Solved

How can I have traffic to be inspected by SSM-10

Posted on 2015-02-15
3
93 Views
Last Modified: 2015-03-10
Hi,
I have site-to-site vpn in my network (ASA5510), and I need the traffic to be inspected by ssm-10 module which is already installed, as the traffic  make its way to the host 192.168.1.1.
What is the correct virtual sensor configuration e.g, interface and vlan, vlan only or virtual sensor. And what is the correct ACL is the service policy rule.
0
Comment
Question by:Fuad Bazarah
  • 2
3 Comments
 
LVL 63

Expert Comment

by:btan
ID: 40613301
Quick summary ref http://www.cisco.com/c/en/us/td/docs/security/ips/6-0/configuration/guide/cli/cliguide/cliSSM.html
1. Create or use an existing ACL.
2. Use the class-map command to define the IPS traffic class.
3. Use the policy-map command to create an IPS policy map by associating the traffic class with one or more actions.
4. Use the service-policy command to create an IPS security policy by associating the policy map with one or more interfaces.

But before the above, it is good to also verify the AIP SSM Initialization, start to try on create Virtual Sensors and sending Traffic to the AIP SSM for a test. You can also see this example (though not in VPN) from this article may be of help to configure the ASA and the AIP SSM (IPS) http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/71204-traffic-asa-aip-ssm.html
0
 

Author Comment

by:Fuad Bazarah
ID: 40613693
HI ,
I still don't see any packets processed by the IPS, I configured the tracking mode as Virtual sensor.
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40613786
AIP SSM comes before VPN policy is applied. http://www.cisco.com/c/en/us/td/docs/security/asdm/6_1/user/guide/usergd/ips.html#wp1535290

But to be more specific to make sure SSM is configured in accordance as below
Follow this sequence to create virtual sensors on the AIP SSM and to assign them to adaptive security device contexts:
1. If you have Cisco Adaptive Security Appliance Software 7.2.3 or later, configure up to four virtual sensors on the AIP SSM.
2. Assign the AIP SSM interface, GigabitEthernet0/1, to one of the virtual sensors.
3. Assign virtual sensors to different contexts on the adaptive security device.
4. Use MPF to direct traffic to the targeted virtual sensor.
http://www.cisco.com/c/en/us/td/docs/security/ips/6-0/configuration/guide/cli/cliguide/cliSSM.html#wp1039124

See these options on how to verify traffic is running through AIP SSM
Execute "show conf" on your AIP SSM CLI.  Verify that the GigabitEthernet0/1 backplane interface of the SSM has been assigned to virtual sensor vs0.

If it has not, then run "setup" and near the end of the setup wizard there will be an option to edit the interface and virtual sensor configuration.  Use this option to modify the configuration for virtual sensor vs0 and in the interface.

You can also run "show stat virtual-sensor vs0" to see the counts of packets being analyzed by vs0.
In addition to what marco suggested also use the following command to see packet sent and received to the MODULE

show service-policy
run a test using traffic gen. simulators like Nmap or nesus

Alternatively you may either enable icmp signature 2051/2 and ping through the module, you will see alert generating for this thus confirming IPS functionality
http://www.learnios.com/viewtopic.php?f=7&t=24275
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

By default, Carbonite Server Backup manages your encryption key for you using Advanced Encryption Standard (AES) 128-bit encryption. If you choose to manage your private encryption key, your backups will be encrypted using AES 256-bit encryption.
In 2017, ransomware will become so virulent and widespread that if you aren’t a victim yourself, you will know someone who is.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question