Hi, I have a question about the ASA firewall. I have an ASA 5520 (ASA/PIX v7.0(2)) with an SSM-20 (IPS v5.0(2)) module installed.
On the ASA 5520, GigabitEthernet0/0 is named Outside and GigabitEthernet0/1 is named Inside. I also enabled inline IPS on the ASA with these commands:
  ips inline fail-open
  service-policy ipspolicy interface outside

  asa5520# sh service-policy ips
    IPS: mode inline, packet 88398248
On the SSM-20 I ran setup, configured the IP address and the allowed-host information.
In ASDM I went into the IPS and assigned GigabitEthernet0/1 (the only interface available (shown) to be assigned to vs0). I went to Interfaces in the interface configuration and enabled interface Gi0/1 (only gi0/1 is available). The interface configuration summary shows: Names - Giga0/1, Details Promiscuous, Assigned to Virtual Sensor vs0.
Now everything should be working and logging events into the SSM-20. However, this is my problem: I only see events where the attacker comes from inside the network, not from the outside interface. In other words, the IPS only logs the inside events, not the outside interface. Is there anything I misconfigured or did not configure? I tried to add gi0/0 (Outside) to vs0 but it failed because no interface is available for gi0/0. The attached txt shows the output from the SSM module. Many thanks for reading this.
The documentation on this is quite poor unfortunately, something we're getting fixed. I'll provide a bit of detail and hopefully this'll help others in the same boat.
For a start, the Gig0/0 and Gig0/1 that you're seeing on the ASA and on the SSM are completely separate interfaces; don't get confused because they have the same name.
The Gig interfaces on the ASA are obviously the ones on the back of the module and are used for inside/outside/dmz type interfaces for firewalling purposes.
The Gig0/0 interface you're seeing on the SSM (when session'd or connected into the IPS) is the physical connector on the back of the SSM module. It is used for command-and-control purposes only, not for sniffing or monitoring traffic. When you assign a management IP address to the SSM/IPS via the "setup" command it is this physical interface that you're referring to.
The Gig0/1 interface you're seeing on the SSM (when session'd or connected into the IPS) is a special internal backplane interface that is used to pass traffic between the ASA and the SSM/IPS. This is the only interface that you can assign to the virtual sensor vs0 because it is the only interface on the SSM that is used for monitoring traffic.
If the ASA is set up in inline mode then all traffic is passed from the ASA to the Gig0/1 interface of the SSM, inspected, then passed back out the Gig0/1 interface to the ASA for forwarding out one of its Gig interfaces.
Now, going by your config you've correctly added Gig0/1 of the SSM into vs0, so that's about all you can do on the SSM side of things. I'm not sure what you mean by "only see events with attacker come from the inside". The ASA is definitely passing traffic going by your "sho service-policy" output, so can you elaborate on what it is you're not seeing please?
Keep in mind that an IPS policy applied to an interface will only inspect inbound traffic on that interface, so this may be what you're seeing. It is generally recommended to create a new class as you have done and then just apply that class to the existing global service-policy, something like the following:
  policy-map global_policy
   class inspection_default
    inspect dns maximum-length 512
   class ipsclass            <--- add the class-map to the existing global_policy policy-map
    ips inline fail-open
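As an added illustration (not part of the original thread), here is the interface-level placement from the question beside the global-policy placement the reply recommends. The class-map body with `match any` is an assumption, since the original post does not show how ipsclass is defined.

```text
! Placement from the question: the IPS class sits in its own policy-map
! that is applied to the outside interface only.
class-map ipsclass
! assumed: the post does not show the class-map body
 match any
policy-map ipspolicy
 class ipsclass
  ips inline fail-open
service-policy ipspolicy interface outside

! Recommended placement: detach the interface policy and attach the same
! class to the existing global_policy, which a default ASA configuration
! already applies with "service-policy global_policy global", so traffic
! arriving on every interface (inside and outside) is matched.
no service-policy ipspolicy interface outside
policy-map global_policy
 class ipsclass
  ips inline fail-open

! Verify that the class is active and that the packet counter increases
show service-policy ips
```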