In my lab, I have a new 5510 with AIP-SSM card.
Here is part of the ASA config:
inspect ftp, etc,
ips inline fail-open
service-policy global_policy global
I have a PC going to a switch, going to the ASA (inside interface)
The ASA outside interface is going to a separate VLAN on the switch.
Both have VLAN interfaces configured.
Is there a ping command, or other traffic that I can generate from the PC that will throw an alert?
I tried Ping -S from a bogus address, but that didn't cause an event.
How do I know if traffic is actually going through the IDS?
You must assign a virtual sensor to the interface that connects the AIP-SSM to the ASA (this must be done on the AIP-SSM; you could use either the GUI or the CLI to make it happen).
Now to test it you can use signature ID 2004, which is related to ICMP Echo packets. Enable it, as it's disabled by default, and on the actions set it to generate an alert. Then go to monitoring and get a report on the last minute, hour, etc. to get this log and make sure the AIP-SSM is up and ready to protect you.
Under Configuration>IDS>Interfaces, G0/1 is enabled.
I have turned on ID 2004.
Under the IME menu Home>Device Details:
G0/0 Link=UP, Enabled=Yes, Mode=(blank), Rcd and Xmit are incrementing
G0/1 Link=UP, Enabled=Yes, Mode=unpaired, Rcd and Xmit are incrementing
We did not order maintenance, so I have no License. (I'm hoping I only need this to get the latest updates and support, not to run the device??)
I still have no alerts. How do I generate them?
From the PC through the Switch to the Firewall and then back to a second network (VLAN interface) on the switch.
There is no event or log entry.
I was using Ping -S 0.0.0.0 192.168.1.1 and expected the IDS to pick up the bogus source.
I also tried a standard ping, no luck.
Using the CLI for the IDS, under show statistics virtual interface, I found "total packets processed since last reset = 0"
Inspect: DNS, FTP, H323, etc (all zeros)
IPS: Card status UP, mode inline fail-open
Packet input 0, Packet output 0, drop 0, reset-drop 0
Keep in mind that I only have one PC and one switch (with two VLAN interfaces) attached.
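The counters quoted in the follow-up post are the fastest way to tell whether the module is seeing anything at all. As an added example (not code from the thread or from Cisco), this Python checker parses the IPS line of the ASA's `show service-policy` output together with the sensor's "total packets processed" counter and reports why no alert could have fired. The sample output is constructed to resemble the lines quoted above, not a verbatim capture.

```python
import re

# Constructed sample output, shaped after the counters quoted in the thread
# (not a verbatim capture from a real ASA or AIP-SSM).
ASA_SERVICE_POLICY = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      IPS: card status Up, mode inline fail-open
        packet input 0, packet output 0, drop 0, reset-drop 0
"""
SENSOR_STATS = """\
Virtual Sensor Statistics
   Total packets processed since last reset = 0
"""

IPS_RE = re.compile(
    r"IPS:\s*card status (\w+), mode (.+?)\n\s*"
    r"packet input (\d+), packet output (\d+), drop (\d+), reset-drop (\d+)",
    re.IGNORECASE)
SENSOR_RE = re.compile(r"total packets processed since last reset\s*=\s*(\d+)",
                       re.IGNORECASE)

def parse_ips_counters(text):
    """Counters from the IPS action of 'show service-policy'; None if absent."""
    m = IPS_RE.search(text)
    if not m:
        return None
    status, mode, pin, pout, drop, rdrop = m.groups()
    return {"status": status.lower(), "mode": mode.strip(), "input": int(pin),
            "output": int(pout), "drop": int(drop), "reset_drop": int(rdrop)}

def parse_sensor_processed(text):
    """Packets processed by the virtual sensor; None if the counter is absent."""
    m = SENSOR_RE.search(text)
    return int(m.group(1)) if m else None

def diagnose(asa_text, sensor_text):
    """List the reasons, in order of precedence, why no IPS alert can appear."""
    ips = parse_ips_counters(asa_text)
    if ips is None:  # 'ips inline' is not applied in any policy
        return ["no IPS action in the service policy: traffic is never sent to the module"]
    findings = []
    if ips["status"] != "up":  # with fail-open the ASA simply bypasses a down module
        findings.append("IPS card status is %s: fail-open bypasses the module" % ips["status"])
    if ips["input"] == 0:  # nothing matched the policy, so the ASA forwarded nothing
        findings.append("ASA has sent 0 packets to the IPS: test traffic is not crossing the policy")
    if parse_sensor_processed(sensor_text) == 0:
        findings.append("virtual sensor processed 0 packets: check the sensor assignment on the AIP-SSM")
    return findings
```

Run `diagnose()` on the two outputs before hunting for missing signatures: a non-empty list means the module never saw the ping, so enabling 2004 alone cannot help.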