07-07-2011 01:57 AM - edited 03-10-2019 05:24 AM
Hi experts, I'm very new to ASA5520 configuration (I use the ASDM GUI mainly). Here's my problem as clearly as I can explain it:
I can access ASDM for the firewall management via VPN, but I cannot access the IPS tab to manage the SSM-10 module. I always get a message stating: "Error connecting to sensor. Error Loading Sensor".
If I SSH to the ASA, I can do "asa# session 1" to access the SSM, so I know it's there and up.
What I am trying to achieve ultimately is this: administrate the whole ASA via a VPN connection coming from the WAN.
The only way I managed to get access to the IPS tab was by having the ASA's management port, the SSM's management port and my PC all connected on the same switch. This won't work in my production environment since it's off-site.
So what I need to know is:
1- How should the network cables be physically connected once in production? Is there a way to manage the IPS with ASDM using the internal backplane, or do I absolutely need to have the IPS's management port connected to some other ASA port via a router? If so, which port (management or another)? My VPN connection will come from the WAN.
2- What IP address should the IPS use if my VPN address pool is 172.16.1.100-199 ?
3- What should be my Management Access Interface? Right now it's the "management" port.
4- Any specific firewall rules need to access the IPS?
Hope you can help me. If you need more details, just let me know.
dstj.
-----------------------
Here is my ASA port configuration:
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/3
nameif corpo
security-level 75
ip address 192.168.30.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
Here is the IPS current configuration (obtained via SSH):
service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name sensor
telnet-option disabled
access-list 172.16.1.0/24
access-list 192.168.1.0/24
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
...
service web-server
port 443
exit
07-07-2011 03:54 AM
1 - No, you can't use the backplane of the ASA to manage the IPS. Even if you are managing it through ASDM, essentially ASDM just gives you a link to the IDM from your PC's IP address. You would need to manage the IPS via the management port, which should be connected to your network. Since your ASA Management0/0 is configured with "management-only", you can't use that same subnet to manage the IPS, because the management interface does not pass through traffic but only terminates traffic on that interface for management. If you would like to use the same subnet to manage both the ASA and the IPS, then you would need to disable "management-only" on the ASA Management0/0 interface.
2 - Yes, you would need to allow your VPN pool subnet on the IPS if you would like to manage it via VPN.
3 - On the IPS module, the only way you can manage it is via that port on the module, currently with IP address 192.168.1.2, and it can only be managed via that port.
4 - Not really, the same way as you access any other hosts connected to the same subnet.
Hope that helps.
06-04-2013 02:35 AM
I had the same problem.
My device is Cisco ASA 5520 with AIP SSM-10.
I can use ASDM to manage the ASA 5520 but cannot log in to the IPS (in the IPS or Intrusion Prevention tab). It shows me the error "Error connecting sensor. Error loading sensor".
I tried to reset, reload and unplug/plug the module but it doesn't work.
This is my ASA configuration:
ASA-FW# show run
: Saved
:
ASA Version 8.4(4)1
!
hostname ASA-FW
enable password Uonv5zOz/3IVv5nJ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description Connect to Internet
nameif outside
security-level 0
ip address 10.0.0.4 255.255.255.0
!
interface GigabitEthernet0/1
description Connect to DMZ
nameif inside
security-level 100
ip address 10.2.2.2 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
nameif DMZ
security-level 50
ip address 10.3.3.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description Management
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
access-list OUT-TO-DMZ extended permit tcp any host 10.1.1.2 eq smtp
access-list OUT-TO-DMZ extended permit tcp any host 10.1.1.2 eq www
access-list OUT-TO-DMZ extended permit icmp any any log
access-list OUT-TO-DMZ extended deny ip any any
access-list inside extended permit tcp any any eq pop3
access-list inside extended permit tcp any any eq smtp
access-list inside extended permit tcp any any eq ssh
access-list inside extended permit tcp any any eq telnet
access-list inside extended permit tcp any any eq https
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list acl_outside_in extended permit icmp any host 10.0.0.0
access-list acl_inside_in extended permit ip 10.2.2.0 255.255.255.0 any
access-list acl_dmz_in extended permit icmp 10.3.3.0 255.255.255.0 any
access-list traffic_for_ips extended permit ip any any
pager lines 24
logging enable
logging buffer-size 5000
logging monitor warnings
logging trap warnings
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
access-group acl_outside_in in interface outside
access-group acl_inside_in in interface inside
access-group acl_dmz_in in interface DMZ
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 DMZ
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
.....
quit
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username tanhs password fqvYQWcKVO/db.2r encrypted
!
class-map inspection_default
match default-inspection-traffic
class-map ips_class_map
match access-list traffic_for_ips
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class ips_class_map
ips inline fail-open
!
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous
call-home
contact-email-addr
profile CiscoTAC-1
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:74d15883f42aaeee6ac30522fe424aeb
: end
ASA-FW#
This is the SSM configuration:
AIP-SSM# show conf
! ------------------------------
! Current configuration last modified Tue Jun 04 00:34:02 2013
! ------------------------------
! Version 7.0(2)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S480.0 2010-03-24
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
variables DMZ address 10.3.3.0-10.3.3.255
variables IN address 10.2.2.0-10.2.2.255
exit
! ------------------------------
service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name AIP-SSM
telnet-option disabled
access-list 10.0.0.0/8
access-list 10.1.1.0/24
access-list 10.2.2.0/24
access-list 10.3.3.0/24
access-list 172.16.0.0/16
access-list 192.168.1.0/24
login-banner-text VISEC IDS/IPS
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy no-proxy
exit
time-zone-settings
offset 0
standard-time-zone-name CST
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
signatures 2000 0
alert-severity high
engine atomic-ip
event-action produce-alert|produce-verbose-alert
exit
alert-frequency
summary-mode fire-all
summary-key AxBx
exit
exit
status
enabled true
exit
exit
signatures 2004 0
alert-severity high
engine atomic-ip
event-action produce-alert|produce-verbose-alert
exit
alert-frequency
summary-mode fire-all
summary-key AxBx
exit
exit
status
enabled true
exit
exit
signatures 60000 0
alert-severity high
sig-fidelity-rating 75
sig-description
sig-name Telnet Command Authorization Failure
sig-string-info Command authorization failed
sig-comment signature triggers string command authorization failed
exit
engine atomic-ip
specify-l4-protocol yes
l4-protocol tcp
no tcp-flags
no tcp-mask
exit
specify-payload-inspection yes
regex-string Command authorization failed
exit
exit
exit
exit
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
enable-tls true
port 443
server-id Nothing to see here. Move along.
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit
AIP-SSM#
Could anyone help me?
Thanks in advance.
06-04-2013 12:11 PM
Can you ping the IPS's IP from the ASA?
Do the ACLs on the sensor allow the ASA's network?
Is the module in an "UP" state?
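As an added example (not code from either poster), this script does the check the first answer and the reply above call for: it parses the sensor's `service host` block, tests whether a given management client (for example a VPN-pool address) is permitted by the sensor's access-list, notes whether that client must come in through the sensor's gateway, and flags unusually broad ACL entries. The sample config is constructed from the thread, and the `max_acl_prefix` threshold is an assumed policy value.

```python
import ipaddress
import re

# Constructed sample: the sensor's "service host" block as shown in the thread,
# with the VPN pool subnet (172.16.1.0/24) and the management subnet permitted.
SENSOR_CONFIG = """\
service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name sensor
telnet-option disabled
access-list 172.16.1.0/24
access-list 192.168.1.0/24
exit
exit
"""

def parse_network_settings(config):
    """Pull the sensor's management address, default gateway and management
    ACL out of an IPS 'service host' / 'show configuration' dump."""
    settings = {"host": None, "gateway": None, "acl": []}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"host-ip\s+([^,\s]+),(\S+)$", line)
        if m:
            settings["host"] = ipaddress.ip_interface(m.group(1))
            settings["gateway"] = ipaddress.ip_address(m.group(2))
            continue
        m = re.match(r"access-list\s+(\S+)$", line)
        if m:
            settings["acl"].append(ipaddress.ip_network(m.group(1), strict=False))
    return settings

def check_management_client(config, client_ip, max_acl_prefix=16):
    """Report whether an ASDM/IDM client address is accepted by the sensor's
    management ACL, whether it is off the sensor's subnet (so it can only be
    reached through the gateway), and which ACL entries are broader than the
    assumed policy threshold (prefix shorter than max_acl_prefix)."""
    s = parse_network_settings(config)
    client = ipaddress.ip_address(client_ip)
    matched = [n for n in s["acl"] if client in n]
    return {
        "allowed": bool(matched),
        "matched": [str(n) for n in matched],
        "via_gateway": client not in s["host"].network,
        "gateway": str(s["gateway"]),
        "too_broad": [str(n) for n in s["acl"] if n.prefixlen < max_acl_prefix],
    }

if __name__ == "__main__":
    for ip in ("172.16.1.150", "192.168.1.50", "10.2.2.9"):
        print(ip, check_management_client(SENSOR_CONFIG, ip))
```

A VPN-pool client is allowed but arrives via the gateway 192.168.1.1, so that gateway must actually route toward the VPN pool; an entry such as a /8 would be reported as too broad.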
06-04-2013 06:09 PM
This is my setting:
access-list 192.168.1.0/24
I access the ASA from 192.168.1.1 but I cannot ping the IPS's IP from the ASA:
ASA-FW# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA-FW# ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
This is the IPS state:
ASA-FW# show module
Mod  Card Type                                    Model              Serial No.
---  -------------------------------------------- ------------------ -----------
  0  ASA 5520 Adaptive Security Appliance         ASA5520            JMX1645X028
  1  ASA 5500 Series Security Services Module-10  ASA-SSM-10         JAD164401AY

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---  --------------------------------- ------------ ------------ ---------------
  0  d48c.b5c9.7381 to d48c.b5c9.7385  2.0          1.0(11)5     8.4(4)1
  1  30f7.0d3c.5faa to 30f7.0d3c.5faa  1.0          1.0(11)5     7.0(2)E4

Mod  SSM Application Name           Status           SSM Application Version
---  ------------------------------ ---------------- --------------------------
  1  IPS                            Up               7.0(2)E4

Mod  Status             Data Plane Status     Compatibility
---  ------------------ --------------------- -------------
  0  Up Sys             Not Applicable
  1  Up                 Up
ASA-FW#
and...
ASA-FW# show module 1 detail
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-10
Model: ASA-SSM-10
Hardware version: 1.0
Serial Number: JAD164401AY
Firmware version: 1.0(11)5
Software version: 7.0(2)E4
MAC Address Range: 30f7.0d3c.5faa to 30f7.0d3c.5faa
App. name: IPS
App. Status: Up
App. Status Desc:
App. version: 7.0(2)E4
Data plane Status: Up
Status: Up
Mgmt IP addr: 192.168.1.2
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 192.168.1.1
Mgmt Access List: 10.0.0.0/8
Mgmt Access List: 10.1.1.0/24
Mgmt Access List: 10.2.2.0/24
Mgmt Access List: 10.3.3.0/24
Mgmt Access List: 172.16.0.0/16
Mgmt Access List: 192.168.1.0/24
Mgmt Access List: 192.168.1.1/32
Mgmt web ports: 443
Mgmt TLS enabled: true
ASA-FW#
Can you show me how to set ACL on IPS or solution for this?
06-04-2013 06:15 PM
The problem is with the communication between the units.
Can you ping the ASA from the module?
Can you check the device that connects them and make sure it's properly configured?
06-04-2013 06:26 PM
Thank you for your quick reply.
I cannot ping the ASA from the IPS.
I checked the module, unplugged and re-plugged it, and the LED lights are OK.
Can you tell me something to do next?
I followed these instructions: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
06-04-2013 07:29 PM
Can you confirm that the two devices, the module and the ASA [inside interface], are connected to the same switch, assuming it's a switch, and confirm that they are both on the same VLAN?
06-04-2013 08:52 PM
This is exactly my problem. I didn't connect both the ASA and SSM management ports, but connected only one of them.
Thank you for your advice.