Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Cisco ASA IPS (SSM)

Status
Not open for further replies.
CameronG

CameronG

IS-IT--Management
Feb 20, 2006
8
US
Hi all, we are finally getting around to replacing our old pair of PIX 525s with the new ASA 5520s. The firewall side of the house I have down, but we decided to go ahead and purchase the SSM module as well to provide some basic IPS services, which we didn't have before. I've found some documentation to get me started on the IPS configuration that I think should carry me through here:
What I'm really not clear on; however, is that this SSM module has a gigabit (or maybe FE) ethernet port on it. I'm not sure what this port is intended for and so I don't know what network segment to put it on. Is it just for management? Is it used to actually direct traffic to it for IPS inspection? I haven't been able to find out anything about it at all. Ultimately I'd like to create 3 sensors to watch traffic hitting our LAN, DMZ, and Outside interfaces.

Can someone tell me what the deal with that ethernet interface is and where it should logically exist on my network?

Thanks ahead of time.
 
Sort by date Sort by votes
The interface on the AIP-SSM is just for management.

Traffic is sent to the AIP-SSM via the ASA backplane. That is the only sniffing interface. Depending on how you configure the ASA to send traffic to the AIP-SSM you can use it in in-line or promiscuous mode.

This doc describes sending traffic from the ASA:

I'm pretty sure with a combo of the latest ASA 8.x and IPS 6.x you can do multiple virtual sensors now, like you describe. Also with that latest combination I think you can manage the AIP-SSM within the ASA's ASDM - meaning that you don't even need that management interface if you don't want to use it.

I regret that I haven't worked with any of it in a while, though, so things may have changed from the roadmap I saw. :-(

Matt
 
Upvote 0 Downvote
That's great. Thanks for the information. In any case I just wanted to make sure that interface wasn't needed for the actual detection part of its operations. As long as that isn't the case then the way I've setup the firewall services doesn't have to change.

Thanks a ton!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
299
intel233
intel233
intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
329
intel233
intel233
AllenH12
  • Locked
  • Question
Bandwidth in Cisco ASA 5505
Replies
2
Views
204
AllenH12
AllenH12
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
88
WhosYourDiffie
WhosYourDiffie
PauS0n
  • Locked
  • Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
90
PauS0n
PauS0n

Part and Inventory Search

Sponsor

Back
Top