10-23-2009 08:35 PM - edited 03-10-2019 04:48 AM
Looking for an explanation of the Gig0/0 interface in the AIP-SSM-20. The ASA runs 8.2 and the IPS runs 6.2.
The documentation I'm reading doesn't mention it at all. I want a management interface separate from the default connection between the ASA and the IPS module.
Solved! Go to Solution.
10-27-2009 06:43 AM
M0/0 is the only interface you would configure an IP address on. That would be used for the management traffic.
You do not configure any IP on G0/0 or G0/1, as the traffic that is to be inspected flows from the ASA to the module internally. You just define the policy-map on the ASA to identify the traffic that flows to the module for inspection.
Check this link for details:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
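As an added illustration of the answer above (example configuration, not part of the original thread): the ASA 8.2 side that diverts traffic to the module, and the IPS 6.x CLI equivalent of what the module's `setup` dialog configures on Management0/0. The management address 192.168.1.87/24, the gateway 192.168.1.1, the ACL/class names and the module slot number 1 are assumptions chosen for the example; substitute your own.

```text
! --- ASA 8.2: send through-traffic to the AIP-SSM in slot 1 (assumed slot) ---
! Match the traffic to be inspected (everything here; narrow the ACL in practice)
access-list IPS_TRAFFIC extended permit ip any any
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
policy-map global_policy
 class IPS_CLASS
  ! inline = the module can drop packets; fail-open = pass traffic if the module fails
  ips inline fail-open
service-policy global_policy global
!
! Checks: module state, and whether the policy is actually counting packets
show module 1 details
show service-policy global

! --- AIP-SSM (IPS 6.x): management address on Management0/0 ---
! Reach the module console from the ASA:  ciscoasa# session 1
! CLI equivalent of the "setup" network answers (IP/prefix,gateway):
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
sensor(config-hos-net)# host-ip 192.168.1.87/24,192.168.1.1
sensor(config-hos-net)# access-list 192.168.1.0/24
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]: yes
```

The inspected traffic never touches the management address; only ASDM/IDM, SSH and event pulls (e.g. from MARS) use it, so the gateway for the module is simply the router on the management VLAN the Management0/0 port is cabled to. The `access-list` line restricts which hosts may manage the sensor; keep it to the management subnet rather than 0.0.0.0/0.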
10-24-2009 04:52 PM
Please describe the issue in detail.
Here's a link that may help.
10-25-2009 11:15 AM
Thanks for the reply.
This is for an AIP-SSM-20.
The management interface for the module has what designation, Gig0/0?
This IP address is different from the backplane default being used by the module to communicate with the ASA, correct?
The management interface is accessed via a physical port on the module itself, correct?
This same physical interface on the module is the reporting IP address being used when adding the sensor to MARS, correct?
10-26-2009 04:58 AM
GigabitEthernet0/1
Yes, the IP address is different. The physical port G0/1 is only used for management. The IP on the G0/1 of the module may be in the same subnet as the management interface of the ASA. Also you need to define a default gateway for the module. Whatever IP you configure for G0/1 would be used by MARS.
10-27-2009 06:00 AM
Hi Tanveer,
Thanks for the detailed response.
I believe that I was confusing the different modules.
Here is one last question from the setup command and the advanced configuration:
Management0/0 and Gigabit0/1 are given different IP addresses, correct? We want to use the same management VLAN used by all networking devices. Does Gig0/1 have a different IP, and is it the interface which connects to the ASA over the backplane?
Modify interface/virtual sensor configuration?[no]: yes
Current interface configuration
Command control: Management0/0
Unassigned:
Monitored:
GigabitEthernet0/1
Thank you in advance!
11-20-2009 10:48 PM
Hi Tanveer,
This is Yugandhar.
We are also having the same confusion. If we assign management IPs to the Cisco ASA and IPS, what will be the gateway? Because we are using a different network in the LAN, correct? We have a VLAN and DMZ environment. Can you please explain clearly about the physical connection? Because we configured the ASA and AIP-SSM-20 but we are not able to see any traffic. Please help me on this.
Please find the sensor configuration attached as well.
Regards,
Yugandhar. M
11-20-2009 10:49 PM
Hi Tanveer,
We did not configure any management IP on the Management interface.
Regards,
Yugandhar. M
11-20-2009 10:50 PM
Hi Tanveer,
We did not configure any management IP on the Management interface on the Cisco ASA 5510.
Regards,
Yugandhar. M
11-26-2009 04:52 PM
The traffic that the ASA forwards to the AIP-SSM module for inspection is sent internally and does not use the management interface. The management interface is only to monitor/manage the module.
11-26-2009 10:29 PM
Thank you, Tanveer.
I connected the Management interface to my local LAN to access the sensor, assigned the sensor IP address 192.168.1.87/24, and am accessing the AIP-SSM through ASDM using this IP only, but I am able to send the traffic to the AIP-SSM.
One more question, Tanveer. I am able to send the traffic to the AIP-SSM because of the service policy written in the ASA. Then I tried to block Yahoo HTTP-Proxy chat by using an IPS signature. It is showing a denied message in the event viewer but it is not blocking. Please help me on this. Please find the attached screenshot as well.
Regards,
Yugandhar. M
11-27-2009 07:58 AM
Once you identify the signature and its ID number, you will need to Edit the signature and choose the drop action. The default action may be to produce alert only.
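Added example (not part of the thread) of what the action change described above looks like in the IPS 6.x CLI. The signature ID `2004 0` and the `atomic-ip` engine are placeholders chosen for illustration; use the ID shown in your event viewer, and expect the engine prompt to differ per signature. A deny action can only take effect when the ASA hands the traffic to the module with `ips inline`; in `ips promiscuous` mode the module inspects a copy, so the event is logged but nothing is dropped, which is exactly the "denied in event viewer but not blocked" symptom.

```text
! --- AIP-SSM (IPS 6.x): add a drop action to one signature (placeholder ID) ---
sensor# configure terminal
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 2004 0
sensor(config-sig-sig)# engine atomic-ip
! keep the alert and also drop the matching packet in inline mode
sensor(config-sig-sig-ato)# event-action produce-alert|deny-packet-inline
sensor(config-sig-sig-ato)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]: yes

! --- ASA: the module must be inline, or deny actions are silently ignored ---
! (global_policy and IPS_CLASS are assumed names from your existing service policy)
ciscoasa# show service-policy global
ciscoasa# configure terminal
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class IPS_CLASS
ciscoasa(config-pmap-c)# ips inline fail-open
```

If the module is already inline and the event still shows only an alert, check the virtual sensor's event action overrides and filters in IDM/ASDM, which can strip deny actions below a given risk rating.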