12-14-2012 01:42 PM - edited 03-10-2019 05:51 AM
In my lab, I have a new 5510 with AIP-SSM card.
I believe it is configured correctly to evaluate traffic, but I can't be sure.
Here is part of the ASA config:
class-map global-class
 match any
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp, etc.
 class global-class
  ips inline fail-open
service-policy global_policy global
I have a PC going to a switch, going to the ASA (inside interface)
The ASA outside interface is going to a separate VLAN on the switch.
Both have VLAN interfaces configured.
Is there a ping command, or other traffic that I can generate from the PC that will throw an alert?
I tried ping -S from a bogus address, but that didn't cause an event.
How do I know if traffic is actually going through the IDS?
Thanks.
Solved! Accepted solution:
12-18-2012 01:29 PM
Hello Jimmy
Class-map: global-class
IPS: Card status UP, mode inline fail-open
Packet input 0, Packet output 0, drop 0, reset-drop 0
No packets are getting to the IPS module
You told me it is assigned to virtual sensor 0 on the AIP-SSM, right?
12-14-2012 05:39 PM
Hello Jimmy,
You must assign a virtual sensor to the interface that connects the AIP-SSM to the ASA (this must be done on the AIP-SSM; you can use either the GUI or the CLI to make it happen).
Now, to test it you can use signature ID 2004, which is related to ICMP Echo packets. Enable it, as it is disabled by default, and in the actions set it to generate an alert. Then go to monitoring and get a report on the last minute, hour, etc. to get this log and make sure the AIP-SSM is up and ready to protect you.
Regards,
Julio
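As an added worked example (my own, not part of the thread or copied from Cisco documentation), here are the two halves Julio is describing, with the verification commands a practitioner would run afterwards. It assumes the default virtual sensor name vs0, the AIP-SSM backplane interface GigabitEthernet0/1 (the "unpaired" G0/1 shown later in the thread), and a class-map called global-class; adjust those names to the lab.

```text
! --- On the AIP-SSM (sensor CLI): bind the backplane interface to vs0 ---
sensor# configure terminal
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]: yes

! --- On the ASA: send all traffic through the module and name the sensor ---
class-map global-class
 match any
policy-map global_policy
 class inspection_default
  inspect ftp
 class global-class
  ips inline fail-close sensor vs0
service-policy global_policy global

! --- Verification ---
! On the sensor: the counter that should now increase when the PC pings
sensor# show statistics virtual-sensor
! On the ASA: "packet input" under Class-map: global-class should be non-zero
ciscoasa# show service-policy
ciscoasa# show module 1 details
```

Two caveats. First, the "packet input 0" counter on the ASA side and "total packets processed since last reset = 0" on the sensor side are the check that matters; an enabled signature cannot fire on traffic the module never sees. Second, fail-open versus fail-close is a security decision, not just an availability one: with fail-open, traffic keeps flowing uninspected whenever the module is down, being reloaded, or has no virtual sensor bound, which is exactly the state this thread is in. fail-close blocks traffic in that state, so a misconfiguration shows up as an outage instead of silent bypass.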
12-17-2012 07:47 AM
Thanks Julio,
Under Configuration>IDS>Interfaces, G0/1 is enabled.
I have turned on ID 2004.
Under the IME menu Home>Device Details:
G0/0 Link=UP, Enabled=Yes, Mode=(blank), Rcd and Xmit are incrementing
G0/1 Link=UP, Enabled=Yes, Mode=unpaired, Rcd and Xmit are incrementing
We did not order maintenance, so I have no license. (I'm hoping I only need this to get the latest updates and support, not to run the device?)
I still have no alerts. How do I generate them?
Regards,
12-17-2012 09:34 AM
Hello,
Good, have you tried to ping across your network?
Regards,
12-17-2012 09:46 AM
Yes.
From the PC through the Switch to the Firewall and then back to a second network (VLAN interface) on the switch.
There is no event or log entry.
I was using Ping -S 0.0.0.0 192.168.1.1 and expected the IDS to pick up the bogus source.
I also tried a standard ping, no luck.
Using the CLI for the IDS, under show statistics virtual interface, I found "total packets processed since last reset = 0".
jc
12-18-2012 09:59 AM
Hello Jimmy,
Share the following from the ASA
show service-policy
Regards,
12-18-2012 12:22 PM
Service-policy: global_policy
Class-map: inspection_default
Inspect: DNS, FTP, H323, etc. (all zeros)
Class-map: global-class
IPS: Card status UP, mode inline fail-open
Packet input 0, Packet output 0, drop 0, reset-drop 0
Keep in mind that I only have one PC and one switch (with two VLAN interfaces) attached.
Thanks.
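The counters posted above are the whole diagnosis: the module is up, but packet input under the IPS class is zero, so nothing is being inspected. As an added example (mine, not from the thread), the following Python parses show service-policy output and flags the three states worth alerting on: no class-map sends traffic to the module at all, a module that is not Up, and an IPS class with zero packet input. It also flags fail-open, because in that mode a broken binding means silent bypass rather than an outage. The sample outputs are constructed to mirror the lines posted in this thread; the parser is case-insensitive because ASA versions differ in capitalization.

```python
import re

# Constructed sample modelled on the output posted in the thread (not a live capture).
BROKEN_OUTPUT = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
    Class-map: global-class
      IPS: card status Up, mode inline fail-open
        packet input 0, packet output 0, drop 0, reset-drop 0
"""

# Constructed sample of what the same policy looks like once traffic is reaching vs0.
HEALTHY_OUTPUT = """\
Global policy:
  Service-policy: global_policy
    Class-map: global-class
      IPS: card status Up, mode inline fail-close
        packet input 4812, packet output 4810, drop 2, reset-drop 0
"""

CLASS = re.compile(r"Class-map:\s*(\S+)")
IPS_HDR = re.compile(
    r"IPS:\s*card status\s+(\w+),\s*mode\s+(inline|promiscuous)\s+(fail-open|fail-close)",
    re.I,
)
IPS_CNT = re.compile(
    r"packet input\s+(\d+),\s*packet output\s+(\d+),\s*drop\s+(\d+),\s*reset-drop\s+(\d+)",
    re.I,
)


def parse_ips_classes(text):
    """Return one dict per class-map that carries an 'ips' action, with its counters."""
    results = []
    current_class = None
    pending = None
    for line in text.splitlines():
        m = CLASS.search(line)
        if m:
            current_class = m.group(1)
            continue
        m = IPS_HDR.search(line)
        if m:
            pending = {
                "class": current_class,
                "card_status": m.group(1).lower(),
                "mode": m.group(2).lower(),
                "fail_mode": m.group(3).lower(),
            }
            continue
        m = IPS_CNT.search(line)
        if m and pending is not None:
            # The counter line always follows the IPS header line for the same class.
            pending.update(
                packet_input=int(m.group(1)),
                packet_output=int(m.group(2)),
                drop=int(m.group(3)),
                reset_drop=int(m.group(4)),
            )
            results.append(pending)
            pending = None
    return results


def ips_findings(text):
    """Return human-readable findings for states where traffic is not being inspected."""
    findings = []
    classes = parse_ips_classes(text)
    if not classes:
        findings.append("no class-map sends traffic to the IPS module")
    for c in classes:
        if c["card_status"] != "up":
            findings.append(f"{c['class']}: card status {c['card_status']}")
        if c["packet_input"] == 0:
            findings.append(f"{c['class']}: packet input 0, nothing is reaching the module")
        if c["fail_mode"] == "fail-open":
            findings.append(f"{c['class']}: fail-open, traffic bypasses inspection if the module fails")
    return findings


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN_OUTPUT), ("healthy", HEALTHY_OUTPUT)):
        print(label, ips_findings(sample) or ["ok"])
```

Run periodically against the output of show service-policy (for example over SSH from a monitoring host) and treat a non-empty result as an alert; the broken sample yields two findings, the healthy one none.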