Configuring ASA 5520 to work with SSM-20 IPS module

wseyller
Level 1

Using this equipment in my home lab for study purposes.

I attempted to follow instructions I found to send the ASA traffic to the IPS module for inspection. A command is missing for me.

Commands I input on the ASA:

access-list IPS extended permit ip any any
class-map IPS
 match access-list IPS
policy-map global_policy
 class IPS
  ips inline fail-open

On the last line under "class IPS" I see the "ips" command, but "inline" is not available.

These are the only options I have after "ips":

  df-bit                Set IPsec DF policy
  fragmentation         Set IPsec fragmentation policy
  ikev1                 Set IKEv1 settings
  ikev2                 Set IKEv2 settings
  security-association  Set security association parameters

Output of: show modules

Mod Card Type                                     Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5510 Adaptive Security Appliance         ASA5510            JMX1211L128
   1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF10450514

Mod MAC Address Range               Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   0 001e.f762.c01e to 001e.f762.c022  2.0          1.0(11)2     9.1(7)23
   1 0019.0665.4b9d to 0019.0665.4b9d  1.0          1.0(11)2     7.0(2)E3

Mod SSM Application Name       Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
   1 IPS                            Up               7.0(2)E3

Mod Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable
   1 Up                 Up
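As an added example (not code from the thread): with "ips inline fail-open", a failed SSM means matched traffic is forwarded without inspection, so a defender wants to check the module's status and data-plane status from "show module" rather than assume the policy is enforcing. The Python below parses output shaped like the post's tables and answers that question; the sample is constructed from the post above, and the "Unresponsive"/"Down" failure variant uses assumed status strings.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the last two tables of "show module" in the post above.
SHOW_MODULE = """\
Mod SSM Application Name       Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
   1 IPS                            Up               7.0(2)E3

Mod Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable
   1 Up                 Up
"""
# Constructed failure variant (status strings assumed): the SSM stopped responding.
SHOW_MODULE_FAILED = SHOW_MODULE.replace("   1 Up                 Up",
                                         "   1 Unresponsive       Down")

def _rows(output: str, header_start: str) -> List[str]:
    """Data rows of the table whose header line begins with header_start."""
    rows, grab = [], False
    for line in output.splitlines():
        if grab and not line.strip():
            break                      # a blank line ends the table
        if grab and not line.lstrip().startswith("-"):
            rows.append(line)          # skip the dashed underline row
        grab = grab or line.startswith(header_start)
    return rows

def _cols(row: str) -> List[str]:
    """Split '<slot> <field> <field>'; fields are separated by 2+ spaces."""
    m = re.match(r"\s*(\d+)\s+(.*)$", row)
    return [m.group(1)] + re.split(r"\s{2,}", m.group(2).strip()) if m else []

def ips_module_state(output: str) -> Dict[str, str]:
    """Find the slot running the IPS application and report its health fields."""
    state: Dict[str, str] = {}
    for cols in map(_cols, _rows(output, "Mod SSM Application Name")):
        if len(cols) >= 3 and cols[1] == "IPS":
            state = {"slot": cols[0], "app": cols[2]}
    for cols in map(_cols, _rows(output, "Mod Status")):
        if state and cols and cols[0] == state["slot"]:
            state["status"], state["data_plane"] = cols[1], cols[2] if len(cols) > 2 else ""
    return state

def inspection_bypassed(output: str, fail_mode: str) -> bool:
    """True when traffic classed for 'ips inline <fail_mode>' is flowing uninspected:
    module not Up/Up and fail-open passes it (fail-close would drop it instead)."""
    s = ips_module_state(output)
    return not (s.get("status") == "Up" and s.get("data_plane") == "Up") and fail_mode == "fail-open"
```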


4 Replies

What is the problem?

Marvin Rhoads
Hall of Fame

I don't think the old style IPS is included on any of the current certification blueprints. It is past end-of-life.

You shouldn't spend too much time studying it.

That said, the commands you cited should be available. Here is the output from one of my ASAs:

asa-5512(config-pmap)# class-map IPS
asa-5512(config-cmap)# match any
asa-5512(config-cmap)# policy-map global_policy
asa-5512(config-pmap)#      class IPS          
asa-5512(config-pmap-c)# ?

MPF policy-map class configuration commands:
  cluster          Specify actions related to clustering
  csc              Content Security and Control service module
  cxsc             Send traffic to CXSC blade
  exit             Exit from MPF class action configuration mode
  flow-export      Configure filters for NetFlow events
  help             Help for MPF policy-map class/match submode commands
  inspect          Protocol inspection services
  ips              Intrusion prevention services
  no               Negate or set default values of a command
  police           Rate limit traffic for this class
  priority         Strict scheduling priority for this class
  quit             Exit from MPF class action configuration mode
  set              Set connection values
  sfr              Send traffic to SFR blade
  user-statistics  configure user statistics for identity firewall
asa-5512(config-pmap-c)# ips ?

mpf-policy-map-class mode commands/options:
  inline       Inline mode IPS
  promiscuous  Promiscuous mode IPS

configure mode commands/options:
  df-bit                Set IPsec DF policy
  fragmentation         Set IPsec fragmentation policy
  ikev1                 Set IKEv1 settings
  ikev2                 Set IKEv2 settings
  inner-routing-lookup  Enable IPsec inner routing lookup
  profile               Set ipsec profile settings
  security-association  Set security association parameters
asa-5512(config-pmap-c)# ips inline ?

mpf-policy-map-class mode commands/options:
  fail-close  Block traffic if IPS card fails
  fail-open   Permit traffic if IPS card fails
asa-5512(config-pmap-c)#            

You should see inline and promiscuous options under mpf-policy-map-class mode commands/options when you put a question mark after IPS.

Well, I just tried again and I do see it. I see they section it off, and maybe I didn't see it before. I initially tried typing it in and it didn't work, but maybe I typed it in wrong. I understand it is an older product, but I would like to know more about it besides certification.

Thanks though for the help.

ASA(config)# policy-map global_policy
ASA(config-pmap)# class IPS
ASA(config-pmap-c)# ?

MPF policy-map class configuration commands:
  exit             Exit from MPF class action configuration mode
  help             Help for MPF policy-map class/match submode commands
  no               Negate or set default values of a command
  police           Rate limit traffic for this class
  priority         Strict scheduling priority for this class
  quit             Exit from MPF class action configuration mode
  service-policy   Configure QoS Service Policy
  set              Set connection values
  shape            Traffic Shaping
  user-statistics  configure user statistics for identity firewall
  <cr>
  csc              Content Security and Control service module
  flow-export      Configure filters for NetFlow events
  inspect          Protocol inspection services
  ips              Intrusion prevention services
ASA(config-pmap-c)# ips ?

mpf-policy-map-class mode commands/options:
  inline       Inline mode IPS
  promiscuous  Promiscuous mode IPS

configure mode commands/options:
  df-bit                Set IPsec DF policy
  fragmentation         Set IPsec fragmentation policy
  ikev1                 Set IKEv1 settings
  ikev2                 Set IKEv2 settings
  security-association  Set security association parameters
ASA(config-pmap-c)# ips