Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

How to configure the adaptive security appliance to support an AIP SSM (IPS)

What is IPS?

An IPS has all the features of a good IDS, but can also stop malicious traffic from invading the enterprise. Unlike an IDS, an IPS sits inline with traffic flows on a network, actively shutting down attempted attacks as they're sent over the wire. It can stop the attack by terminating the network connection or user session originating the attack, by blocking access to the target from the user account, IP address, or other attribute associated with that attacker, or by blocking all access to the targeted host, service, or application.

In addition, an IPS can respond to a detected threat in two other ways. It can reconfigure other security controls, such as a firewall or router, to block an attack. Some IPS devices can even apply patches if the host has particular vulnerabilities. In addition, some IPS can remove the malicious contents of an attack to mitigate the packets, perhaps deleting an infected attachment from an email before forwarding the email to the user.

Core issue

The Cisco ASA 5500 series adaptive security appliance supports a variety of Security Service Modules (SSMs).

This documentation provides information on how to configure the Advanced Inspection and Prevention Security Services Module (AIP SSM) in the Inline and Promiscuous modes.


The ASA 5500 series adaptive security appliance supports the AIP SSM, which runs advanced IPS software that provides further security inspection.

The AIP SSM can operate in one of two modes, such as:

  1. Inline mode This mode places the AIP SSM directly in the traffic flow. You  must first pass through and be inspected by the AIP SSM before you can continue through the adaptive security appliance.

    This mode is the most secure because every packet is analyzed before it is allowed through. Also, the AIP SSM can implement a blocking policy on a packet-by-packet basis. But, this mode can affect throughput. Use the Inline keyword of the ips command in order to specify this mode.
  2. Promiscuous mode In this mode, a duplicate stream of traffic is sent to the AIP SSM. This mode is less secure. The SSM that operates in promiscuous mode instructs the adaptive security appliance to shun the traffic or resets a connection on the adaptive security appliance in order to block traffic.

    Also, while the AIP SSM analyzes the traffic, a small amount of traffic possibly passes through the adaptive security appliance before the AIP SSM can block it. Use the Promiscuous keyword of the ips command in order to specify this mode.

    Refer to the About the AIP SSM section of Managing AIP SSM and CSC SSM for more information about AIP SSM.