cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1094
Views
0
Helpful
4
Replies

Hi

mohammedhabib
Level 1
Level 1

Hello i have a problem i dont know whats going on ,

i have 5555-x ips ssp , the initial configuration has been done and i can see that the ip address is the same subnet as the inside interface of the firewall , still i can not ping the ips from the network of access it from the web interface. the managment interface connected to the network here are the config.

ASA Version 8.6(1)2

!

hostname STCFW

domain-name seu.net

enable password pyAlZEs.R9HXocav encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 2.2.2.2 255.255.255.

!

interface GigabitEthernet0/1

no nameif

security-level 100

no ip address

!

interface GigabitEthernet0/1.60

vlan 60

nameif inside

security-level 100

ip address 10.0.60.10 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

description LAN Failover Interface

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/6

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/7

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

no ip address

management-only

!

boot system disk0:/asa861-2-smp-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name seu.net

object network PAT

host 2.2.2.2

object network Inside

range 10.0.0.0 255.255.255.0

access-list 101 extended permit ip any any

access-list any extended permit ip any any

pager lines 24

logging asdm informational

logging host inside 10.1.20.12

mtu outside 1500

mtu inside 1500

mtu management 1500

failover

failover lan unit primary

failover lan interface failover GigabitEthernet0/4

failover polltime unit 1 holdtime 3

failover key *****

failover interface ip failover 10.0.61.1 255.255.255.0 standby 10.0.61.2

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

asdm image disk0:/asdm-66114.bin

no asdm history enable

arp timeout 14400

!

object network Inside

nat (inside,outside) dynamic pat-pool interface dns

access-group any in interface outside

route outside 0.0.0.0 0.0.0.0 2.2.2.2 1

route inside 10.0.0.0 255.0.0.0 10.0.60.1 1

route inside 10.1.72.0 255.255.255.0 10.0.60.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 10.1.20.12 255.255.255.255 inside

http 10.0.0.0 255.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 10.0.0.0 255.0.0.0 inside

ssh timeout 15

console timeout 0

!

tls-proxy maximum-session 1000

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption des-sha1

webvpn

username seu password ev3A2EZ.qpv5wwM6 encrypted

username cisco password yYLyBrxx5SXkticB encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:f8b62a75b25a0d034884fb3cc979ea45

: end

STCFW#

IPS:

B-IPS-Active# sh configuration

! ------------------------------

! Current configuration last modified Tue Oct 23 07:18:05 2012

! ------------------------------

! Version 7.1(4)

! Host:

!     Realm Keys          key1.0

! Signature Definition:

!     Signature Update    S615.0   2012-01-03

! ------------------------------

service interface

exit

! ------------------------------

service authentication

exit

! ------------------------------

service event-action-rules rules0

exit

! ------------------------------

service host

network-settings

host-ip 10.0.60.9/24,10.0.60.1

host-name B-IPS-Active

telnet-option enabled

access-list 10.0.0.0/24

dns-primary-server disabled

dns-secondary-server disabled

dns-tertiary-server disabled

exit

time-zone-settings

offset 0

standard-time-zone-name UTC

exit

exit

! ------------------------------

service logger

exit

! ------------------------------

service network-access

exit

! ------------------------------

service notification

exit

! ------------------------------

service signature-definition sig0

exit

! ------------------------------

service ssh-known-hosts

exit

! ------------------------------

service trusted-certificates

exit

! ------------------------------

service web-server

exit

! ------------------------------

service anomaly-detection ad0

exit

! ------------------------------

service external-product-interface

exit

! ------------------------------

service health-monitor

exit

! ------------------------------

service global-correlation

exit

! ------------------------------

service aaa

exit

! ------------------------------

service analysis-engine

exit

B-IPS-Active#

the ips can not ping anything even the GW

please assist

1 Accepted Solution

Accepted Solutions

Hello Mohammed,

Could be a layer 2 problem.

Let me send you what needs to be done to make this happen:

Best practice for setup for IPS and ASA management

  1. IPS and ASA management cannot both be accessed through the Management 0/0 interface.
  2. No nameif is assigned to the ASA Management 0/0 interface. ASA management is accessed on traffic bearing interfaces.
  3. The IPS is given an IP address reachable from the “inside” nameif.
  4. Access from the “inside” occurs through either switching or routing, without involving the ASA.
  5. In order to allow management from the outside, create a static NAT translation for the sensor IP address or define port forwarding to the appropriate port (port redirection is used in this example).

In this scenario, the IPS management communications to the outside network behaves similar to any other host on the inside network. This is used for signature updates, Global Correlation and IPS Service License requests.

ips-config-mod-01.gif

Configuration:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.3.1 255.255.0.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
interface Management0/0
 no nameif
 security-level 0
 management-only
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network IPS-management
 host 192.168.1.2
object network ASA-inside
 host 192.168.1.1
object-group service HTTP
 service-object tcp-udp destination eq www
 service-object tcp destination eq https
access-list global_access extended permit ip any any
access-list global_access_1 remark Allow IPS management out through to the internet.
access-list global_access_1 extended permit object-group HTTP object IPS-management any

 nat (inside,outside) source dynamic IPS-management IPS-management interface

static (outside,inside) TCP 192.168.3.1 65432 192.168.1.2 https  netmask  255.255.255.255
! Use of an ephemeral port allows for the use of common ports for other network applications.  
This also conceals the actual management port by making it not well known.
 
ASA# show module ips details | include Mgmt
 
Mgmt IP addr:       192.168.1.2
Mgmt Network mask:  255.255.255.0
Mgmt Gateway:       192.168.1.1
Mgmt Access List:   0.0.0.0/0
Mgmt web ports:     443
Mgmt TLS enabled:   true

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

4 Replies 4

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Mohammed,

Please do the following:

interface Management0/0

no nameif management

security-level 100

no ip address

management-only

Also set on the IPS the default gateway to be the inside interface of the ASA.

Then give it a try,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi ,

still i am unable to reach the IPS SSP (ping,http or https), here are the configration

interface Management0/0

no nameif

security-level 100

no ip address

management-only

Card Type:          ASA 5555-X IPS Security Services Processor

Model:              ASA5555-IPS

Hardware version:   N/A

Serial Number:      FCH1629797V

Firmware version:   N/A

Software version:   7.1(4)E4

MAC Address Range:  d48c.b54e.514e to d48c.b54e.514e

App. name:          IPS

App. Status:        Up

App. Status Desc:   Normal Operation

App. version:       7.1(4)E4

Data Plane Status:  Up

Status:             Up

License:            IPS Module  Enabled  perpetual

Mgmt IP addr:       10.0.60.9   

Mgmt Network mask:  255.255.255.0

Mgmt Gateway:       10.0.60.10 ===> this is the ASA inside interface

Mgmt Access List:   0.0.0.0/0

Mgmt Access List:   10.0.0.0/24

Mgmt web ports:     443

Mgmt TLS enabled:   true

if any one has configured this IPS SSP before please share your config.

mohammedhabib
Level 1
Level 1

Hello ,

so far i can use the direct connection to the MNG interface and this was success , but when i connect the MNG interface to a switch Layer2 and connect my PC to the other port in the switch , i can not ping the MNG interface .

i think there is some configuration should be done in the MNG interface

i am looking for it and if some one knows how to do it it will help alot . thanks

Hello Mohammed,

Could be a layer 2 problem.

Let me send you what needs to be done to make this happen:

Best practice for setup for IPS and ASA management

  1. IPS and ASA management cannot both be accessed through the Management 0/0 interface.
  2. No nameif is assigned to the ASA Management 0/0 interface. ASA management is accessed on traffic bearing interfaces.
  3. The IPS is given an IP address reachable from the “inside” nameif.
  4. Access from the “inside” occurs through either switching or routing, without involving the ASA.
  5. In order to allow management from the outside, create a static NAT translation for the sensor IP address or define port forwarding to the appropriate port (port redirection is used in this example).

In this scenario, the IPS management communications to the outside network behaves similar to any other host on the inside network. This is used for signature updates, Global Correlation and IPS Service License requests.

ips-config-mod-01.gif

Configuration:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.3.1 255.255.0.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
interface Management0/0
 no nameif
 security-level 0
 management-only
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network IPS-management
 host 192.168.1.2
object network ASA-inside
 host 192.168.1.1
object-group service HTTP
 service-object tcp-udp destination eq www
 service-object tcp destination eq https
access-list global_access extended permit ip any any
access-list global_access_1 remark Allow IPS management out through to the internet.
access-list global_access_1 extended permit object-group HTTP object IPS-management any

 nat (inside,outside) source dynamic IPS-management IPS-management interface

static (outside,inside) TCP 192.168.3.1 65432 192.168.1.2 https  netmask  255.255.255.255
! Use of an ephemeral port allows for the use of common ports for other network applications.  
This also conceals the actual management port by making it not well known.
 
ASA# show module ips details | include Mgmt
 
Mgmt IP addr:       192.168.1.2
Mgmt Network mask:  255.255.255.0
Mgmt Gateway:       192.168.1.1
Mgmt Access List:   0.0.0.0/0
Mgmt web ports:     443
Mgmt TLS enabled:   true

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Review Cisco Networking for a $25 gift card