Re: ASA SSM IP address

perrymichael · ‎10-03-2006

Does the Ip address on the SSM have to be on a seperate subnet from the other interfaces, while running in promiscous mode?

jwalker · ‎10-03-2006

It can be on any of the subnets you want... We have many across the US and put them on a DMZ with a static IP to a public address..

a.kiprawih · ‎10-03-2006

Hi,

You can assign any IP, but recommended is IP Address belongs to your Management Vlan or secure subnet (you can even assign unused IP belongs to inside interface segment).

This is because SSM is your IPS module, and you need to allow only trusted/authorized users to access it.

However, pls note that the SSM's default gateway must be in the same subnet as the sensor's IP address or the sensor will generate an error and not accept the configuration change.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008045a77c.html#wp1031325

Pls rate all useful post(s).

Cheers!

AK

perrymichael · ‎10-05-2006

Ok so the SSM acts like a server on the network, although it is a module in the ASA

mmorris11 · ‎10-05-2006

Bingo. The physical port on the AIP-SSM module is for management. The docs are very vaugue about this. THe sensing "port" is connected to the ASA via the blackplane.

HTH

a.kiprawih · ‎10-05-2006

Yes, it works almost the same like FWSM/IDSM modules in Cat6500, except for the physical management port.

Like mmorris11 said, everything works via backplane, except the mgt port.

Cheers!

Amrih

perrymichael · ‎10-06-2006

While setting up the sensor it requires a reboot, will this reboot the entire ASA or just the module itself.

a.kiprawih · ‎10-06-2006

Only the SSM, not the entire ASA.