04-04-2008 02:38 PM - edited 03-10-2019 04:03 AM
I am having a challenging time upgrading the ASA SSM-10 IPS module. I downloaded the IPS-sig-s327-req-e1.pkg to a Win XP FTP server (my workstation). The instructions in the following do not work: http://download-sj.cisco.com/cisco/ciscosecure/ips/6.x/sigup/IPS-sig-S327.readme.txt
"error: execUpgradeSoftware : Connect failed". Any suggestion would be appreciated.
04-04-2008 02:48 PM
My suggestion to you would be this: Use the IDM provided with the system. It is a lot easier for people unfamiliar with the IPS in CLI mode.
You can access this device via a webpage, "https://IPADDRESS", and modify it like this. I do have to point out that the IPS limits this connectivity out of the box. You'll want to modify this access-list to include the IP address you're connecting from. Also, you'll want to ensure the HTTPS Service is enabled, and on port 443 for ease of use. All of this will need to happen initially in the CLI.
Once you're in the IDM you'll want to select "Configuration". From here scroll down to the update section. You'll select "update is located on this client" and you're golden. You can simply upload your latest signature from the XP machine.
04-06-2008 08:07 AM
I can connect the LAN switch directly to the inside interface of the ASA5510 firewall. Hosts can get Internet connectivity while cabled to the switch. However, when the LAN switch is connected to the port on the IPS module, there is no Internet connectivity. Any suggestions would be appreciated. The following is the sh configuration and sh int output.
sh configuration
Version 5.1(6)
! Current configuration last modified Sat Apr 05 12:28:11 2008
! ------------------------------
service interface
exit
! ------------------------------
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 192.168.1.36/24,192.168.1.10
host-name ips
telnet-option enabled
access-list 0.0.0.0/0
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
ips# sh interfaces
Interface Statistics
Total Packets Received = 6806
Total Bytes Received = 2001784
Missed Packet Percentage = 0
Current Bypass Mode = Auto_off
MAC statistics from interface GigabitEthernet0/1
Interface function = Sensing interface
Description =
Media Type = backplane
Missed Packet Percentage = 0
Inline Mode = Unpaired
Pair Status = N/A
Link Status = Up
Link Speed = Auto_1000
Link Duplex = Auto_Full
Total Packets Received = 6807
Total Bytes Received = 2001866
Total Multicast Packets Received = 0
Total Broadcast Packets Received = 0
Total Jumbo Packets Received = 0
Total Undersize Packets Received = 0
Total Receive Errors = 0
Total Receive FIFO Overruns = 0
Total Packets Transmitted = 6807
Total Bytes Transmitted = 2017118
Total Multicast Packets Transmitted = 0
Total Broadcast Packets Transmitted = 0
Total Jumbo Packets Transmitted = 0
Total Undersize Packets Transmitted = 0
Total Transmit Errors = 0
Total Transmit FIFO Overruns = 0
MAC statistics from interface GigabitEthernet0/0
Interface function = Command-control interface
Description =
Media Type = TX
Link Status = Down
Link Speed = N/A
Link Duplex = N/A
Total Packets Received = 126
Total Bytes Received = 14255
Total Multicast Packets Received = 0
Total Receive Errors = 0
Total Receive FIFO Overruns = 0
Total Packets Transmitted = 1
Total Bytes Transmitted = 64
Total Transmit Errors = 0
Total Transmit FIFO Overruns = 0
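The sensor configuration above allows management connections from any address (`access-list 0.0.0.0/0`), and the earlier reply suggests limiting that list to the address you connect from and serving IDM over HTTPS on port 443. The sensor CLI session below is an added example, not part of any post in this thread; the workstation address 192.168.1.50/32 is a constructed placeholder on the sensor's 192.168.1.0/24 management network.

```text
! Added example: restrict sensor management access and enable HTTPS for IDM.
! 192.168.1.50/32 is a constructed placeholder for the admin workstation.
ips# configure terminal
ips(config)# service host
ips(config-hos)# network-settings
! Permit the management workstation first, then remove the allow-all entry.
ips(config-hos-net)# access-list 192.168.1.50/32
ips(config-hos-net)# no access-list 0.0.0.0/0
ips(config-hos-net)# exit
ips(config-hos)# exit
Apply Changes:?[yes]: yes
ips(config)# service web-server
! IDM connects to the sensor's web server over TLS on this port.
ips(config-web)# enable-tls true
ips(config-web)# port 443
ips(config-web)# exit
Apply Changes:?[yes]: yes
ips(config)# exit
! Confirm the new access-list and web-server settings.
ips# show configuration
```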
04-06-2008 07:47 PM
I'm not too sure what you mean by "connected to the port on the IPS." The port on your SSM is merely a management port. It is not anything that would interfere with network connectivity.
Please advise on your cabling. You should still connect up as you would normally. Here is what a config of the ASA should look like:
hostname(config)# access-list IPS permit ip any any
hostname(config)# class-map my-ips-class
hostname(config-cmap)# match access-list IPS
hostname(config-cmap)# policy-map my-ids-policy
hostname(config-pmap)# class my-ips-class
hostname(config-pmap-c)# ips inline fail-open
hostname(config-pmap-c)# service-policy my-ids-policy global ** Or whatever your main service policy is **
I took this directly from the CISCO AIP setup. http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliSSM.html
I hope this is what you were needing. Please let us know if it is not.
04-06-2008 07:48 PM
Also, were you able to update your signature??
04-07-2008 01:21 PM
Yes, thank you.