Cisco ASA 5510 and Cisco ASA SSM10

antrikos_kal (Level 1)

Hi, can you help me with the following?

 

CiscoASA# show module 1 details
Getting details from the Service Module, please wait...
Card Type:          ASA 5500 Series Security Services Module-10
Model:              ASA-SSM-10
Hardware version:   1.0
Serial Number:      
Firmware version:   1.0(11)5
Software version:   7.1(11)E4
MAC Address Range:  7081.05d3.99de to 7081.05d3.99de
App. name:          IPS
App. Status:        Up
App. Status Desc:   Normal Operation
App. version:       7.1(11)E4
Data Plane Status:  Up
Status:             Up
Mgmt IP addr:       10.0.0.0
Mgmt Network mask:  255.255.255.0
Mgmt Gateway:       10.0.0.1
Mgmt web ports:     443
Mgmt TLS enabled:   true
CiscoASA#
 
CiscoASA# show conf
: Saved
:
: Serial Number: 
: Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
: Written by whiterabbit at 07:30:04.119 EEDT Thu Oct 18 2018
!
ASA Version 9.1(7)13
!
hostname CiscoASA
enable password Ydk75CZYTtPg2SIo encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 nameif manage
 security-level 0
 no ip address
!
banner login WELCOME MY LORD!
banner asdm WELCOME MY LORD!
boot system disk0:/flash:/asa917-13-k8.bin
boot system disk0:/asa917-13-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu manage 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm drop
ip audit attack action alarm drop
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp deny any inside
asdm image disk0:/asdm-792-152.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 208.67.222.123 208.67.220.123
dhcpd auto_config outside
!
dhcpd address 10.1.1.3-10.1.1.15 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat shun duration 10
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1 null-sha1

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable

CISCO IPS
 
CISCO_IPS# show conf
! ------------------------------
! Current configuration last modified Thu Oct 18 04:42:37 2018
! ------------------------------
! Version 7.1(11)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S884.0   2015-08-31
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.0.0.0/24,10.0.0.1
host-name CISCO_IPS
sshv1-fallback enabled
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
exit
! ------------------------------
service analysis-engine
virtual-sensor vs1
physical-interface GigabitEthernet0/1
exit
exit
CISCO_IPS#
Accepted Solutions
Change the IPS address to be on the same 10.1.1.0/24 subnet as your ASA inside address.

 

Make your PC yet another address on that subnet.

 

All three are on the same VLAN so they must be on the same subnet to communicate.


Your ASA already has address 10.1.1.2 /24 assigned to Eth0/1. 

 

Set your SSM IPS address to 10.1.1.3 /24 with gateway as the ASA 10.1.1.2 address. Confirm it from the ASA with "show module ips detail" command.

 

Set your PC to 10.1.1.4/24.

 

Plug them all (ASA eth0/1, SSM Eth and PC wired Ethernet adapter) into your switch.

 

Launch ASDM from the PC and direct it to 10.1.1.2. The ASA should tell ASDM to pull the IDS details from 10.1.1.3. Then it should populate the IDS menus.

 

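The addressing plan from the accepted solution above, written out as the CLI session a practitioner would actually type. This is an added example, not configuration from the original poster or from Cisco documentation; the addresses 10.1.1.3 (sensor), 10.1.1.2 (gateway, the ASA inside interface) and 10.1.1.4 (PC) are the ones proposed in the thread, and the sensor's prompts are assumed to match the posted hostname CISCO_IPS. Note that the posted sensor configuration has `host-ip 10.0.0.0/24,10.0.0.1`: 10.0.0.0 is the network address of that /24, not a usable host address, so the module cannot have been reachable at it regardless of cabling.

```cisco
! --- From the ASA console, open the backplane session to the module in slot 1
! --- (the slot shown by "show module 1 details" in the original post)
CiscoASA# session 1
! log in with the sensor's own credentials

! --- On the sensor: move management onto the ASA inside subnet
CISCO_IPS# configure terminal
CISCO_IPS(config)# service host
CISCO_IPS(config-hos)# network-settings
! syntax is host-ip <address>/<prefix>,<default-gateway>
CISCO_IPS(config-hos-net)# host-ip 10.1.1.3/24,10.1.1.2
! the sensor only accepts SSH/HTTPS management from sources on this list,
! so the PC (10.1.1.4) must be covered or ASDM will be refused at the sensor
CISCO_IPS(config-hos-net)# access-list 10.1.1.0/24
CISCO_IPS(config-hos-net)# exit
CISCO_IPS(config-hos)# exit
! the sensor asks before committing the host settings
Apply Changes?[yes]: yes
CISCO_IPS(config)# exit
CISCO_IPS# exit

! --- Back on the ASA: confirm the firewall sees the new management address
CiscoASA# show module 1 details
...
Mgmt IP addr:       10.1.1.3
Mgmt Network mask:  255.255.255.0
Mgmt Gateway:       10.1.1.2
...
! The PC at 10.1.1.4 is already permitted by the existing
! "http 10.1.1.0 255.255.255.0 inside" line, so ASDM can log in to 10.1.1.2
! and then be redirected to the sensor at 10.1.1.3.
```

With the ASA Ethernet0/1, the SSM management port and the PC all on switch ports in VLAN 1, ASDM pointed at 10.1.1.2 should then populate the IPS tabs. If the module is instead cabled to Ethernet0/2 of the ASA, that interface needs `nameif`, `security-level`, an IP address on a separate subnet and `no shutdown`, the sensor needs a host-ip and gateway on that subnet with 10.1.1.0/24 in its access-list, and the ASA's interface policy must let the inside PC reach it; that is the extra work the replies refer to. While in `service host`, it is also worth setting `sshv1-fallback disabled`, since the posted configuration leaves SSHv1 fallback enabled on the sensor.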

19 Replies

antrikos_kal (Level 1)

I can access it over the CLI, not from within ASDM. That wouldn't be a problem. The real problem is I don't know how to configure it.

I can't access it from ASDM within the tabs inside the app. What is wrong? Can someone please help? And what is the Eth port used for?

I connected the Eth port of the SSM-10 to Ethernet0/2 of the ASA 5510 and now it shows the interface is up. I gave it IPs but still can't access it through ASDM.

If you connected it to Eth0/2 you would also need to fully configure that interface and associated security policies to allow communications.

 

It would be better to plug it into a switch and VLAN that's common with the ASA inside interface. Your ASDM needs to communicate with the IP addresses of both the ASA and the SSM.

 

By the way that ASA and module are well past end of support. Is there something you are trying to do with it in particular?

Hi!

 

Thanks for the information, it was valuable. No, I don't want to do anything special, just to set up the intrusion detection system.

What features will I have if it is connected to my Cisco Catalyst, and which if it is on the ASA 5510 Eth0/2?

Either way IPS will act the same.

 

If you use a firewall interface to connect the SSM management, then it must have more configuration associated with it as generally speaking firewalls don't pass traffic between all interfaces by default.

Either way, will I be able to use ASDM for the SSM-10? Or must it only be connected to the ASA 5510 interface?

Here's the config of my Cisco Catalyst 2950 series (Enterprise).

 

Switch#show run
Building configuration...
Current configuration : 1181 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface FastEthernet0/25
!
interface FastEthernet0/26
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
ip http server
!
line con 0
line vty 5 15
!
!
end
Switch#
 
FastEthernet0/22 is the SSM-10.

Either way can be made to work. Using a switch is less effort to make that happen.

 

Since your switch has a default configuration, all ports are on the same VLAN (VLAN 1). So you can plug your PC, the ASA inside interface and the SSM management interface into three switch ports and then use ASDM. It should be able to see the IPS module then.

 

I repeat however that the SSM is a very old product. It is no longer supported and you will not be able to get updates for it. Fewer and fewer people will be able to help you with it, it's not relevant for current certifications and it provides minimal protection against modern threats.

OK! Thank you!

That's how I have them connected. But I don't know what IPs to use to access the SSM from within ASDM.

VLAN1 is up, as are all interfaces. But I never set up IPs. The inside is 10.x.x.x/24 and the outside is 192.168.x.x on my ASA 5510.

I did what you told me but I still can't access it from within ASDM.
