05-22-2020 02:07 AM
Hi, happy new year.
Long time no see, everything ok w/ the ASA 5510 and the internet access, but I have a problem w/ the SSM-10 AIM module. I can't configure it.
First of all, let me give you as much info as I can.
Here's my config of the ASA 5510.
ASA Version 9.1(7)32
!
hostname asa
domain-name cisco.com
enable password YD7LbIlJUYMBUp9R encrypted
names
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.1.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
banner login This is Wonderland's network.If you are not authorized, please LOGOUT IMMEDIATELY!
boot system disk0:/asa917-32-k8.bin
boot config disk0:/startup-1.cfg
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
domain-name cisco.com
object network inside
subnet 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm emergencies
logging class auth asdm emergencies
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp deny any inside
asdm image disk0:/asdm-781-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd ping_timeout 750
!
dhcpd address 10.1.1.32-10.1.1.63 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 132.163.96.4 source outside
ntp server 51.137.137.111 source outside prefer
username whiterabbit password 4xhYzBFkLJobBWx7 encrypted privilege 15
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:54678e4efd0185916e83b7aba1a2a94b
: end
The inside IPs are of type 10.x.x.x and the outside ones 192.168.x.x.
The ASA 5510 has 10.1.1.2 and my router 192.168.1.1.
Here's what the SSM-10 asks for,
05-22-2020 03:28 AM
I assume this is not for production use. The product is long past end of life and not an effective countermeasure for any modern threats.
That aside, the module has a physical Ethernet port that must be connected to your network. Give it a management gateway and DNS that will allow it to know how to route off-local-net to reach external sites via that gateway and resolve FQDNs via the configured DNS.
05-22-2020 04:35 PM
Hi!
I attach an Ethernet cable to the module and it goes to the management Ethernet port of the 5510? And what gateway IPs do I use? The router's? As for the DNS, the DNS of my ISP?
05-22-2020 05:10 PM
Btw, I don't want it for production use, but for educational purposes... When I try to bring up the management interface, it says the IPs overlap w/ subnet outside/inside. What IPs and subnet mask should I use for the management Ethernet port?
05-22-2020 05:21 PM
Interface Management0/0 "", is up, line protocol is up
Hardware is i82557, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 0021.554f.35c0, MTU not set
IP address unassigned
171 packets input, 10260 bytes, 0 no buffer
Received 171 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
171 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/1) software (0/87)
output queue (curr/max packets): hardware (0/0) software (0/0)
05-22-2020 05:58 PM
Interface Management0/0 "management", is up, line protocol is up
Hardware is i82557, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
MAC address 0021.554f.35c0, MTU 1500
IP address 172.22.1.160, subnet mask 255.255.255.0
456 packets input, 27360 bytes, 0 no buffer
Received 456 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
447 L2 decode drops
1 packets output, 64 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/1) software (0/87)
output queue (curr/max packets): hardware (0/1) software (0/1)
Traffic Statistics for "management":
9 packets input, 414 bytes
1 packets output, 28 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 4 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Management-only interface. Blocked 0 through-the-device packets
05-22-2020 08:23 PM
The ASA management interface and the SSM-10 AIM interface can be on the same subnet. That subnet needs to be different from the one used by any data interfaces on the ASA.
Please have a look at this configuration guide for much more detail and illustrations:
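The subnet rule from the reply above, as an added example that is not part of the original thread: a short Python check that reads the interface stanzas of an ASA config and reports which named data interfaces a proposed management address would overlap. The sample config is constructed in the style of the one posted earlier, and the /24 mask for the DHCP-addressed outside network is an assumption (the poster only gives the router as 192.168.1.1).

```python
import ipaddress
import re

# Constructed sample: interface stanzas in the style of the config posted above.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address dhcp setroute
!
interface Ethernet0/1
 nameif inside
 ip address 10.1.1.2 255.255.255.0
!
interface Management0/0
 shutdown
 no nameif
 no ip address
!
"""

# Assumption: the DHCP-addressed outside interface sits on 192.168.1.0/24
# (router 192.168.1.1 is from the thread; the /24 mask is assumed).
DHCP_NETWORKS = {"outside": "192.168.1.0/24"}


def data_networks(config, dhcp_networks=None):
    """Return {nameif: IPv4Network} for every named interface in the config."""
    dhcp = dhcp_networks or {}
    nets, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate configs pasted with or without indentation
        if line.startswith("interface "):
            name = None  # new stanza; unnamed until a nameif line is seen
        elif (m := re.fullmatch(r"nameif (\S+)", line)):
            name = m.group(1)
        elif name and (m := re.match(r"ip address (\d[\d.]*) (\d[\d.]*)", line)):
            nets[name] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif name and line.startswith("ip address dhcp") and name in dhcp:
            nets[name] = ipaddress.ip_network(dhcp[name])
    return nets


def overlaps(candidate, config, dhcp_networks=None):
    """List the interface names whose subnet overlaps the candidate 'ip/mask'."""
    cand = ipaddress.ip_interface(candidate).network
    nets = data_networks(config, dhcp_networks)
    return sorted(n for n, net in nets.items() if net.overlaps(cand))
```

An empty list means the candidate is clear of every named interface; the 172.22.1.160 255.255.255.0 address shown on Management0/0 earlier in the thread passes this check, while anything inside 10.1.1.0/24 is reported against `inside`.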
10-15-2020 01:48 AM
Hi!
Do you know the commands I should type to give interface IPs and DNS?
10-15-2020 11:40 AM
Session to the module and type "setup" (without quotes).
Reference: