07-31-2010 08:16 AM - edited 03-10-2019 05:04 AM
Hi All,
Kindly help me to configure IPS in ASA firewall.
1) How to divert the traffic to IPS
2) Getting alerts for attacks
3) how to read the signature
All the basic level configuration for IPS required.
Regards,
M.K
07-31-2010 11:31 AM
M.K.
Below is a URL that covers the setup process of configuring the ASA to send traffic to the AIP-SSM module.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
Basically the commands from the ASA might look something like this if you wanted to send all the traffic to the AIP-SSM module for inspection and you wanted it to operate inline:
ciscoasa(config)#access-list traffic_for_ips permit ip any any
ciscoasa(config)#class-map ips_class_map
ciscoasa(config-cmap)#match access-list traffic_for_ips
ciscoasa(config)#policy-map global_policy
ciscoasa(config-pmap)#class ips_class_map
ciscoasa(config-pmap-c)#ips inline fail-open
ciscoasa(config)#service-policy global_policy global
After the above is done you will need to session into the AIP-SSM module and run the setup command to get basic connectivity. Here is a link that covers this process:
http://www.cisco.com/en/US/docs/security/ips/6.2/installation/guide/hw_initializing.html#wp1233606
The command to session into the AIP-SSM is as follows:
session 1
Once you have the basic configuration setup you can then access the AIP-SSM via IDM by going to https://1.1.1.1. In this example replace the 1.1.1.1 with the IP address of the management interface that you configured under the "setup" command. You can also download and use IME (IPS Manager Express). IME is available for download from Cisco with a valid CCO account. I would recommend using IME as it has several advantages over IDM.
Once in IME you will need to associate the backplane interface with the virtual sensor. You can do this in IME by going to Configuration->Policies->IPS Policies and on the right hand side next to "Add virtual Sensor" highlight vs0 and click edit. You can then assign the Gigabit Ethernet0/1 (Backplane Interface) to the virtual sensor. Click on Ok and then click on APPLY.
At this point you should be inspecting traffic.
With IME you can do some historical reporting and set up to be notified via email for certain events. Here is some additional information on IME:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5715/ps9610/data_sheet_c78-459033.html
To set up email notification from IME go to Tools->Preferences->Notification.
For any signatures that fire you can find additional details about the specific signatures from within IME by going to Configuration->Policies->Signature Definitions->Active Signatures and highlighting a signature and looking at the MySDM Explanation in the lower right of the IME screen. Alternatively you can also go to the following URL and look up any specific signatures:
http://tools.cisco.com/security/center/home.x
There is also an "Initial Configuration of the AIP-SSM Sensor (Video)" in this support forum that you might find beneficial. Hopefully this URL will get you to it: https://supportforums.cisco.com/docs/DOC-12233
I hope the above helps!
Thanks,
Justin T.
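An added example, not part of the post above: a variant of the same ASA commands that limits inspection to one subnet instead of "ip any any" and shows the mode and failure choices of the ips command side by side. The 192.0.2.0/24 subnet is a constructed placeholder; the ACL, class-map and policy-map names are reused from the post.

```cisco
! Added example. The subnet is a constructed placeholder; adjust to your network.
! Send only traffic to or from the server subnet to the AIP-SSM.
access-list traffic_for_ips extended permit ip any 192.0.2.0 255.255.255.0
access-list traffic_for_ips extended permit ip 192.0.2.0 255.255.255.0 any
!
class-map ips_class_map
 match access-list traffic_for_ips
!
! Choose ONE ips line for the class:
!
!   ips promiscuous fail-open
!     The module receives a copy of the traffic and cannot drop it in-path.
!     Suited to an initial tuning period while checking for false positives.
!
!   ips inline fail-open
!     Traffic passes through the module, which can drop it. If the module
!     is unavailable, matching traffic is forwarded UNINSPECTED.
!
!   ips inline fail-close
!     Traffic passes through the module. If the module is unavailable,
!     matching traffic is blocked until it recovers.
!
policy-map global_policy
 class ips_class_map
  ips inline fail-close
!
service-policy global_policy global
!
! Verify from the ASA that the module is up and the policy is matching traffic:
show module 1
show service-policy
```

With fail-open, a crashed or reloading module (for example during a signature update) silently removes inspection, so monitor the module state reported by show module if you keep that setting.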
03-18-2013 07:22 AM
Excellent post - many thanks
Tony
03-19-2013 11:33 PM
Hello Justin,
What an amazing answer,
Regards,