I have been trying to find this information somewhere with no luck. I am new to the IPS modules with Cisco and need to install and configure two AIM-SSM-10 modules in my company's ASA 5520s. What I would like to do is set them up in promiscuous mode and just observe the traffic. What I can't find out for sure is whether or not promiscuous mode alters the traffic in any way. By the sounds of it the SSM module can create ACLs on the fly and apply them to the ASA. Basically I just want to know what the default behaviour is and whether or not I need to make any special configuration to allow it to passively monitor the traffic flow.
Those modules support promiscuous mode. Here's a sample configuration you need to put on your ASA (note the ips promiscuous fail-close), from the config guide at:
The following example diverts all IP traffic to the AIP SSM in promiscuous mode, and blocks all IP traffic should the AIP SSM card fail for any reason:
hostname(config)# access-list IPS permit ip any any
hostname(config)# class-map my-ips-class
hostname(config-cmap)# match access-list IPS
hostname(config-cmap)# policy-map my-ids-policy
hostname(config-pmap)# class my-ips-class
hostname(config-pmap-c)# ips promiscuous fail-close
hostname(config-pmap-c)# service-policy my-ids-policy global
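The example above uses fail-close, which means the ASA drops every flow matched by the class if the AIP SSM stops responding (module failure, reload, or a software/signature upgrade). For a deployment whose only goal is passive observation, the same policy with fail-open is the safer choice. The following is an added example, not from the original thread or copied from the Cisco guide; the object names are assumed and slot 1 is assumed for the module:

```text
! Same policy as the answer above, but fail-open: if the module is down,
! the ASA keeps forwarding instead of dropping the matched traffic.
hostname(config)# access-list IPS permit ip any any
hostname(config)# class-map my-ips-class
hostname(config-cmap)# match access-list IPS
hostname(config-cmap)# policy-map my-ids-policy
hostname(config-pmap)# class my-ips-class
hostname(config-pmap-c)# ips promiscuous fail-open
hostname(config-pmap-c)# service-policy my-ids-policy global
!
! Confirm the policy is applied and the module is up before relying on it
hostname# show service-policy
hostname# show module 1 details
```

In promiscuous mode the ASA hands the module a copy of each matched packet and forwards the original without waiting for a verdict, so the fail-close/fail-open keyword is the only part of this ASA-side configuration that decides whether traffic can be dropped; check `show service-policy` after a module reload to see which behaviour you actually configured.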
Thanks for the reply. I do understand the concept of getting the traffic to the IPS modules but my main concern is what happens after. The documentation alludes to the fact that the modules can create ACLs and block traffic, they just can't block single packet attacks and other attacks that happen too quickly for the IPS modules to respond.
I just want to know if there is a risk of traffic being dropped when I configure promiscuous mode on my ASA?
In promiscuous mode no traffic will get blocked by default. The function you are referring to has to be configured in the IPS to block traffic on a firewall or on a router. If you don't configure blocking, the IPS will only alarm if attacks are recognized.