Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
864
Views
5
Helpful
13
Replies

Unable to run IPS module from ASA inside interface

mudasir05
Level 1
Level 1

‎04-20-2016 05:08 AM - edited ‎03-12-2019 12:38 AM

Hello All,

I tried to run IPS IDM of my ASA 5545 from the inside interface however its not.....its saying "problem loading sensor"

Also i am able to access IPS from the command line but not through the IDM.

Any help would be highly appreciated.

 

Thanks

Labels:
0 Helpful
13 Replies 13

Philip D'Ath
VIP Alumni
VIP Alumni

‎04-21-2016 01:48 AM

The IPS module uses the management interface on the ASA.  Have you definitely got this plugged in?

0 Helpful

mudasir05
Level 1
Level 1
In response to Philip D'Ath

‎04-21-2016 02:54 AM

Hello Philip,

Actually the case is that i am using my ASDM via the inside interface of the ASA,so i want to access the IPS module using the same interface....my management interface is not connected to anything..

thanks

0 Helpful

Kornelia Gutierrez
Level 1
Level 1
In response to mudasir05

‎04-21-2016 07:25 AM

Hello,

If you want to access the IPS using an ip address on the same range of the inside interface of the ASA, you will need to configure the IPS with an ip address on the inside range and connect the management interface of the ASA to the same switch that the inside interface is connected to, turn on the management interface by issuing the no shutdown command, but do not configure on the management interface nameif, security level and ip address.

Hope this helps...

0 Helpful

mudasir05
Level 1
Level 1
In response to Kornelia Gutierrez

‎04-25-2016 07:47 AM

Hello,

I configured the IPS with the same ip address as on the inside range and connected the management interface to the same switch with no nameif,security level and ip address.,

however i am still not able to connect to the IPS saying

"error connecting to the Sensor..error loading sensor"

Thanks

0 Helpful

mudasir05
Level 1
Level 1
In response to mudasir05

‎04-25-2016 07:55 AM

i can however access the IPS from the command line via ASA using session command. from IPS i cannot next hop which is ASA firewall itself.... ASA_IPS# ping 192.168.5.1 PING 192.168.5.1 (192.168.5.1): 56 data bytes --- 192.168.5.1 ping statistics --- 4 packets transmitted, 0 packets received, 100% packet loss thanks
0 Helpful

Marius Gunnerud
VIP
VIP
In response to mudasir05

‎04-25-2016 08:12 AM

You will always be able to access the IPS from the ASA using session as it is like a console access.  

I think you have forgotten to add the allowed subnet / IP to access the IPS in the configuration.

conf t

service host

network

access-list xxx.xxx.xxx.xxx/yy

replace the x's with the actual IP or subnet you are managing the IPS from and replace the /yy with the subnet mask you are using.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

mudasir05
Level 1
Level 1
In response to Marius Gunnerud

‎04-25-2016 08:49 AM

Hello All,

Do i need to configure this on ASA?
Also let me know use of the Service host command?

Thanks

0 Helpful

Marius Gunnerud
VIP
VIP
In response to mudasir05

‎04-25-2016 08:58 AM

This is done on the IPS .

The service host command is the command to get into the section where you configure management of the IPS, hostname, NTP, etc.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

mudasir05
Level 1
Level 1
In response to Marius Gunnerud

‎04-25-2016 09:54 AM

Hello,

This is already done by me.....i allowed the subnet as well in the access-list.

Still dont know where i am going wrong...

as i told you i am not able to ping next hop from the IPS.

Thanks

0 Helpful

Marius Gunnerud
VIP
VIP
In response to mudasir05

‎04-25-2016 10:17 AM

Could you provide the full configuration of the ASA please.

show configuration

Also, have you placed the switchport the management interface is connected to in the correct VLAN?

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

mudasir05
Level 1
Level 1
In response to Marius Gunnerud

‎04-25-2016 11:45 PM

Hello Marius,

Sorry to say can't post whole config as this is our production firewall...

let me know if you need some specific outputs...

Thanks

0 Helpful

Marius Gunnerud
VIP
VIP
In response to mudasir05

‎05-02-2016 04:51 AM

Can you confirm that you have the management interface connected to the network please.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Marius Gunnerud
VIP
VIP
In response to mudasir05

‎04-21-2016 08:29 AM

As it has been mentioned by other posters, IPS can only be managed via the management interface on the ASA so you MUST connect the management interface to the network, as well as configure the IPS with a management IP.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card