ASA 5510 w/ SSM-10 AIM MODULE.

antrikos_kal
Level 1

Hi, happy new year.

 

Long time no see, everything ok w/ the ASA 5510 and the internet access, but I have a problem w/ the SSM-10 AIM module. I can't configure it.

 

First of all, let me give you as much info as I can.

 

Here's my config of the ASA 5510.

 

ASA Version 9.1(7)32
!
hostname asa
domain-name cisco.com
enable password YD7LbIlJUYMBUp9R encrypted
names
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
banner login This is Wonderland's network.If you are not authorized, please LOGOUT IMMEDIATELY!
boot system disk0:/asa917-32-k8.bin
boot config disk0:/startup-1.cfg
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name cisco.com
object network inside
 subnet 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm emergencies
logging class auth asdm emergencies
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp deny any inside
asdm image disk0:/asdm-781-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd ping_timeout 750
!
dhcpd address 10.1.1.32-10.1.1.63 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 132.163.96.4 source outside
ntp server 51.137.137.111 source outside prefer
username whiterabbit password 4xhYzBFkLJobBWx7 encrypted privilege 15
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:54678e4efd0185916e83b7aba1a2a94b
: end

 

The inside IPs are of the type 10.x.x.x and the outside ones 192.168.x.x.

 

The ASA 5510 has 10.1.1.2 and my router 192.168.1.1.

 

Here's what the SSM-10 asks for:

 

Last login: Fri May 22 06:22:59 on pts/0
***NOTICE***
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on the SSM-IPS10.
The system will continue to operate with the currently installed
signature set.  A valid license must be obtained in order to apply
signature updates.  Please go to http://www.cisco.com/go/license
to obtain a new license or install a license.
ASA-SSM-10#
 
ASA-SSM-10# show config
! ------------------------------
! Current configuration last modified Fri May 22 06:26:45 2020
! ------------------------------
! Version 7.0(2)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S425.0   2009-08-17
!     Virus Update        V1.4     2007-03-02
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.1.1.69/24,10.1.1.2
host-name ASA-SSM-10
telnet-option disabled
access-list 192.168.0.0/20
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
exit
time-zone-settings
offset 0
standard-time-zone-name GMT00:00
exit
ntp-option enabled-ntp-unauthenticated
ntp-server 195.80.0.193
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
general
never-block-networks 192.168.0.0/20
exit
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
signatures 2153 0
status
enabled true
exit
exit
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
cisco-security-agents-mc-settings 192.168.1.14
username admin
exit
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit
ASA-SSM-10#
 
I don't know what IPs I should use for management/gateway and DNS.
 
Can you help?

Marvin Rhoads
Hall of Fame

I assume this is not for production use. The product is long past end of life and not an effective countermeasure for any modern threats.

That aside, the module has a physical Ethernet port that must be connected to your network. Give it a management gateway and DNS that will allow it to know how to route off-local-net to reach external sites via that gateway and resolve FQDNs via the configured DNS.

Hi!

 

I attach an ethernet cable to the module and it goes to the management ethernet port of the 5510? And what gateway IPs do I use? The router's? As for the DNS, the DNS of my ISP?

btw I don't want it for production use, but for educational purposes... when I try to bring up the management interface it says the IPs overlap w/ the subnet outside/inside. What IPs and subnet mask should I use for the management ethernet port?

Interface Management0/0 "", is up, line protocol is up
  Hardware is i82557, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Available but not configured via nameif
        MAC address 0021.554f.35c0, MTU not set
        IP address unassigned
        171 packets input, 10260 bytes, 0 no buffer
        Received 171 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        171 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (0/1) software (0/87)
        output queue (curr/max packets): hardware (0/0) software (0/0)

Interface Management0/0 "management", is up, line protocol is up
  Hardware is i82557, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        MAC address 0021.554f.35c0, MTU 1500
        IP address 172.22.1.160, subnet mask 255.255.255.0
        456 packets input, 27360 bytes, 0 no buffer
        Received 456 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        447 L2 decode drops
        1 packets output, 64 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (0/1) software (0/87)
        output queue (curr/max packets): hardware (0/1) software (0/1)
  Traffic Statistics for "management":
        9 packets input, 414 bytes
        1 packets output, 28 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  4 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
        Management-only interface. Blocked 0 through-the-device packets

The ASA management interface and the SSM-10 AIM interface can be on the same subnet. That subnet needs to be different from the one used by any data interfaces on the ASA.

Please have a look at this configuration guide for much more detail and illustrations:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/71204-traffic-asa-aip-ssm.html
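As an added illustration (not part of this thread or of any Cisco tool), here is a small Python check that applies the rule stated above: it parses the ASA's addressed data interfaces and flags an IPS host-ip whose subnet overlaps one of them, or whose gateway is not inside its own subnet. The ASA interface lines and the first host-ip line are taken from the posts above; the 172.22.1.0/24 addresses in the second plan are assumed.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed sample: the two addressed interfaces from the ASA config posted
# above. Ethernet0/0 uses DHCP, so its subnet is unknown from the config alone.
ASA_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address dhcp setroute
interface Ethernet0/1
 nameif inside
 ip address 10.1.1.2 255.255.255.0
"""


def asa_data_networks(config: str) -> dict:
    """Map each nameif to its directly connected subnet (DHCP/unaddressed skipped)."""
    nets, nameif = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            nameif = line.split()[1]
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m and nameif and m[1] != "dhcp":
            nets[nameif] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}").network
    return nets


def parse_ssm_host_ip(line: str):
    """Split an IPS 'host-ip A.B.C.D/len,gateway' line into interface and gateway."""
    fields = line.strip().split()
    if len(fields) != 2 or fields[0] != "host-ip" or "," not in fields[1]:
        raise ValueError(f"not an IPS host-ip line: {line!r}")
    addr, gw = fields[1].split(",", 1)
    return ipaddress.IPv4Interface(addr), ipaddress.IPv4Address(gw)


def check_management_plan(ssm_line: str, asa_config: str) -> list:
    """Return the objections the ASA would raise with this plan (empty list = OK)."""
    host, gw = parse_ssm_host_ip(ssm_line)
    problems = []
    if gw not in host.network:
        problems.append(f"gateway {gw} is not inside {host.network}")
    for name, net in asa_data_networks(asa_config).items():
        if host.network.overlaps(net):
            problems.append(f"{host.network} overlaps ASA '{name}' subnet {net}")
    return problems


if __name__ == "__main__":
    # The plan from the SSM 'show config' above collides with the inside subnet.
    print(check_management_plan("host-ip 10.1.1.69/24,10.1.1.2", ASA_CONFIG))
    # An assumed management subnet distinct from every data interface passes.
    print(check_management_plan("host-ip 172.22.1.161/24,172.22.1.1", ASA_CONFIG))
```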

Hi!

 

Do you know the commands I should type to give the interface IPs and DNS?
