AIM-SSM interfaces and ASA 5510

jlebowitsch
Level 1

All, can anyone explain if and how routing works between the ASA and the IPS card?

1) Is the single NIC in the IPS card for management purposes only?

2) Is the IP address configured in the card's setup process for this one NIC?

3) Need there be any routing between e.g. the ASA management or any other interface and the card management interface, or can they reside on completely separated networks?

Thanks

Jonathan

Accepted Solution

marcabal
Cisco Employee

The IPS card has 3 interfaces.

The management interface is an external interface that you plug a network cable in to. The IP address is configured by the user during setup.

The sniffing interface is the internal interface on the ASA data backplane. No IP address is ever assigned to this interface.

The control plane interface is an internal interface on the ASA control plane so that the ASA can communicate internally to the SSM (the session command runs through this interface). The control plane IP address is controlled by the ASA and is not user configurable.

The management interface is for management only.

The IP Address configured during setup is only for this management interface.

As for routing between the ASA and the SSM, this is completely up to the user.

All communication from the ASA to the SSM is done internally through the control plane interface and so the ASA itself does not need to know how to communicate to the SSM management IP.

The SSM, however, does need to communicate from its management IP to one of the ASA interfaces in order to do Blocking/Shunning on the ASA. Blocking/Shunning is not done through the control plane.

When using IDM or ASDM for configuration the java applet web browses to the SSM management IP so the machine running IDM or ASDM must either be on the local network of the management port of the SSM, or be routable to the network.

Some scenarios:

1) Only one machine (IDS MC/Sec Mon) communicating with the SSM. In this scenario you could take a crossover cable and directly connect the one machine to the SSM.

The SSM can then communicate only to that one machine.

2) A secure network for managing the security devices that is NOT routable to/from other networks.

In this scenario the management box, the management port of the SSM, and the management port of the ASA would all be placed on this one network.

The SSM would only be able to communicate with the management box and the ASA management port.

The ASA management port is configured as a management-only port so the ASA will not route in/out of the management network.

So only the management box on that local network can communicate with the SSM, and no remote boxes can connect directly to the SSM.

(NOTE: Blocking/Shunning will work here because the SSM can talk to the ASA)

3) A secure network that IS routable to/from other networks.

Similar to option 2 above, but in this scenario the management port of the ASA is configured to NOT be a "management-only" port, and is instead treated like any other port on the firewall. In this setup the management port of the ASA CAN route in/out of the management network.

NOTE: In most cases the ASA will need to configure a NAT address for the SSM management IP if users intend to connect to the SSM management IP remotely from the Internet (like running ASDM from the company main network over the internet to configure the ASA and the SSM at a remote site)

4) SSM management IP on one of the normal networks behind the ASA. In this scenario the management port of the SSM would be plugged into a switch or hub where other internal machines are plugged in (like plugging into the DMZ switch/vlan). From the ASA standpoint the SSM management port would be treated just like any other web and ssh server behind the firewall.

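The points in the accepted answer that matter from a hardening standpoint are that the SSM's blocking/shunning path is an ordinary SSH login from the SSM management IP to an ASA interface, and that in scenarios 3 and 4 the SSM management port is exposed like any other server behind the firewall. The following ASA configuration fragment is an added example, not part of the original thread and not Cisco's reference configuration. It assumes pre-8.3 ASA syntax (the 5510/SSM era, before NAT was rewritten), a management LAN of 192.168.1.0/24 with the ASA Management0/0 at .1 and the SSM management port at .10, a DMZ of 192.168.2.0/24 for the scenario 4 variant, and constructed TEST-NET addresses for the outside interface and a remote ASDM host; every address, interface name, ACL name and username is a placeholder.

```cisco
! Added example (not from the original thread). Assumed addressing:
!   management LAN 192.168.1.0/24: ASA Management0/0 = 192.168.1.1,
!                                  SSM management port = 192.168.1.10
!   dmz            192.168.2.0/24: scenario 4 alternative, SSM mgmt = 192.168.2.10
!   outside mapped address 203.0.113.10, remote ASDM host 203.0.113.50 (constructed)
! Syntax is ASA 7.x / 8.0-8.2 (pre-8.3 NAT).

! ---- Scenario 2: closed management network, management-only port ----
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
! The SSM blocks/shuns by logging in to the ASA over SSH from its management
! IP, so that is the only host that should reach SSH on this interface.
username ipsblock password <strong-secret> privilege 15
aaa authentication ssh console LOCAL
ssh 192.168.1.10 255.255.255.255 management
ssh timeout 5
!
! ASDM/IDM reach the ASA only from the management LAN.
http server enable
http 192.168.1.0 255.255.255.0 management

! ---- Scenario 3 variant: management interface routable like any other ----
! Dropping management-only turns Management0/0 into a normal data interface,
! subject to routing, NAT and ACLs. Keep the SSH restriction above.
interface Management0/0
 no management-only

! ---- Scenario 4: SSM management port on the DMZ switch ----
! Treat the SSM like any other SSH/HTTPS server behind the firewall: a
! static NAT for remote ASDM/IDM, and an inbound ACL limited to one host.
! Pre-8.3 ACLs reference the mapped (outside) address.
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255
access-list outside_in extended permit tcp host 203.0.113.50 host 203.0.113.10 eq https
access-list outside_in extended permit tcp host 203.0.113.50 host 203.0.113.10 eq ssh
access-group outside_in in interface outside
!
! With the SSM on the dmz, its blocking SSH session arrives on the dmz
! interface, so the SSH permit moves there.
ssh 192.168.2.10 255.255.255.255 dmz
```

The sensor side still has to be told about the ASA as a blocking device (its `service network-access` configuration) and to accept the ASA's SSH host key; that is outside this fragment. Once both sides are configured, `show ssh sessions` on the ASA should show the SSM's login while a block is active and `show shun` should list the shunned address; if the SSM cannot reach the ASA interface that its blocking profile points at, neither will appear and only the sniffing interface's alerts will be generated.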
Great answer. I'm all set.
