ASA5520 with SSM-20 IPS question..

nowcom
Level 1

Hi, I have a question about an ASA firewall. I have an ASA 5520 (ASA/PIX v7.0(2)) with an SSM-20 (IPS v5.0(2)) module installed.

On the ASA 5520, gigabitethernet0/0 is named Outside and gigabitethernet0/1 is named Inside. In the ASA I also enabled inline IPS with these commands:

class-map ipsclass
  match any
policy-map ipspolicy
  class ipsclass
    ips inline fail-open
service-policy ipspolicy interface outside

*************************************

Asa5520# sh service-policy ips

Interface Outside:
  Service-policy: ipspolicy
    Class-map: ipsclass
      IPS: mode inline, packet 88398248

On the SSM-20 I ran setup, configured the IP address, and the allowed-hosts information.

Then, in ASDM, I went into the IPS and assigned GigabitEthernet0/1 (the only interface available, i.e. shown, to be assigned to vs0). I went to Interfaces under the interface configuration and enabled interface Gi0/1 (only gi0/1 is available). In the interface configuration summary it shows: Name - Giga0/1, Details – Promiscuous, Assigned to Virtual Sensor – vs0.

Now everything should be working and the events should be logged into the SSM-20. However, this is my problem: I only see events where the attacker comes from inside the network, never from the outside interface. In other words, the IPS only logs the inside events, not the outside interface. Is there anything that I misconfigured or did not configure? I tried to add gi0/0 (Outside) to vs0 but it failed because no interface is available for gi0/0. The attached txt is the show output from the SSM module. Many thanks for reading this conversation.

Best regards,

N

3 Replies

gfullage
Cisco Employee

The documentation on this is quite poor unfortunately, something we're getting fixed. I'll provide a bit of detail and hopefully this'll help others in the same boat.

For a start, the Gig0/0 and Gig0/1 that you're seeing on the ASA and on the SSM are completely separate interfaces, don't get confused because they have the same name.

The Gig interfaces on the ASA are obviously the ones on the back of the chassis and are used for inside/outside/dmz type interfaces for firewalling purposes.

The Gig0/0 interface you're seeing on the SSM (when session'd or connected into the IPS) is the physical connector on the back of the SSM module. It is used for command-and-control purposes only, not for sniffing or monitoring traffic. When you assign a management IP address to the SSM/IPS via the "setup" command it is this physical interface that you're referring to.

The Gig0/1 interface you're seeing on the SSM (when session'd or connected into the IPS) is a special internal backplane interface that is used to pass traffic between the ASA and the SSM/IPS. This is the only interface that you can assign to the virtual sensor vs0 because it is the only interface on the SSM that is used for monitoring traffic.

If the ASA is set up in inline mode then all traffic is passed from the ASA to the Gig0/1 int of the SSM, inspected, then passed back out the Gig0/1 int back to the ASA for forwarding out one of its Gig interfaces.

Now going by your config you've correctly added Gig0/1 of the SSM into vs0, so that's about all you can do on the SSM side of things. I'm not sure what you mean by "only see events with attacker come from the inside". The ASA is definitely passing traffic going by your "sho service-policy" output, so can you elaborate on what it is you're not seeing please?

Keep in mind that an IPS policy applied to an interface will only inspect inbound traffic on that interface, so this may be what you're seeing. It is generally recommended to create a new class as you have done and then just apply that class to the existing global service-policy, something like the following:

class-map ipsclass
  match any
class-map inspection_default
  match default-inspection-traffic
!
policy-map global_policy
  class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    .....
    inspect netbios
    inspect tftp
  class ipsclass <--- Add the class-map to the existing global_policy policy-map
    ips inline fail-open
!
service-policy global_policy global

Try that and see if that resolves your problem.

Thanks for the prompt reply. Almost all of the event logs in the SSM show my Inside IP address as the source address.

Such as:

participants:
  attacker:
    addr: 10.2.11.28 locality=OUT
    port: 1233
  target:
    addr: 216.155.193.155 locality=OUT
    port: 25

Later, I will add the ipsclass to global_policy instead of just the outside interface and see if I get more event logs. Also, is there an IEV or similar for the SSM-20 (IPS v5.0) available to use?

Best regards,

N
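An added example, not from this thread or from Cisco, that parses SSM events in the layout quoted above and counts them by which side the attacker address sits on, which is the check behind "I only see events from the inside". It assumes the inside network behind the ASA's Gig0/1 is 10.0.0.0/8 and uses constructed sample events; it also flags inside addresses the sensor tagged locality=OUT, as in the quoted event, since that is worth comparing with the sensor's locality settings.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout of the SSM event excerpt quoted above
# (one "participants:" block per event, attacker then target); not real data.
SAMPLE_EVENTS = """\
participants:
  attacker:
    addr: 10.2.11.28 locality=OUT
    port: 1233
  target:
    addr: 216.155.193.155 locality=OUT
    port: 25
participants:
  attacker:
    addr: 203.0.113.9 locality=OUT
    port: 4455
  target:
    addr: 10.2.11.28 locality=OUT
    port: 445
"""
# Assumption: the inside network behind the ASA's Gig0/1 is 10.0.0.0/8.
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")
ADDR_RE = re.compile(r"^\s*addr:\s*(\S+)\s+locality=(\S+)")

def parse_events(text):
    """One dict per event: {"attacker": (ip, locality), "target": (ip, locality)}."""
    events, current, role = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "participants:":
            current = {}
            events.append(current)
        elif stripped in ("attacker:", "target:"):
            role = stripped[:-1]
        elif (m := ADDR_RE.match(line)) and current is not None and role:
            current[role] = (m.group(1), m.group(2))
    return [e for e in events if "attacker" in e and "target" in e]

def direction_counts(text):
    """Count events by attacker side and flag inside addresses tagged locality=OUT."""
    counts = Counter()
    for ev in parse_events(text):
        ip, loc = ev["attacker"]
        inside = ipaddress.ip_address(ip) in INSIDE_NET
        counts["inside-sourced" if inside else "outside-sourced"] += 1
        if inside and loc != "IN":
            counts["locality-mismatch"] += 1
    return counts
```

Run it over the SSM's exported event log before and after moving ipsclass into global_policy: a zero "outside-sourced" count means no outside-originated traffic is reaching the sensor.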

Thanks! It works; I am getting more outside logs now. Also, is there a client tool or IEV for IPS v5 available? Or can events only be viewed through ASDM IPS?

Thanks,

N