Access to IDS module from ASA

gdntsoc
Level 1

Greetings all. I have a Cisco ASA 5510 device running software version 7.1(2), Device Manager version 5.1(2). I have an IDS/IPS security services module (ASA-SSM-10) installed in the ASA.

- Management of the ASA and IDS/IPS SSM is done via the CLI.

- I have different management IPs assigned to the IDS/IPS SSM and the ASA.

- I have different logins/passwords assigned to the IDS/IPS SSM and the ASA.

My question is...

How do I limit access to the CLI on the IDS/IPS SSM from ASA?

From the ASA CLI, I know it's possible to do a 'session <module number>' and log into the IDS/IPS SSM that way. Assuming I don't know the SSM 'cisco' user password or any other accounts (service, etc..), is there any other way for me to get into the SSM?

Basically, I'm trying to figure out how separation of privileges works in this instance. Thank you.

1 Reply

a.kiprawih
Level 7

Q: How do I limit access to the CLI on the IDS/IPS SSM from ASA?

A: You can create user accounts separately in the ASA/firewall and the IPS/SSM.

Basically, any account created in the ASA/firewall can be used in the SSM/IPS, unless you used an identical/the same username & password.

Q: Assuming I don't know the SSM 'cisco' user password or any other accounts (service, etc..), is there any other way for me to get into the SSM?

A: Yes, but you should only use the following option as a last resort, if you have lost all means of access: all admin user accounts, including the Service Account.

The only way to access the SSM then is the recovery process, where you have to start everything from scratch. Maybe this is due to security reasons (you're supposed to ensure admin accounts are maintained correctly).

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804596f0.html#wp1034193

Normally, it's good to have at least 2 user accounts with admin privileges, just in case you forget the 1st one. The Service Account is meant for TAC Support.

Hope this helps.

AK
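As an added illustration of the two separate authentication boundaries discussed above (this is not part of the original post or a Cisco document): the CLI session below shows `session 1` from the ASA landing on the sensor's own login prompt, then, on the sensor, creating the second administrator account the reply recommends and restricting which hosts may reach the sensor's management interface. The hostnames `asa` and `sensor`, the username `backupadmin`, the `10.10.10.0/24` management subnet and the `<strong-password>` placeholder are assumptions; the ASA `hw-module module 1 recover ...` commands are the last-resort reimaging path the linked guide describes and wipe the sensor's configuration.

```text
! --- On the ASA (assumed hostname "asa"). Being in enable mode on the ASA
! --- only gets you a console to the slot; the sensor still demands its
! --- own credentials, which are unrelated to the ASA's local users.
asa# show module 1 details
asa# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.

login: cisco
Password:                      <- sensor account, not an ASA account

! --- On the sensor (assumed hostname "sensor"): add a second administrator
! --- so a single forgotten password does not force a recovery reimage.
sensor# configure terminal
sensor(config)# username backupadmin privilege administrator password <strong-password>

! --- Limit which hosts may reach the sensor's management interface.
! --- The ASA's own addresses do not need to be in this list for
! --- "session 1" to work, because that path uses the backplane.
sensor(config)# service host
sensor(config-hos)# network-settings
sensor(config-hos-net)# access-list 10.10.10.0/24
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
sensor# show users all            <- confirm both admin accounts exist
sensor# exit

! --- Last resort only, back on the ASA: reimage the module from a TFTP
! --- server (prompts for the image location), then boot the recovery.
! --- All sensor accounts, signatures tuning and policy are lost.
asa# hw-module module 1 recover configure
asa# hw-module module 1 recover boot
```

Check the result from the ASA side with `show module 1` after the sensor comes back up; the module should report `Up` and you should be able to `session 1` and log in with the new account before you log out of the old one.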
