02-01-2012 02:18 AM - edited 03-10-2019 05:36 AM
I have an ASA 5510 which is configured and working fine. I'm now tasked with configuring an SSM (remotely).
In the ASDM, when I click IPS I'm asked for the management port IP. Is this the same management port IP used to configure the rest of the firewall or one pertaining just to the SSM? If I enter the IP of the firewall management port then I get a username/password prompt. I've tried cisco/cisco, blank/blank, cisco/blank, blank/cisco etc. No joy. It hasn't been used before.
The documentation says to plug one end of the yellow ethernet cable into the SSM and one to "your network device". What network device?
The documentation indicates that in ASDM, under Interfaces I should have 4GE SSM. I don't. I only have three ethernet ports and a management port. Does this mean that I don't have what I'm told I have, or that I have to do something else first?
Can it be configured from the ASDM?
Muchly confused.
02-01-2012 04:42 AM
Hey Tony
Think of the SSM as having two interfaces: the first connects directly to the ASA and is its inline sensing/monitoring port. The other interface is its management interface, and needs to connect to "your network device" - i.e. most likely the switch that your ASA is connected to. That IPS management interface is a totally different IP address than what's on your ASA. The IPS unit is effectively piggy-backing inside of the ASA for power and for the traffic that it needs to monitor.
That said, there is a back-door into the IPS from the ASA CLI, and that's how I would recommend boot-strapping the IPS unit. SSH into your ASA, then do:
YOURASA# show module
Mod Card Type Model Serial No.
--- -------------------------------------------- ------------------ -----------
0 ASA 5510 Adaptive Security Appliance ASA5510
1 ASA 5500 Series Security Services Module-10 ASA-SSM-10
Mod MAC Address Range Hw Version Fw Version Sw Version
--- --------------------------------- ------------ ------------ ---------------
0
1
Mod SSM Application Name Status SSM Application Version
--- ------------------------------ ---------------- --------------------------
1 IPS Up 7.0(6)E4
Mod Status Data Plane Status Compatibility
--- ------------------ --------------------- -------------
0 Up Sys Not Applicable
1 Up Up
Now do a "session 1" in order to get into the IPS unit (host name, management IP address, default gateway etc). Default should be cisco/cisco. That IP address will need to be accessible via the switchport that you connect your yellow cable to.
After that, you'll need to configure a service-policy on the ASA (via ASDM) to 'send' traffic to that inline sensing/monitoring port. You can either do that in IDS (passive-only) mode to start (recommended) and once you're comfortable, change that to IPS mode so you can start dropping traffic.
I suggest using IME (Cisco IPS Manager Express) for configuring the IPS unit. It's free, supports up to 10 devices, and has better reporting and the same level of configuration. If you're going to have more than 5 or 10 IPS units consider CSM (Cisco Security Manager) so you can do "group policy" and have a shared signature set for all devices.
Check out the ASA documentation first. Start here:
http://www.cisco.com/en/US/docs/security/asa/quick_start/ips/ips_qsg.html
(Please rate the comment if this has been helpful.)
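As an added illustration of the last step in the answer above (the ASA service-policy that hands traffic to the SSM's sensing port), not part of the original reply, here is the equivalent ASA CLI configuration. It assumes the SSM sits in slot 1 as in the show module output, that all traffic should be inspected (the access-list name, class-map name and the "match any" scope are assumptions for the example; narrow them to the interfaces or hosts you care about), and that the ASA already has the default global_policy policy-map that ASDM creates. The first block is the passive-only IDS (promiscuous) mode the answer recommends starting with; the second is the one-line change that moves the sensor inline so it can drop traffic.

```cisco
! --- Step 1: IDS / promiscuous mode (sensor only sees a copy of traffic) ---
! Traffic selector: assumed name, assumed "any any" scope for the example
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! Attach the IPS action to the existing global policy-map.
! fail-open: if the SSM is down or reloading, traffic keeps flowing
!            (safe choice while bootstrapping; fail-close would block it)
policy-map global_policy
 class IPS_CLASS
  ips promiscuous fail-open
!
! Apply on all interfaces (ASDM's default global_policy is already global;
! this line is only needed if the service-policy is not present yet)
service-policy global_policy global

! --- Step 2: later, switch to IPS / inline mode so the sensor can drop ---
policy-map global_policy
 class IPS_CLASS
  no ips promiscuous fail-open
  ips inline fail-open

! --- Verification ---
show service-policy
show module 1 details
```

In promiscuous mode the SSM receives a copy of each matching packet and can only alert, so a sensor outage or a bad signature tuning cannot take the firewall path down; inline mode places the SSM in the forwarding path, which is why the answer suggests proving the deployment in IDS mode before enabling it. Keep fail-open until you have confirmed from show module that the SSM stays Up/Up across a reload, then decide deliberately whether fail-close (block traffic when the sensor is unavailable) matches your risk posture.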