Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
741
Views
0
Helpful
3
Replies

AIP SSM - physical port query

Go to solution
J_Vansen_S
Level 3
Level 3

‎08-21-2011 07:07 PM - edited ‎03-10-2019 05:27 AM

Hi all,

I have an ASA5520 with the AIP SSM module.

I would like to get a quick verification on 2 things.

  1. AIP SSM module MUST have a physical ethernet port plugged to it, in order for IPS to function?
  2. AIP SSM module IP Address has to be on a different IP range as the ASA5520 interfaces.?

Please correct me if i am wrong.

As i have a deployment of the ASA+AIP, but due to physical port imitation on our network, & also IP address; we might not be able to cater for the AIP module.

Please advise.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎08-21-2011 07:55 PM

1. Physical ethernet port needs to be plugged and connected to the network for management purposes. To manage the AIP module itself for the IDM GUI.

2. No, it doesn't need to be on different IP range as the ASA interfaces. It is just another IP within your network, and it needs to be connected to the network via its management port (physical port on the AIP module itself), so it can be on another subnets within your ASA interfaces.

The only way you can manage the AIP module via GUI (IDM) is via its physical port. However, if you are happy to configure and manage the AIP module via command line, you can always just session via the ASA command line, however, it can be a hassle managing AIP via CLI.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎08-21-2011 07:55 PM

1. Physical ethernet port needs to be plugged and connected to the network for management purposes. To manage the AIP module itself for the IDM GUI.

2. No, it doesn't need to be on different IP range as the ASA interfaces. It is just another IP within your network, and it needs to be connected to the network via its management port (physical port on the AIP module itself), so it can be on another subnets within your ASA interfaces.

The only way you can manage the AIP module via GUI (IDM) is via its physical port. However, if you are happy to configure and manage the AIP module via command line, you can always just session via the ASA command line, however, it can be a hassle managing AIP via CLI.

0 Helpful

Go to solution
J_Vansen_S
Level 3
Level 3
In response to Jennifer Halim

‎08-21-2011 08:04 PM

Thanks Jennifer for your verification.

2. So I cant use IP on the same subnet as my inside interface. It has to be on a different subnet.

Thanks again

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to J_Vansen_S

‎08-21-2011 08:16 PM

Yes, you can use IP on the same subnet as your inside interface. There is no problem at all. You can just set the AIP module IP Address in the same subnet as your inside interface, and default gateway as the ASA inside interface.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card