cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1007
Views
0
Helpful
3
Replies
Highlighted

Promiscuous mode AIM-SSM-10

Hi all,

I have been trying to find this information somewhere with no luck.  I am new to the IPS modules with Cisco and need to install and configure two AIM-SSM-10 modules in my company's ASA 5520s.  What I would like to do is set them up in promiscuous mode and just observe the traffic.  What I can't find out for sure is whether or not promiscuous mode alters the traffic in anyway.  By the sounds of it the SSM module can create ACLs on the fly and apply them to the ASA.  Basically I just want to know what the default behaviour is and whether or not I need to make any special configuration to allow it to passively monitor the traffic flow?

Thanks,

Jeff

3 REPLIES 3
Highlighted
Rising star

Jeff -

Those modules support promiscious mode. Here's a sample configureation you need to put on your ASA (note the ips promiscuous fail-close). from teh config guide at:

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/ssm.html#wp1050693

The following example diverts all IP traffic to the AIP SSM in promiscuous mode, and blocks all IP traffic should the AIP SSM card fail for any reason:

hostname(config)# access-list IPS permit ip any any

hostname(config)# class-map my-ips-class

hostname(config-cmap)# match access-list IPS

hostname(config-cmap)# policy-map my-ids-policy

hostname(config-pmap)# class my-ips-class

hostname(config-pmap-c)# ips promiscuous fail-close

hostname(config-pmap-c)# service-policy my-ips-policy global


- Bob

Highlighted

Hi Bob,

Thanks for the reply.  I do understand the concept of getting the traffic to the IPS modules but my main concern is what happens after.  The documentation alludes to the fact that the modules can create ACLs and block traffic, they just can't block single packet attacks and other attacks that happen too quickly for the IPS modules to respond.

I just want to know if there is a risk of traffic being dropped when I configure promiscuous mode on my ASA?

Thanks,

Jeff

Highlighted

In promiscous mode no traffic will get blocked by default. The function you are refferig to has to be configured in the IPS to block traffic on a firewall or on a router. If you don't configure blocking, the IPS will only alarm you if attacks are recognized.

Sent from Cisco Technical Support iPad App

Content for Community-Ad