How can I have traffic inspected by the SSM-10?

Hi,
I have a site-to-site VPN in my network (ASA 5510), and I need the traffic to be inspected by the SSM-10 module, which is already installed, as the traffic makes its way to the host 192.168.1.1.
What is the correct virtual sensor configuration, e.g. interface and VLAN, VLAN only, or virtual sensor? And what is the correct ACL in the service policy rule?
Asked by: Fuad Bazarah

1 Solution
btan (Exec Consultant) commented:
Quick summary, ref. http://www.cisco.com/c/en/us/td/docs/security/ips/6-0/configuration/guide/cli/cliguide/cliSSM.html
1. Create or use an existing ACL.
2. Use the class-map command to define the IPS traffic class.
3. Use the policy-map command to create an IPS policy map by associating the traffic class with one or more actions.
4. Use the service-policy command to create an IPS security policy by associating the policy map with one or more interfaces.

But before the above, it is also good to verify the AIP SSM initialization, then try creating virtual sensors and sending traffic to the AIP SSM as a test. You can also see this example (though not with VPN) from this article, which may help to configure the ASA and the AIP SSM (IPS): http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/71204-traffic-asa-aip-ssm.html
Fuad Bazarah (Author) commented:
Hi,
I still don't see any packets processed by the IPS. I configured the tracking mode as Virtual sensor.
btan (Exec Consultant) commented:
The AIP SSM comes before the VPN policy is applied. http://www.cisco.com/c/en/us/td/docs/security/asdm/6_1/user/guide/usergd/ips.html#wp1535290

But to be more specific, make sure the SSM is configured as below.
Follow this sequence to create virtual sensors on the AIP SSM and assign them to adaptive security device contexts:
1. If you have Cisco Adaptive Security Appliance Software 7.2.3 or later, configure up to four virtual sensors on the AIP SSM.
2. Assign the AIP SSM interface, GigabitEthernet0/1, to one of the virtual sensors.
3. Assign virtual sensors to different contexts on the adaptive security device.
4. Use MPF to direct traffic to the targeted virtual sensor.
http://www.cisco.com/c/en/us/td/docs/security/ips/6-0/configuration/guide/cli/cliguide/cliSSM.html#wp1039124

See these options on how to verify traffic is running through the AIP SSM:
Execute "show conf" on your AIP SSM CLI. Verify that the GigabitEthernet0/1 backplane interface of the SSM has been assigned to virtual sensor vs0.

If it has not, then run "setup"; near the end of the setup wizard there will be an option to edit the interface and virtual sensor configuration. Use this option to modify the configuration for virtual sensor vs0 and the interface.

You can also run "show stat virtual-sensor vs0" to see the counts of packets being analyzed by vs0.
In addition to what marco suggested, also use the following command to see packets sent to and received by the module:

show service-policy
Run a test using traffic-gen simulators like Nmap or Nessus.

Alternatively, you may enable ICMP signature 2051/2 and ping through the module; you will see an alert generated for this, thus confirming IPS functionality.
http://www.learnios.com/viewtopic.php?f=7&t=24275
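
The four MPF steps listed in the first answer, and the "use MPF to direct traffic to the targeted virtual sensor" step plus the verification commands in the second, worked through end to end as an added example; this is not configuration from the thread or from Cisco's documentation. It assumes ASA 8.x CLI syntax, that the module sits in slot 1, that the SSM's default virtual sensor vs0 owns the GigabitEthernet0/1 backplane interface (which the answer above says to verify with "show conf"), and that the ASA's existing global_policy is reused. The ACL name IPS_TRAFFIC and class name IPS_CLASS are made-up names; 192.168.1.1 is the host from the question.

```cisco
! Added example, not the thread's own configuration. IPS_TRAFFIC and
! IPS_CLASS are assumed names; 192.168.1.1 is the host from the question.
!
! Step 1: ACL for the traffic to inspect. Match the inner (cleartext)
! addresses of the site-to-site tunnel, not the VPN peer's public address:
! the ASA hands a packet to the SSM after decryption on ingress and before
! encryption on egress, so the module only ever sees decrypted traffic.
access-list IPS_TRAFFIC extended permit ip any host 192.168.1.1
access-list IPS_TRAFFIC extended permit ip host 192.168.1.1 any
!
! Step 2: class-map that selects the ACL's traffic.
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! Step 3: add the class to the policy map. The ASA allows only one global
! service-policy, so extend the existing global_policy instead of creating
! a second one. "sensor vs0" requires the multi-sensor support the answer
! above mentions (ASA 7.2(3) or later); omit it on older code and the
! module's default sensor is used.
! inline     = the SSM can drop packets, not just alert.
! fail-open  = traffic passes UNINSPECTED while the module is down or
!              reloading; use fail-close if that is not acceptable for
!              traffic to this host.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open sensor vs0
!
! Step 4: apply the policy. On a default configuration global_policy is
! already applied globally and this line is a no-op; it is shown for
! completeness.
service-policy global_policy global
!
! Verification on the ASA:
!   show module 1 details   -> module state Up and its IPS software version
!   show service-policy     -> "IPS: card status Up, mode inline fail-open,
!                               sensor vs0, packet input N, packet output N"
! Verification on the SSM (from the ASA: "session 1", then on the IPS CLI):
!   show configuration      -> GigabitEthernet0/1 listed under
!                               "service analysis-engine ... virtual-sensor vs0"
!   show statistics virtual-sensor   -> per-sensor analysed-packet counters
```

If the "packet input" counter in show service-policy stays at zero after pinging 192.168.1.1 across the tunnel, the redirect is not matching: recheck that the ACL names the decrypted inner addresses and that IPS_CLASS is in the policy that actually governs the interface (an interface-level service-policy overrides the global one for the IPS feature on that interface). If the ASA counters climb but the sensor's counters do not, the problem is on the module side, which is what the "show conf" / setup check in the answer above covers.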