

Need Help Setting up AIP SSM

I am currently configuring an AIP SSM module on an ASA, and I would like to know which interface IP address should be used for the management interface.  Should it be the outside interface of the ASA or the inside interface of the ASA?

Jennifer Halim
Cisco Employee

The majority of the time, you would be managing the module from your internal network, hence most people configure the management interface with an IP address from the inside network.

Hope that helps.

I will also be setting up the AIP SSM on two ASAs running Active/Standby, so I would like to know if I have to do any configuration on the Standby. Or when I save the configuration on the Active, will the AIP SSM configuration replicate to the Standby ASA?

No, you would need to manually configure both AIP modules, as the failover configuration synchronization is only for the ASA, not for the module.

You would need to configure a unique/different IP address for each of the AIP modules.

Hope that helps.

Is it best to set up the AIP SSM using the IME or just from the command line? Also, where can I get info on how to use the IME to provision the AIP SSM on the ASA?

You won't be able to use IME to provision the AIP. Session into the module from the ASA, then run the "setup" command, and it will run you through the basic network connectivity setup. Once you have the IP address configured, you can use IME to manage the module.

Is it possible to add the license and upgrade AIP SSM from the IME?  Or do those have to be done from the CLI?

License and upgrade can be done through IME.

Here is the documentation guide for IME for your reference:

I really appreciate your answers. But one last question: please point me to where I can get the syntax to set up Auto Update.

Please let me know how to configure the AIP SSM to monitor Remote VPN traffic.

When you configure the ASA to send the traffic towards the AIP module to be inspected, you can configure a specific ACL for the traffic that you would like to inspect, or otherwise, you can just configure a "permit ip any any" ACL to inspect everything going through the ASA.
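
The ACL-based redirection described in the last reply, sketched as an ASA configuration. This is an added example, not part of the original thread: the ACL and class-map names and the remote-access VPN pool 10.10.50.0/24 are constructed placeholders, and promiscuous mode with fail-open is only one possible choice.

```cisco
! Option A: inspect only remote-access VPN client traffic.
! 10.10.50.0/24 is a constructed placeholder for the VPN address pool.
access-list IPS-VPN extended permit ip 10.10.50.0 255.255.255.0 any
access-list IPS-VPN extended permit ip any 10.10.50.0 255.255.255.0
!
! Option B: inspect everything going through the ASA.
! Use this ACL in the class-map below instead of IPS-VPN.
access-list IPS-ALL extended permit ip any any
!
! Classify the traffic to be handed to the AIP SSM.
class-map IPS-CLASS
 match access-list IPS-VPN
!
! Attach the IPS action to the class.
!   promiscuous: the module receives a copy of the traffic
!   inline:      the traffic passes through the module
!   fail-open:   traffic keeps flowing if the module is unavailable
!   fail-close:  matching traffic is dropped if the module is unavailable
policy-map global_policy
 class IPS-CLASS
  ips promiscuous fail-open
!
! Apply the policy globally (all interfaces).
service-policy global_policy global
```

This part lives in the ASA configuration; the module's own settings still have to be entered on each AIP SSM separately, as noted earlier in the thread.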