
Use ASDM to manage IPS SSM-10 on ASA5520

thiago.tomen
Level 1

Hi experts, I'm very new to ASA5520 configuration (I use the ASDM GUI mainly). Here's my problem as clearly as I can explain it:

I can access ASDM for the firewall management via VPN, but I cannot access the IPS tab to manage the SSM-10 module. I always get a message stating: "Error connecting to sensor. Error Loading Sensor".

If I SSH to the ASA, I can do "asa# session 1" to access the SSM, so I know it's there and up.

What I am trying to achieve ultimately is this: administer the whole ASA via a VPN connection coming from the WAN.

The only way I managed to get access to the IPS tab was by having the ASA's management port, the SSM's management port and my PC all connected on the same switch. This won't work in my production environment since it's off-site.

So what I need to know is:

1- How should the network cables be physically connected once in production? Is there a way to manage the IPS with ASDM using the internal backplane, or do I absolutely need to have the IPS's management port connected to some other ASA port via a router? If so, which port (management or another)? My VPN connection will come from the WAN.

2- What IP address should the IPS use if my VPN address pool is 172.16.1.100-199 ?

3- What should be my Management Access Interface? Right now it's the "management" port.

4- Are any specific firewall rules needed to access the IPS?

Hope you can help me. If you need more details, just let me know.

dstj.

-----------------------

Here is my ASA port configuration :

interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/3
 nameif corpo
 security-level 75
 ip address 192.168.30.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!

Here is the IPS current configuration (got via SSH):

service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name sensor
telnet-option disabled
access-list 172.16.1.0/24
access-list 192.168.1.0/24
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
...
service web-server
port 443
exit

8 Replies

Jennifer Halim
Cisco Employee

1 - No, you can't use the backplane of the ASA to manage the IPS. Even if you are managing it through ASDM, essentially ASDM just gives you a link to the IDM from your PC's IP address. You would need to manage the IPS via the management port, which should be connected to your network. Since your ASA Management0/0 is configured with "management-only", you can't use that same subnet to manage the IPS, because the management interface does not pass through traffic but only terminates traffic on that interface for management. If you would like to use the same subnet to manage both the ASA and the IPS, then you would need to disable "management-only" on the ASA Management0/0 interface.

2 - Yes, you would need to allow your VPN pool subnet on the IPS if you would like to manage it via VPN.

3 - On the IPS module, the only way you can manage it is via that port on the module, currently with IP address 192.168.1.2; it can only be managed via that port.

4 - Not really; it's the same as accessing any other host connected to the same subnet.

Hope that helps.
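The answer above put into configuration form, as an added example that is not part of the original thread. Interface names, addresses and the VPN pool are taken from the first post; the split-tunnel ACL and group-policy names (SPLIT_TUNNEL, VPN_GP) are assumed and only matter if the remote-access VPN does not tunnel everything. The sensor block is written in the same format as the thread's "show configuration" output; the first poster's sensor already lists both subnets, so it is shown for completeness.

```cisco
! ---- ASA side ----
! Physically: the module's own management port and the ASA's Management0/0
! sit on the same switch/VLAN. The backplane ("session 1") is a console
! path only; ASDM's IPS tab opens a direct TLS connection from your PC to
! the sensor's management IP.
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
! Without this, the ASA will not route VPN-client traffic out to the sensor.
 no management-only
!
! ASDM itself is reached from the VPN pool; the tunnel terminates on outside.
http server enable
http 172.16.1.0 255.255.255.0 outside
!
! Only needed if the VPN uses split tunnelling: the sensor's subnet must be
! carried inside the tunnel, or the PC will try to reach 192.168.1.2 via
! its local default route. Names below are assumptions, not from the post.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
group-policy VPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! ---- Sensor side (AIP-SSM "service host" block) ----
! host-ip is <address/prefix>,<gateway>: the gateway must be the ASA's
! Management0/0 address so replies to 172.16.1.x go back through the ASA.
! Every subnet an ASDM/IDM client can come from must appear in access-list.
service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name sensor
access-list 192.168.1.0/24
access-list 172.16.1.0/24
exit
exit
```

With the ASA default of sysopt connection permit-vpn left in place, decrypted VPN traffic bypasses the outside interface ACL, so no extra firewall rule is required for the sensor, matching point 4 above; if that default has been turned off, an entry permitting 172.16.1.0/24 to 192.168.1.2 on tcp/443 is needed on the outside ACL.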

hosytan
Level 1

I had the same problem.

My device is Cisco ASA 5520 with AIP SSM-10.

I can use ASDM to manage the ASA 5520 but cannot log in to the IPS (in the IPS or Intrusion Prevention tab). It shows me the error "Error connecting sensor. Error loading sensor".

I tried to reset, reload and unplug/plug the module but it doesn't work.

This is my ASA configuration:

ASA-FW# show run
: Saved
:
ASA Version 8.4(4)1
!
hostname ASA-FW
enable password Uonv5zOz/3IVv5nJ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description Connect to Internet
 nameif outside
 security-level 0
 ip address 10.0.0.4 255.255.255.0
!
interface GigabitEthernet0/1
 description Connect to DMZ
 nameif inside
 security-level 100
 ip address 10.2.2.2 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 nameif DMZ
 security-level 50
 ip address 10.3.3.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description Management
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
access-list OUT-TO-DMZ extended permit tcp any host 10.1.1.2 eq smtp
access-list OUT-TO-DMZ extended permit tcp any host 10.1.1.2 eq www
access-list OUT-TO-DMZ extended permit icmp any any log
access-list OUT-TO-DMZ extended deny ip any any
access-list inside extended permit tcp any any eq pop3
access-list inside extended permit tcp any any eq smtp
access-list inside extended permit tcp any any eq ssh
access-list inside extended permit tcp any any eq telnet
access-list inside extended permit tcp any any eq https
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list acl_outside_in extended permit icmp any host 10.0.0.0
access-list acl_inside_in extended permit ip 10.2.2.0 255.255.255.0 any
access-list acl_dmz_in extended permit icmp 10.3.3.0 255.255.255.0 any
access-list traffic_for_ips extended permit ip any any
pager lines 24
logging enable
logging buffer-size 5000
logging monitor warnings
logging trap warnings
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
access-group acl_outside_in in interface outside
access-group acl_inside_in in interface inside
access-group acl_dmz_in in interface DMZ
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 DMZ
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
   .....
  quit
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username tanhs password fqvYQWcKVO/db.2r encrypted
!
class-map inspection_default
 match default-inspection-traffic
class-map ips_class_map
 match access-list traffic_for_ips
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class ips_class_map
  ips inline fail-open
!
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous
call-home
 contact-email-addr
 profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:74d15883f42aaeee6ac30522fe424aeb
: end
ASA-FW#

This is the SSM configuration:

AIP-SSM# show conf
! ------------------------------
! Current configuration last modified Tue Jun 04 00:34:02 2013
! ------------------------------
! Version 7.0(2)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S480.0   2010-03-24
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
variables DMZ address 10.3.3.0-10.3.3.255
variables IN address 10.2.2.0-10.2.2.255
exit
! ------------------------------
service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name AIP-SSM
telnet-option disabled
access-list 10.0.0.0/8
access-list 10.1.1.0/24
access-list 10.2.2.0/24
access-list 10.3.3.0/24
access-list 172.16.0.0/16
access-list 192.168.1.0/24
login-banner-text VISEC IDS/IPS
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy no-proxy
exit
time-zone-settings
offset 0
standard-time-zone-name CST
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
signatures 2000 0
alert-severity high
engine atomic-ip
event-action produce-alert|produce-verbose-alert
exit
alert-frequency
summary-mode fire-all
summary-key AxBx
exit
exit
status
enabled true
exit
exit
signatures 2004 0
alert-severity high
engine atomic-ip
event-action produce-alert|produce-verbose-alert
exit
alert-frequency
summary-mode fire-all
summary-key AxBx
exit
exit
status
enabled true
exit
exit
signatures 60000 0
alert-severity high
sig-fidelity-rating 75
sig-description
sig-name Telnet Command Authorization Failure
sig-string-info Command authorization failed
sig-comment signature triggers string command authorization failed
exit
engine atomic-ip
specify-l4-protocol yes
l4-protocol tcp
no tcp-flags
no tcp-mask
exit
specify-payload-inspection yes
regex-string Command authorization failed
exit
exit
exit
exit
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
enable-tls true
port 443
server-id Nothing to see here. Move along.
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit
AIP-SSM#

Could anyone help me?

Thanks in advance.

Can you ping the IPS's IP from the ASA?

Do the ACLs on the sensor allow the ASA's network?

Is the module in an "UP" state?

This is my setting:

access-list 192.168.1.0/24

I access the ASA from 192.168.1.1 but I cannot ping the IPS's IP from the ASA:

ASA-FW# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA-FW# ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

This is the IPS state:

ASA-FW# show module
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5520 Adaptive Security Appliance         ASA5520            JMX1645X028
  1 ASA 5500 Series Security Services Module-10  ASA-SSM-10         JAD164401AY

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 d48c.b5c9.7381 to d48c.b5c9.7385  2.0          1.0(11)5     8.4(4)1
  1 30f7.0d3c.5faa to 30f7.0d3c.5faa  1.0          1.0(11)5     7.0(2)E4

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               7.0(2)E4

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable
  1 Up                 Up
ASA-FW#

and...

ASA-FW# show module 1 detail
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-10
Model:              ASA-SSM-10
Hardware version:   1.0
Serial Number:      JAD164401AY
Firmware version:   1.0(11)5
Software version:   7.0(2)E4
MAC Address Range:  30f7.0d3c.5faa to 30f7.0d3c.5faa
App. name:          IPS
App. Status:        Up
App. Status Desc:
App. version:       7.0(2)E4
Data plane Status:  Up
Status:             Up
Mgmt IP addr:       192.168.1.2
Mgmt Network mask:  255.255.255.0
Mgmt Gateway:       192.168.1.1
Mgmt Access List:   10.0.0.0/8
Mgmt Access List:   10.1.1.0/24
Mgmt Access List:   10.2.2.0/24
Mgmt Access List:   10.3.3.0/24
Mgmt Access List:   172.16.0.0/16
Mgmt Access List:   192.168.1.0/24
Mgmt Access List:   192.168.1.1/32
Mgmt web ports:     443
Mgmt TLS enabled:   true
ASA-FW#

Can you show me how to set the ACL on the IPS, or a solution for this?

The problem is with the communication between the units.

Can you ping the ASA from the module?

Can you check the device that connects them and make sure it's properly configured?

Thank you for your quick reply.

I cannot ping the ASA from the IPS.

I checked the module, unplugged and re-plugged it; the LED lights are OK.

Can you tell me something to do next?

I followed this instruction: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml

Can you confirm that the two devices, the module and the ASA [inside interface], are connected to the same switch, assuming it's a switch, and confirm that they are both on the same VLAN?

This is exactly my problem. I didn't connect both the ASA and SSM management ports, but connected only one of them.

Thank you for your advice.
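A check sequence that walks the same questions the thread's responder asked, in the order that isolates the fault fastest. This is an added example, not from the thread; the hostnames and addresses are those from the second poster's outputs, lines starting with "!" are annotations rather than commands, and no output is shown because it depends on the device.

```cisco
! 1. What the ASA believes about the module: status, management IP and the
!    sensor's access-list. "Up" here only proves the backplane is healthy.
ASA-FW# show module 1 detail
!    check: App. Status Up, Data plane Status Up, and a "Mgmt Access List"
!    entry covering the subnet your ASDM client actually uses

! 2. Layer-3 reachability over the external management cable.
!    "?????" with the module Up means the sensor's own port and the ASA's
!    Management0/0 are not on the same switch/VLAN; the backplane is not
!    used for this path, so cabling is the first thing to fix.
ASA-FW# ping management 192.168.1.2

! 3. The backplane console works even when the cable is wrong, so use it
!    to test from the sensor side and to read its network settings.
ASA-FW# session 1
AIP-SSM# ping 192.168.1.1
AIP-SSM# show configuration
!    look under "service host" / "network-settings": host-ip must carry the
!    ASA's management address as gateway, and access-list must list the
!    client subnet (VPN pool or LAN), not only 192.168.1.0/24
AIP-SSM# exit

! 4. Address overlap: the second poster's ASA also hands out DHCP on the
!    management subnet starting at 192.168.1.2, the sensor's static address.
!    Start the pool above the sensor so a client cannot collide with it.
ASA-FW(config)# no dhcpd address 192.168.1.2-192.168.1.254 management
ASA-FW(config)# dhcpd address 192.168.1.10-192.168.1.254 management

! 5. From the ASDM client itself: the IPS tab is a direct TLS connection
!    from the PC to the sensor, independent of the ASDM session to the ASA.
$ ping 192.168.1.2
$ openssl s_client -connect 192.168.1.2:443 </dev/null
!    a completed handshake means the IPS tab will load; a timeout is
!    cabling/routing (or a split tunnel that omits 192.168.1.0/24) or a
!    missing sensor access-list entry for the client's subnet
```

Steps 2 and 3 together separate the two failure classes the thread mixes up: a module that answers on "session 1" but not to a ping over the management subnet is a cabling or VLAN problem, which is what the last post confirms, whereas a module that answers the ping but refuses the TLS connection from the client is a sensor access-list or VPN routing problem, which is what the first answer in the thread addresses.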
