https://community.cisco.com/t5/network-security/aip-ssm-configuration-assistance/m-p/676025#M87230 <HTML><HEAD></HEAD><BODY><P>Here are the answers to your questions-</P><P></P><P>1) Does the ACL on AIP-SSM have any type of relations to the ASA ACL?</P><P></P><P>Ans) No. ACL on SSM is completely independent of ACLs on ASA.</P><P></P><P>2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?</P><P></P><P>Ans) Absolutely. You can assign the management port of SSM an IP in the same subnet as your managemnet interface. That way all management traffic will be kept independent of normal DATA traffic.</P><P></P><P>3) Should then the management interface be used as the gateway for the SSM? </P><P></P><P>Ans) You are right .. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P></P><P>Hope that helps.</P><P></P><P></P><P>Regards,</P><P>Vibhor.</P></BODY></HTML> Fri, 16 Mar 2007 20:10:28 GMT vitripat 2007-03-16T20:10:28Z https://community.cisco.com/t5/network-security/aip-ssm-configuration-assistance/m-p/676024#M87229 <P>I have two questions regarding the AIP-SSM.</P><P>1) Does the ACL on AIP-SSM have any type of relations to the ASA ACL?</P><P>2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?</P><P>3) Should then the management interface be used as the gateway for the SSM?</P><P></P><P>interface GigabitEthernet0/0</P><P> nameif outside</P><P> security-level 0</P><P> ip address 65.x.x.1 255.255.255.0 standby 65.x.x.2</P><P>! </P><P>interface GigabitEthernet0/1</P><P> nameif dmz</P><P> security-level 50</P><P> ip address 172.16.x.1 255.255.255.0 standby 172.16.x.2</P><P>!</P><P>interface GigabitEthernet0/2</P><P> nameif inside</P><P> security-level 100</P><P> ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2</P><P>!</P><P>interface GigabitEthernet0/3</P><P> description LAN/STATE Failover Interface</P><P>!</P><P>interface Management0/0</P><P> speed 100</P><P> duplex full</P><P> nameif management</P><P> security-level 100</P><P> ip address 10.0.x.1 255.255.255.0 standby 10.0.x.2 </P><P> management-only</P> Sun, 10 Mar 2019 10:31:11 GMT https://community.cisco.com/t5/network-security/aip-ssm-configuration-assistance/m-p/676024#M87229 Tshi M 2019-03-10T10:31:11Z https://community.cisco.com/t5/network-security/aip-ssm-configuration-assistance/m-p/676025#M87230 <HTML><HEAD></HEAD><BODY><P>Here are the answers to your questions-</P><P></P><P>1) Does the ACL on AIP-SSM have any type of relations to the ASA ACL?</P><P></P><P>Ans) No. ACL on SSM is completely independent of ACLs on ASA.</P><P></P><P>2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?</P><P></P><P>Ans) Absolutely. You can assign the management port of SSM an IP in the same subnet as your managemnet interface. That way all management traffic will be kept independent of normal DATA traffic.</P><P></P><P>3) Should then the management interface be used as the gateway for the SSM? </P><P></P><P>Ans) You are right .. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P></P><P>Hope that helps.</P><P></P><P></P><P>Regards,</P><P>Vibhor.</P></BODY></HTML> Fri, 16 Mar 2007 20:10:28 GMT https://community.cisco.com/t5/network-security/aip-ssm-configuration-assistance/m-p/676025#M87230 vitripat 2007-03-16T20:10:28Z https://community.cisco.com/t5/network-security/aip-ssm-configuration-assistance/m-p/676026#M87231 <HTML><HEAD></HEAD><BODY><P>after making changes to the IDS sensor, it prompts for a node reboot. does this reboot affect the firewall as well (i.e. causing the firewall to reboot)?</P></BODY></HTML> Fri, 30 Mar 2007 13:32:50 GMT https://community.cisco.com/t5/network-security/aip-ssm-configuration-assistance/m-p/676026#M87231 Tshi M 2007-03-30T13:32:50Z https://community.cisco.com/t5/network-security/aip-ssm-configuration-assistance/m-p/676027#M87232 <HTML><HEAD></HEAD><BODY><P>The reboot required is just for the IPS on the SSM. The ASA itself will not be rebooted, it is only the SSM module that will be rebooted.</P><P></P></BODY></HTML> Fri, 30 Mar 2007 16:45:52 GMT https://community.cisco.com/t5/network-security/aip-ssm-configuration-assistance/m-p/676027#M87232 marcabal 2007-03-30T16:45:52Z https://community.cisco.com/t5/network-security/aip-ssm-configuration-assistance/m-p/676028#M87233 <HTML><HEAD></HEAD><BODY><P>If your ASA configuration is using the SSM module and it is configured as "fail-close", then only you will face issues when SSM module is reloaded. Make sure that ASA is configuration has following line if using SSM services-</P><P></P><P>ips {inline | promiscuous} fail-open</P><P></P><P>This way even if you reload the SSM module it wont break the traffic through ASA.</P><P></P><P>Hope that helps.</P><P></P><P></P><P>Regards,</P><P>Vibhor.</P></BODY></HTML> Fri, 30 Mar 2007 17:05:21 GMT https://community.cisco.com/t5/network-security/aip-ssm-configuration-assistance/m-p/676028#M87233 vitripat 2007-03-30T17:05:21Z https://community.cisco.com/t5/network-security/aip-ssm-configuration-assistance/m-p/676029#M87234 <HTML><HEAD></HEAD><BODY><P>Not only that, but if your ASA's are in a failover configuration, if you reboot the SSM on the primary firewall, it will cause a failover to the standby.</P></BODY></HTML> Fri, 30 Mar 2007 18:49:38 GMT https://community.cisco.com/t5/network-security/aip-ssm-configuration-assistance/m-p/676029#M87234 jshelmer 2007-03-30T18:49:38Z