Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Cisco ASA IPS (SSM)

Status
Not open for further replies.

CameronG

IS-IT--Management
Feb 20, 2006
8
US
Hi all, we are finally getting around to replacing our old pair of PIX 525s with the new ASA 5520s. The firewall side of the house I have down, but we decided to go ahead and purchase the SSM module as well to provide some basic IPS services, which we didn't have before. I've found some documentation to get me started on the IPS configuration that I think should carry me through here:
What I'm really not clear on; however, is that this SSM module has a gigabit (or maybe FE) ethernet port on it. I'm not sure what this port is intended for and so I don't know what network segment to put it on. Is it just for management? Is it used to actually direct traffic to it for IPS inspection? I haven't been able to find out anything about it at all. Ultimately I'd like to create 3 sensors to watch traffic hitting our LAN, DMZ, and Outside interfaces.

Can someone tell me what the deal with that ethernet interface is and where it should logically exist on my network?

Thanks ahead of time.
 
The interface on the AIP-SSM is just for management.

Traffic is sent to the AIP-SSM via the ASA backplane. That is the only sniffing interface. Depending on how you configure the ASA to send traffic to the AIP-SSM you can use it in in-line or promiscuous mode.

This doc describes sending traffic from the ASA:

I'm pretty sure with a combo of the latest ASA 8.x and IPS 6.x you can do multiple virtual sensors now, like you describe. Also with that latest combination I think you can manage the AIP-SSM within the ASA's ASDM - meaning that you don't even need that management interface if you don't want to use it.

I regret that I haven't worked with any of it in a while, though, so things may have changed from the roadmap I saw. :-(

Matt
 
That's great. Thanks for the information. In any case I just wanted to make sure that interface wasn't needed for the actual detection part of its operations. As long as that isn't the case then the way I've setup the firewall services doesn't have to change.

Thanks a ton!
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top