Solved

How can I have traffic to be inspected by SSM-10

Posted on 2015-02-15
3
71 Views
Last Modified: 2015-03-10
Hi,
I have site-to-site vpn in my network (ASA5510), and I need the traffic to be inspected by ssm-10 module which is already installed, as the traffic  make its way to the host 192.168.1.1.
What is the correct virtual sensor configuration e.g, interface and vlan, vlan only or virtual sensor. And what is the correct ACL is the service policy rule.
0
Comment
Question by:Fuad Bazarah
  • 2
3 Comments
 
LVL 61

Expert Comment

by:btan
ID: 40613301
Quick summary ref http://www.cisco.com/c/en/us/td/docs/security/ips/6-0/configuration/guide/cli/cliguide/cliSSM.html
1. Create or use an existing ACL.
2. Use the class-map command to define the IPS traffic class.
3. Use the policy-map command to create an IPS policy map by associating the traffic class with one or more actions.
4. Use the service-policy command to create an IPS security policy by associating the policy map with one or more interfaces.

But before the above, it is good to also verify the AIP SSM Initialization, start to try on create Virtual Sensors and sending Traffic to the AIP SSM for a test. You can also see this example (though not in VPN) from this article may be of help to configure the ASA and the AIP SSM (IPS) http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/71204-traffic-asa-aip-ssm.html
0
 

Author Comment

by:Fuad Bazarah
ID: 40613693
HI ,
I still don't see any packets processed by the IPS, I configured the tracking mode as Virtual sensor.
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 40613786
AIP SSM comes before VPN policy is applied. http://www.cisco.com/c/en/us/td/docs/security/asdm/6_1/user/guide/usergd/ips.html#wp1535290

But to be more specific to make sure SSM is configured in accordance as below
Follow this sequence to create virtual sensors on the AIP SSM and to assign them to adaptive security device contexts:
1. If you have Cisco Adaptive Security Appliance Software 7.2.3 or later, configure up to four virtual sensors on the AIP SSM.
2. Assign the AIP SSM interface, GigabitEthernet0/1, to one of the virtual sensors.
3. Assign virtual sensors to different contexts on the adaptive security device.
4. Use MPF to direct traffic to the targeted virtual sensor.
http://www.cisco.com/c/en/us/td/docs/security/ips/6-0/configuration/guide/cli/cliguide/cliSSM.html#wp1039124

See these options on how to verify traffic is running through AIP SSM
Execute "show conf" on your AIP SSM CLI.  Verify that the GigabitEthernet0/1 backplane interface of the SSM has been assigned to virtual sensor vs0.

If it has not, then run "setup" and near the end of the setup wizard there will be an option to edit the interface and virtual sensor configuration.  Use this option to modify the configuration for virtual sensor vs0 and in the interface.

You can also run "show stat virtual-sensor vs0" to see the counts of packets being analyzed by vs0.
In addition to what marco suggested also use the following command to see packet sent and received to the MODULE

show service-policy
run a test using traffic gen. simulators like Nmap or nesus

Alternatively you may either enable icmp signature 2051/2 and ping through the module, you will see alert generating for this thus confirming IPS functionality
http://www.learnios.com/viewtopic.php?f=7&t=24275
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Explore the encryption capabilities built into Google Apps and how these features can help you meet privacy policy and regulatory compliance, but are not a full solution. Understand and compare the most popular email encryption services for Google A…
When the confidentiality and security of your data is a must, trust the highly encrypted cloud fax portfolio used by 12 million businesses worldwide, including nearly half of the Fortune 500.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now