How can I have traffic inspected by SSM-10?

Posted on 2015-02-15
Last Modified: 2015-03-10
Hi,
I have a site-to-site VPN in my network (ASA5510), and I need the traffic to be inspected by the SSM-10 module, which is already installed, as the traffic makes its way to the host 192.168.1.1.
What is the correct virtual sensor configuration, e.g. interface and VLAN, VLAN only, or virtual sensor? And what is the correct ACL in the service policy rule?
Question by:Fuad Bazarah
LVL 65

Expert Comment

by:btan
ID: 40613301
Quick summary, ref: http://www.cisco.com/c/en/us/td/docs/security/ips/6-0/configuration/guide/cli/cliguide/cliSSM.html
1. Create or use an existing ACL.
2. Use the class-map command to define the IPS traffic class.
3. Use the policy-map command to create an IPS policy map by associating the traffic class with one or more actions.
4. Use the service-policy command to create an IPS security policy by associating the policy map with one or more interfaces.

But before the above, it is good to also verify the AIP SSM initialization, then try creating virtual sensors and sending traffic to the AIP SSM as a test. The example in this article (though not for VPN) may also be of help in configuring the ASA and the AIP SSM (IPS): http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/71204-traffic-asa-aip-ssm.html

Author Comment

by:Fuad Bazarah
ID: 40613693
Hi,
I still don't see any packets processed by the IPS. I configured the tracking mode as Virtual sensor.
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 40613786
AIP SSM comes before VPN policy is applied. http://www.cisco.com/c/en/us/td/docs/security/asdm/6_1/user/guide/usergd/ips.html#wp1535290

But to be more specific, make sure the SSM is configured as below.
Follow this sequence to create virtual sensors on the AIP SSM and to assign them to adaptive security device contexts:
1. If you have Cisco Adaptive Security Appliance Software 7.2.3 or later, configure up to four virtual sensors on the AIP SSM.
2. Assign the AIP SSM interface, GigabitEthernet0/1, to one of the virtual sensors.
3. Assign virtual sensors to different contexts on the adaptive security device.
4. Use MPF to direct traffic to the targeted virtual sensor.
http://www.cisco.com/c/en/us/td/docs/security/ips/6-0/configuration/guide/cli/cliguide/cliSSM.html#wp1039124

See these options on how to verify traffic is running through the AIP SSM:
Execute "show conf" on your AIP SSM CLI. Verify that the GigabitEthernet0/1 backplane interface of the SSM has been assigned to virtual sensor vs0.

If it has not, then run "setup"; near the end of the setup wizard there will be an option to edit the interface and virtual sensor configuration. Use this option to modify the configuration for virtual sensor vs0 and in the interface.

You can also run "show stat virtual-sensor vs0" to see the counts of packets being analyzed by vs0.
In addition to what Marco suggested, also use the following command to see packets sent to and received from the module:

show service-policy

Run a test using traffic generators/simulators like Nmap or Nessus.

Alternatively, you may enable ICMP signature 2051/2 and ping through the module; you will see an alert generated for this, thus confirming IPS functionality.
http://www.learnios.com/viewtopic.php?f=7&t=24275
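
The four MPF steps listed in the first comment, applied to the asker's host 192.168.1.1 and followed by the verification commands from the accepted answer. This is an added example, not part of the original thread or of Cisco's documentation. The names IPS_TRAFFIC and IPS_CLASS are hypothetical, and attaching the class to the default global_policy, the "any" source and the inline fail-open mode are assumptions.

```cisco
! --- ASA, configuration mode (constructed example; object names are hypothetical) ---
!
! 1. ACL selecting the traffic to inspect: anything destined to the host.
!    Narrow "any" to the remote VPN subnet if only tunnel traffic should match.
access-list IPS_TRAFFIC extended permit ip any host 192.168.1.1
!
! 2. Traffic class that matches the ACL.
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! 3. Policy map: hand the class to the AIP SSM.
!    inline      = the module sits in the traffic path and can drop packets
!    promiscuous = the module receives a copy of the traffic
!    fail-open   = keep forwarding if the module is unavailable
!    fail-close  = block matching traffic if the module is unavailable
!    An optional "sensor <name>" keyword selects a specific virtual sensor
!    on ASA releases that support it.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
!
! 4. Apply the policy map. global_policy is normally already applied globally,
!    in which case this line is already present in the running configuration.
service-policy global_policy global
!
! --- Verification, using the commands named in the thread ---
!
! On the ASA (exec mode): the IPS entry under the class shows packet counters.
show service-policy
!
! On the AIP SSM CLI: confirm GigabitEthernet0/1 is assigned to vs0,
! then check that the vs0 packet counts increase while test traffic flows.
show conf
show stat virtual-sensor vs0
```

If the ASA counters for the class stay at zero, the ACL or policy attachment is not matching the flow; if they increase but the vs0 counts do not, check the backplane interface assignment on the module.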