topic Re: upgrading IPS strings, ASA SSM-10 module in Network Security

upgrading IPS strings, ASA SSM-10 module

saidfrh — Sun, 10 Mar 2019 11:03:11 GMT

I am having a challenging time upgrading the ASA SSM-10 IPS module. I down loaded the IPS-sig-s327-req-e1.pkg to Win XP ftp server (my workstation). The instructions in following does not work: http://download-sj.cisco.com/cisco/ciscosecure/ips/6.x/sigup/IPS-sig-S327.readme.txt

"error: execUpgradeSoftware : Connect failed". Any suggestion would be appreciated.

Re: upgrading IPS strings, ASA SSM-10 module

chickman — Fri, 04 Apr 2008 21:48:35 GMT

My suggestion to you would be this: Use the IDM provided with the system. It is a lot easier for people unfamiliar with the IPS in CLI mode.

You can access this device via a webpage, "https://"IPADDRESS" and modify it like this. I do have to point out that the IPS limits this connectivity out of the box. You'll want to modify this access-list to include the IP address you're connecting from. Also, you'll want to ensure the HTTPS Service is enabled, and on port 443 for ease of use. All of this will need to happen initially in the CLI.

Once you're in the IDM you'll want to select

"Configuration". From here scroll down to the update section. You'll select "update is located on this client" and you're golden. You can simply upload your latest signature from the XP machine.

Re: upgrading IPS strings, ASA SSM-10 module

saidfrh — Sun, 06 Apr 2008 15:07:42 GMT

I can connect the LAN switch directly to the inside interface of the ASA5510 firewall. Hosts can get Internet connectivity while cabled to the switch. However, when the LAN switch is connected to the port on the IPS module, there is no Internet connectivity. Any suggestions would be appreciated. The following is the sh configuration and sh int output.

sh con_[Jfiguration

Version 5.1(6)

! Current configuration last modified Sat Apr 05 12:28:11 2008

! ------------------------------

service interface

exit

! ------------------------------

service analysis-engine

virtual-sensor vs0

physical-interface GigabitEthernet0/1

exit

! ------------------------------

service authentication

exit

! ------------------------------

service event-action-rules rules0

exit

! ------------------------------

service host

network-settings

host-ip 192.168.1.36/24,192.168.1.10

host-name ips

telnet-option enabled

--MORE--

access-list 0.0.0.0/0

exit

time-zone-settings

offset 0

standard-time-zone-name UTC

exit

! ------------------------------

service logger

exit

! ------------------------------

service network-access

exit

! ------------------------------

service notification

exit

! ------------------------------

service signature-definition sig0

exit

! ------------------------------

service ssh-known-hosts

exit

! ------------------------------

service trusted-certificates

--MORE--

exit

! ------------------------------

service web-server

exit

ips# sh inter_[Jfaces _[2C

Interface Statistics

Total Packets Received = 6806

Total Bytes Received = 2001784

Missed Packet Percentage = 0

Current Bypass Mode = Auto_off

MAC statistics from interface GigabitEthernet0/1

Interface function = Sensing interface

Description =

Media Type = backplane

Missed Packet Percentage = 0

Inline Mode = Unpaired

Pair Status = N/A

Link Status = Up

Link Speed = Auto_1000

Link Duplex = Auto_Full

Total Packets Received = 6807

Total Bytes Received = 2001866

Total Multicast Packets Received = 0

Total Broadcast Packets Received = 0

Total Jumbo Packets Received = 0

Total Undersize Packets Received = 0

Total Receive Errors = 0

Total Receive FIFO Overruns = 0

Total Packets Transmitted = 6807

--MORE--

Total Bytes Transmitted = 2017118

Total Multicast Packets Transmitted = 0

Total Broadcast Packets Transmitted = 0

Total Jumbo Packets Transmitted = 0

Total Undersize Packets Transmitted = 0

Total Transmit Errors = 0

Total Transmit FIFO Overruns = 0

MAC statistics from interface GigabitEthernet0/0

Interface function = Command-control interface

Description =

Media Type = TX

Link Status = Down

Link Speed = N/A

Link Duplex = N/A

Total Packets Received = 126

Total Bytes Received = 14255

Total Multicast Packets Received = 0

Total Receive Errors = 0

Total Receive FIFO Overruns = 0

Total Packets Transmitted = 1

Total Bytes Transmitted = 64

Total Transmit Errors = 0

Total Transmit FIFO Overruns = 0

Re: upgrading IPS strings, ASA SSM-10 module

chickman — Mon, 07 Apr 2008 02:47:38 GMT

I'm not to sure what you mean by "connected to the port on the IPS." The port on your SSM is merely a management port. It is not anything that would interfere with network connectivity.

Please advise on your cabling. You should still connect up as you would normally. Here is how a config of the asa should look like:

hostname(config)# access-list IPS permit ip any any

hostname(config)# class-map my-ips-class

hostname(config-cmap)# match access-list IPS

hostname(config-cmap)# policy-map my-ids-policy

hostname(config-pmap)# class my-ips-class

hostname(config-pmap-c)# ips inline fail-open

hostname(config-pmap-c)# service-policy my-ids-policy global ** Or whatever your main service policy is **

I took this directly from the CISCO AIP setup. http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliSSM.html

I hope this is what you were needing. Please let us know if it is not.

Re: upgrading IPS strings, ASA SSM-10 module

chickman — Mon, 07 Apr 2008 02:48:17 GMT

Also, were you able to update your signature??

Re: upgrading IPS strings, ASA SSM-10 module

saidfrh — Mon, 07 Apr 2008 20:21:44 GMT

Yes, thank you.