Cisco ASA 5500 Series Configuration Guide using ASDM, 6.3
Managing SSCs and SSMs

Managing Services Modules


This chapter describes how to manage the following module types:

Security Services Cards (SSCs)

Security Services Modules (SSMs)

Security Services Processors (SSPs)

Modules run advanced security applications, such as IPS and Content Security and Control. See the Cisco ASA 5500 Series Hardware and Software Compatibility for a list of supported modules and ASA models:

http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html


Note For information about the 4GE SSM, which is an interface module and does not run intelligent software, see Chapter 8 "Configuring Interfaces."

The core SSP for the ASA 5585-X runs ASA software, and is not covered in this chapter.


This chapter includes the following sections:

Information About Modules

Guidelines and Limitations

Default Settings

Configuring the SSC Management Interface

Where to Go Next

Feature History for Modules

Information About Modules

This section includes the following topics:

Supported Applications

Information About Management Access

Supported Applications

The following applications are supported on the SSM:

IPS software (on the AIP SSM)

Content Security and Control software (on the CSC SSM)

The following applications are supported on the SSC:

IPS software (on the AIP SSC)

The following applications are supported on the SSP:

IPS software (on the IPS SSP)


Note You cannot change the software type installed on the module; if you purchase an AIP SSM, you cannot later install CSC software on it.


Information About Management Access

You can manage the module application using ASDM or by using the module application CLI. This section includes the following topics:

Sessioning to the Module

Using ASDM

Using SSH or Telnet

Other Uses for the Module Management Interface

Routing Considerations for Accessing the Management Interface

Sessioning to the Module

If you have CLI access to the adaptive security appliance, then you can session to the module over the backplane and access the module CLI.

Using ASDM

After you launch ASDM on the adaptive security appliance, ASDM connects to the module management interface to configure the module application.

On the SSM—ASDM connects to an external Gigabit Ethernet port. If you cannot use the default address, you can change the interface IP address and other network parameters by sessioning to the module and setting the parameters at the module CLI. See the documentation for the module application for more information.

On the SSC—You can configure a VLAN as a management VLAN to allow access to an internal management IP address over the backplane. To change the network parameters, see the "Configuring the SSC Management Interface" section.

See the "Default Settings" section for information about the default management interface parameters.

Using SSH or Telnet

You can access the module CLI directly using SSH or Telnet to the module management interface. (Telnet access requires additional configuration in the module application). See the "Using ASDM" section for more information about the management interface.

Other Uses for the Module Management Interface

The module management interface can be used for sending syslog messages or allowing updates for the module application, such as signature database updates on the IPS module.

Routing Considerations for Accessing the Management Interface

To make sure ASDM can manage the module, be sure that the adaptive security appliance can access the module management interface address.

For the SSC—Be sure to configure an IP address for the adaptive security appliance VLAN that you are also using for the SSC management interface, and assign that VLAN to a switch port so the SSC interface is physically connected to the network. The SSC management interface will then be on a directly-connected network for the adaptive security appliance, so ASDM can access the management interface without any additional routing configuration.

For the SSM—The external management interface is not considered to be an adaptive security appliance interface, so it is not automatically on a directly-connected network. Depending on how you cable your network, the SSM external interface can be on the same network as an adaptive security appliance interface (through a switch), or you can put it on a different network (through a router).

Guidelines and Limitations

Context Mode Guidelines

See the chapter for each module application for context mode guidelines.

Firewall Mode Guidelines

See the chapter for each module application for firewall mode guidelines.

Failover Guidelines

For the SSC, make sure you configure the management IP addresses on both units to be on the same subnet and VLAN.

Model Guidelines

For model support for each module, see the "Module Support" section.

Additional Guidelines

You cannot change the software type installed on the module; if you purchase an AIP SSM, you cannot later install CSC software on it.

You cannot set up the SSC in ASDM if you use an IP address that goes through NAT.

Default Settings

Table 54-1 lists the default network settings for modules.

Table 54-1 Default Network Parameters

| Parameters | Default |
| --- | --- |
| Management VLAN (SSC only) | VLAN 1 |
| Management IP address | 192.168.1.2/24 |
| Management hosts (SSC only) | 192.168.1.0/24 |
| Gateway | 192.168.1.1 |


Note The default management IP address on the adaptive security appliance is 192.168.1.1/24.


Configuring the SSC Management Interface

An SSC does not have any external interfaces. You can configure a VLAN as a management VLAN to allow access to an internal management IP address over the backplane. By default, VLAN 1 is enabled for the SSC management address. You can only assign one VLAN as the SSC management VLAN. This section describes how to change the management VLAN. It also describes how to change the default management IP address, allowed hosts, and gateway. See the "Default Settings" section for more information about defaults.

Prerequisites

For the VLAN you want to use for the SSC management interface, configure the switch port and VLAN interface on the ASA 5505 according to the procedures listed in Chapter 8 "Configuring Interfaces." This configuration is required so the SSC interface is physically connected to the network.

Restrictions

Do not configure NAT for the management address if you intend to access it using ASDM. For initial setup with ASDM, you need to access the real address. After initial setup (where you set the password in the SSC), you can configure NAT and supply ASDM with the translated address when you want to access the SSC.

Detailed Steps


Step 1 If you are configuring the SSC for the first time, in the ASDM main window, choose Configuration > Device Setup > SSC Setup.


Note If you click the IPS tab before you have configured the SSC, the Stop dialog box appears. Click OK to have ASDM redirect you to the SSC Setup pane. You must define the settings in the SSC Setup pane before you can access any part of the GUI.


Step 2 In the Management Interface area, do the following:

a. Choose the Interface VLAN from the drop-down list.

This setting allows you to manage the SSC using this VLAN.


Note The following settings are written to the SSC application configuration, not the adaptive security appliance configuration.


b. Enter the IP address.

c. Choose the subnet mask from the drop-down list.

d. Enter the default gateway IP address.

If the management station is on a directly-connected adaptive security appliance network, then set the gateway to be the ASA 5505 VLAN interface address. If the management station is on a remote network, then set the gateway to the address of an upstream router on the management VLAN.

Step 3 In the Management Access List area, do the following:


Note The following settings are written to the SSC application configuration, not the adaptive security appliance configuration.


a. Enter the IP address for the host network.

b. Choose the subnet mask from the drop-down list.

c. Click Add to add these settings to the Allowed Hosts/Networks list.


Note After you click Add, make sure you save the management settings you have just defined by clicking Apply. If you decide to remove these settings, continue to the next substep. Otherwise, go to Step 4.


d. To delete these settings, in the ASDM main window, click the IPS tab. Choose Configuration > IPS > Sensor Setup > Allowed Hosts/Networks. Choose the host or network that you want to remove from the list, and click Delete. To add new management settings, you can either click Add in the existing pane or return to the SSC Setup pane by choosing Configuration > Device Setup > SSC Setup.

Step 4 In the IPS Password area, do the following:


Note The following settings are written to the SSC application configuration, not the adaptive security appliance configuration.


a. Enter the password. The default password is "cisco."

b. Enter the new password, and confirm the change.

Step 5 Click Apply to save the settings to the running configuration.

The SSC Setup completed dialog box appears only after the initial configuration.

Step 6 To complete the SSC application configuration and have ASDM go directly to the Configuration > IPS > Sensor Setup > Startup Wizard screen, do one of the following:

Click the IPS button in the navigation pane.

Click the Configure the IPS SSC module link.


Note If you want to change the SSC configuration settings at a later date, click the IPS tab.
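The values entered in Steps 2 through 4, together with the NAT restriction and the failover guideline above, can be checked for consistency before they are typed into the SSC Setup pane. The following is an added example, not Cisco code; the plan dictionary layout, the finding names, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

DEFAULT_PASSWORD = "cisco"  # factory default stated in this chapter

def audit_ssc_plan(plan):
    """Return finding codes for a planned SSC Setup (dict layout is hypothetical)."""
    mgmt = ipaddress.ip_interface(plan["mgmt_ip"])
    gateway = ipaddress.ip_address(plan["gateway"])
    asa_vlan = ipaddress.ip_address(plan["asa_vlan_ip"])
    station = ipaddress.ip_address(plan["mgmt_station"])
    allowed = [ipaddress.ip_network(n) for n in plan["allowed_hosts"]]
    findings = []

    # Step 2d: either gateway choice lives on the management VLAN subnet.
    if gateway not in mgmt.network:
        findings.append("gateway-off-mgmt-subnet")
    # Step 2d: directly connected station -> gateway is the ASA VLAN interface.
    elif station in mgmt.network and gateway != asa_vlan:
        findings.append("gateway-should-be-asa-vlan-ip")
    # Step 3: the management station must be in Allowed Hosts/Networks.
    if not any(station in net for net in allowed):
        findings.append("station-not-in-allowed-hosts")
    # Step 4: the default password must be replaced.
    if plan["new_password"] == DEFAULT_PASSWORD:
        findings.append("default-password-kept")
    # Restrictions: initial ASDM setup needs the real (untranslated) address.
    if plan["initial_setup"] and plan["nat_on_mgmt_ip"]:
        findings.append("nat-during-initial-setup")
    # Failover guideline: both units' SSC addresses share one subnet.
    peer = plan.get("failover_peer_mgmt_ip")
    if peer and ipaddress.ip_interface(peer).network != mgmt.network:
        findings.append("failover-peer-subnet-mismatch")
    return findings

# Constructed sample plans (addresses are illustrative, not from a real device).
GOOD_PLAN = {
    "mgmt_ip": "10.20.30.2/24", "gateway": "10.20.30.1",
    "asa_vlan_ip": "10.20.30.1", "mgmt_station": "10.20.30.50",
    "allowed_hosts": ["10.20.30.48/29"], "new_password": "Example-Only-9x!",
    "initial_setup": True, "nat_on_mgmt_ip": False,
    "failover_peer_mgmt_ip": "10.20.30.3/24",
}
BAD_PLAN = dict(GOOD_PLAN, gateway="10.20.31.1", mgmt_station="172.16.5.9",
                new_password="cisco", nat_on_mgmt_ip=True,
                failover_peer_mgmt_ip="10.20.40.3/24")

if __name__ == "__main__":
    print(audit_ssc_plan(GOOD_PLAN))
    print(audit_ssc_plan(BAD_PLAN))
```

An empty list means the plan is consistent with the rules in this chapter; it does not confirm that the VLAN is assigned to a switch port, which is covered by the prerequisites.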



Password Troubleshooting

You can reset the module password to the default; for IPS, password reset is supported if the module is running IPS Version 6.0 or later. The default password is "cisco" (without the quotation marks). After resetting the password, you should change it to a unique value using the module application.

Resetting the module password causes the module to reboot. Services are not available while the module is rebooting.

After you log in and define a new password, you do not need to log in to the software again. If you cannot connect to the software with the new password, restart ASDM and try to log in again.

If you defined a new password and still have an existing password that is different from the new password, clear the password cache by choosing File > Clear ASDM Password Cache, then restart ASDM and try to log in again.

Detailed Steps


Step 1 From the ASDM menu bar, choose Tools > IPS Password Reset or Tools > CSC Password Reset.

The IPS/CSC Password Reset confirmation dialog box appears.

Step 2 Click OK to reset the password to the default.

A dialog box displays the success or failure of the password reset. For IPS, if the password was not reset, make sure you are using IPS Version 6.0 or later on the module.

Step 3 Click Close to close the dialog box.


Where to Go Next

To configure the IPS module, see Chapter 55 "Configuring the IPS Module."

To configure the CSC module, see Chapter 56 "Configuring the Content Security and Control Application on the CSC SSM."

Feature History for Modules

Table 54-2 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

Table 54-2 Feature History for the SSM and SSC

| Feature Name | Platform Releases | Feature Information |
| --- | --- | --- |
| SSM support for the ASA 5510, 5520, and 5540 | ASA 7.0(1) | We introduced SSMs. |
| Password reset | ASA 7.2(2) | The Tools > IPS/CSC Password Reset screen was introduced. |
| SSC support for the ASA 5505 | ASA 8.2(1) | We introduced SSCs for the ASA 5505. The Configuration > Device Setup > SSC Setup screen was introduced. |
| Support for the IPS SSP-10, -20, -40, and -60 for the ASA 5585-X | 8.2(4.4) | We introduced support for the IPS SSP-10, -20, -40, and -60 for the ASA 5585-X. You can only install the IPS SSP with a matching-level SSP; for example, SSP-10 and IPS SSP-10. Note: The ASA 5585-X is not supported in Version 8.3. |