP address, default gateway etc). Default should be cisco/cisco. That IP address will need to be accessible via the switchport that you connect your yellow cable to.
After that, you'll need to configure a service-policy on the ASA (via ASDM) to 'send' traffic to that inline sensing/monitoring port. You can either do that in IDS (passive-only) mode to start (recommended) and once you're comfortable, change that to IPS mode so you can start dropping traffic.
I suggest using IME (Cisco IPS Manager Express) for configuring the IPS unit. It's free, supports up to 10 devices, and has better reporting and the same level of configuration. If you're going to have more than 5 or 10 IPS units consider CSM (Cisco Security Manager) so you can do "group policy" and have a shared signature set for all devices.
Check out the ASA documentation first. Start here:
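For reference, the service-policy step described in the answer above, written as ASA CLI rather than ASDM clicks. This is an added example, not part of the original reply; the names IPS_TRAFFIC and IPS_CLASS are hypothetical, and it assumes the default global_policy is still applied globally.

```cisco
! Added example: IPS_TRAFFIC and IPS_CLASS are hypothetical names.
! Assumes the default global_policy is still applied globally.

! Select the traffic the SSM should inspect (here: all IP traffic).
access-list IPS_TRAFFIC extended permit ip any any

class-map IPS_CLASS
 match access-list IPS_TRAFFIC

policy-map global_policy
 class IPS_CLASS
  ! IDS (passive) mode: the SSM receives a copy of each packet and can only alert.
  ! fail-open: traffic keeps flowing if the SSM is down or reloading.
  ips promiscuous fail-open

service-policy global_policy global

! Later, to move to IPS mode, replace the ips line under the same class:
!   ips inline fail-open
! Using fail-close instead of fail-open makes the ASA drop matched traffic
! whenever the SSM is unavailable.
```

On a remotely managed firewall, the fail-open/fail-close choice decides whether an SSM reload interrupts traffic, so check it before switching from promiscuous to inline.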