Question

Use ASDM to manage IPS SSM-10 on ASA5510

Asked by: dstj

Hi experts, I'm very new to ASA5510 configuration (I use ASDM GUI mainly). Here's my problem as clearly as I can explain it:

I can access ASDM for the firewall management via VPN, but I cannot access the IPS tab to manage the SSM-10 module. I always get a message stating: "Error connecting to sensor. Error Loading Sensor".

If I SSH to the ASA, I can do "asa# session 1" to access the SSM, so I know it's there and up.

What I am trying to achieve ultimately is this: administrate the whole ASA via a VPN connection coming from the WAN.

The only way I managed to get access to the IPS tab was by having the ASA's management port, the SSM's management port and my PC all connected on the same switch. This won't work in my production environment since it's off-site.

So what I need to know is:
1- How should the network cables be physically connected once in production? Is there a way to manage the IPS with ASDM using the internal backplane or do I absolutely need to have the IPS's management port connected to some other ASA's port via a router? If so, which port (management or another)? My VPN connection will come from the WAN.

2- What IP address should the IPS use if my VPN address pool is 172.16.1.100-199?

3- What should be my Management Access Interface? Right now it's the "management" port.

4- Any specific firewall rules needed to access the IPS?

Hope you can help me. If you need more details, just let me know.

dstj.
-----------------------
Here is my ASA port configuration :

interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/3
 nameif corpo
 security-level 75
 ip address 192.168.30.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!

Here is the IPS current configuration (got via SSH):

service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name sensor
telnet-option disabled
access-list 172.16.1.0/24
access-list 192.168.1.0/24
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
...
service web-server
port 443
exit

This Question has been solved and asker verified.

Asked On: 2009-10-19 at 07:40:34 (ID 24823708)
Tags: Cisco ASA5510, ASDM, SSM-10, IPS
Topics: Cisco PIX Firewall, Networking Hardware Firewalls, Intrusion Detection Systems (IDS)
Participating Experts: 1
Points: 0
Comments: 5


Answers

 

by: rsivanandan, posted on 2009-10-19 at 21:13:29, ID: 25611023

 

by: dstj, posted on 2009-10-20 at 07:43:33, ID: 25614673

Hi, thanks for the reply.

I issued a "reboot" on IPS over SSH, but the problem remained.

I dug around a little and issued the following commands via SSH :
asa# configure terminal
asa (config)# interface management 0/0
asa (config-if)# no management-only

Now when the ASA's management port and the IPS' management port are both plugged into a switch, I have access to the IPS tab. But, my first question remains: do I absolutely need to connect the two management interfaces via a switch? This seems like a waste of a good switch. Can't I do it over the internal backplane?

If not, I'll try a cross-over cable to see if that works...

dstj.

 

by: rsivanandan, posted on 2009-10-20 at 08:00:11, ID: 25614848

http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/ssc_setup.html

Can you check the above to see if you have the prerequisite done?

I agree, wasting a port is not required.

Cheers,
rsivanandan

 

by: dstj, posted on 2009-10-20 at 08:07:48, ID: 25614948

Update:
The cross-over cable worked. So I'll go with that.

 

by: dstj, posted on 2009-10-20 at 08:18:59, ID: 25615070

(I had not seen your reply prior to my last update.)

Thanks, but I had already seen and read that link; the following parts were confusing to me (emphasis mine):

Routing Considerations for Accessing the Management Interface  
To make sure ASDM can manage the SSC, be sure that the security appliance can access the module management interface address.  

Be sure to configure an IP address for the security appliance VLAN that you are also using for the SSC management interface, and assign that VLAN to a switch port so that the SSC interface is physically connected to the network. The SSC management interface will then be on a directly-connected network for the security appliance, so ASDM can access the management interface without any additional routing configuration.

Also, the following option is not available on my ASDM (see attached image):
If you are configuring the SSC for the first time, in the ASDM main window, choose Configuration > Device Setup > SSC Setup.

I don't know why it's not there, but it's not...

For the sake of completeness, my software versions are:
ASDM 6.2(1)
ASA Version 8.2(1)

Thanks for your assistance, but I think I got the issue resolved...
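
The conditions raised in this thread (the sensor's access-list, the sensor sitting on a network directly connected to the ASA, and the `management-only` flag the asker removed) can be checked against the posted configuration. The Python sketch below is an added example, not part of the original thread or any Cisco tooling; its function names are hypothetical, and it assumes a simplified model that looks only at addressing and the `management-only` flag, not at ACLs, NAT, VPN policy or cabling.

```python
import ipaddress
import re

# Excerpts of the configuration posted in the question.
ASA_CONFIG = """\
interface Management0/0
 nameif management
 ip address 192.168.1.1 255.255.255.0
 management-only
!
"""
IPS_CONFIG = """\
host-ip 192.168.1.2/24,192.168.1.1
access-list 172.16.1.0/24
access-list 192.168.1.0/24
"""

def parse_asa(text):
    """Return {nameif: (network, management_only)}; DHCP interfaces are skipped."""
    out = {}
    for block in text.split("!"):
        name = re.search(r"^\s*nameif (\S+)", block, re.M)
        addr = re.search(r"^\s*ip address (\d\S+) (\d\S+)", block, re.M)
        if name and addr:
            net = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}").network
            flag = bool(re.search(r"^\s*management-only\s*$", block, re.M))
            out[name.group(1)] = (net, flag)
    return out

def parse_ips(text):
    """Return (sensor address, permitted management networks) from 'service host'."""
    host = re.search(r"host-ip (\S+),\S+", text).group(1)
    acl = [ipaddress.ip_network(n) for n in re.findall(r"access-list (\S+)", text)]
    return ipaddress.ip_interface(host).ip, acl

def audit(asa_text, ips_text, client):
    """List reasons a management client cannot reach the sensor through the ASA."""
    client = ipaddress.ip_address(client)
    sensor, acl = parse_ips(ips_text)
    findings = []
    if not any(client in net for net in acl):
        findings.append(f"sensor access-list does not permit {client}")
    local = {n: v for n, v in parse_asa(asa_text).items() if sensor in v[0]}
    if not local:
        findings.append(f"{sensor} is not directly connected to the ASA")
    for name, (net, mgmt_only) in local.items():
        if mgmt_only and client not in net:
            findings.append(f"{name} is management-only: no through traffic to {sensor}")
    return findings
```

Calling `audit(ASA_CONFIG, IPS_CONFIG, "172.16.1.100")` with the first address of the asker's VPN pool reports the `management-only` interface as the blocker, while a client on 192.168.1.0/24 reports nothing, matching what the asker observed.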
