Cisco ASA 5500 Series Configuration Guide using the CLI, 8.3
Managing Service Modules
Downloads: This chapterpdf (PDF - 185.0KB) The complete bookPDF (PDF - 20.75MB) | Feedback

Managing Services Modules

Table Of Contents

Managing Services Modules

Information About Modules

Supported Applications

Information About Management Access

Sessioning to the Module

Using ASDM

Using SSH or Telnet

Other Uses for the Module Management Interface

Routing Considerations for Accessing the Management Interface

Guidelines and Limitations

Default Settings

Configuring the SSC Management Interface

Sessioning to the Module

Troubleshooting the Module

Management IP Address Troubleshooting

TFTP Troubleshooting

Installing an Image on the Module

Password Troubleshooting

Reloading or Resetting the Module

Shutting Down the Module

Monitoring Modules

Where to Go Next

Feature History for Modules


Managing Services Modules


This chapter describes how to manage a the following module types:

Security Services Cards (SSCs)

Security Services Modules (SSMs)

Modules run advanced security applications, such as IPS and Content Security and Control. See the Cisco ASA 5500 Series Hardware and Software Compatibility for a listof supported modules and ASA models:

http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html


Note For information about the 4GE SSM, which is an interface module and does not run intelligent software, see Chapter 6 "Configuring Interfaces."


This chapter includes the following sections:

Information About Modules

Guidelines and Limitations

Default Settings

Configuring the SSC Management Interface

Sessioning to the Module

Troubleshooting the Module

Monitoring Modules

Reloading or Resetting the Module

Feature History for Modules

Information About Modules

This section includes the following topics:

Supported Applications

Information About Management Access

Supported Applications

The following applications are supported on the SSM:

IPS software (on the AIP SSM)

Content Security and Control software (on the CSC SSM)

The following applications are supported on the SSC:

IPS software (on the AIP SSC)


Note You cannot change the software type installed on the module; if you purchase an AIP SSM, you cannot later install CSC software on it.


Information About Management Access

You can manage the module application using ASDM or by using the module application CLI. This section includes the following topics:

Sessioning to the Module

Using ASDM

Using SSH or Telnet

Other Uses for the Module Management Interface

Routing Considerations for Accessing the Management Interface

Sessioning to the Module

If you have CLI access to the adaptive security appliance, then you can session to the module over the backplane and access the module CLI. See the "Sessioning to the Module" section.

Using ASDM

After you launch ASDM on the adaptive security appliance, ASDM connects to the module management interface to configure the module application.

On the SSM—ASDM connects to an external Gigabit Ethernet port. If you cannot use the default address, you can change the interface IP address and other network parameters by sessioning to the module and setting the parameters at the module CLI. See the documentation for the module application for more information.

On the SSC—You can configure a VLAN as a management VLAN to allow access to an internal management IP address over the backplane. To change the network parameters, see the "Configuring the SSC Management Interface" section.

See the "Default Settings" section for information about the default management interface parameters.

Using SSH or Telnet

You can access the module CLI directly using SSH or Telnet to the module management interface. (Telnet access requires additional configuration in the module application). See the "Using ASDM" section for more information about the management interface.

Other Uses for the Module Management Interface

The module management interface can be used for sending syslog messages or allowing updates for the module application, such as signature database updates on the IPS module.

Routing Considerations for Accessing the Management Interface

To make sure ASDM can manage the module, be sure that the adaptive security appliance can access the module management interface address.

For the SSC—Be sure to configure an IP address for the adaptive security appliance VLAN that you are also using for the SSC management interface, and assign that VLAN to a switch port so the SSC interface is physically connected to the network. The SSC management interface will then be on a directly-connected network for the adaptive security appliance, so ASDM can access the management interface without any additional routing configuration.

For the SSM—The external management interface is not considered to be an adaptive security appliance interface, so it is not automatically on a directly-connected network. Depending on how you cable your network, the SSM external interface can be on the same network as an adaptive security appliance interface (through a switch), or you can put it on a different network (through a router).

Guidelines and Limitations

Context Mode Guidelines

See the chapter for each module application for context mode guidelines.

Firewall Mode Guidelines

See the chapter for each module application for firewall mode guidelines.

Failover Guidelines

For the SSC, make sure you configure the management IP addresses on both units to be on the same subnet and VLAN.

Model Guidelines

For model support for each module, see the "Module Support" section.

Additional Guidelines

You cannot change the software type installed on the module; if you purchase an AIP SSM, you cannot later install CSC software on it.

You cannot set up the SSC in ASDM if you use an IP address that goes through NAT.

Default Settings

Table 54-1 lists the default network settings for modules.

Table 54-1 Default Network Parameters 

Parameters
Default

Management VLAN (SSC only)

VLAN 1

Management IP address

192.168.1.2/24

Management hosts (SSC only)

192.168.1.0/24

Gateway

192.168.1.1



Note The default management IP address on the adaptive security appliance is 192.168.1.1/24.


Configuring the SSC Management Interface

An SSC does not have any external interfaces. You can configure a VLAN as a management VLAN to allow access to an internal management IP address over the backplane. By default, VLAN 1 is enabled for the SSC management address. You can only assign one VLAN as the SSC management VLAN. This section describes how to change the management VLAN. It also describes how to change the default management IP address, allowed hosts, and gateway. See the "Default Settings" section for more information about defaults.

Prerequisites

For the VLAN you want to use for the SSC management interface, configure the switch port and VLAN interface on the ASA 5505 according to the procedures listed in Chapter 6 "Configuring Interfaces." This configuration is required so the SSC interface is physically connected to the network.

Restrictions

Do not configure NAT for the management address if you intend to access it using ASDM. For initial setup with ASDM, you need to access the real address. After initial setup (where you set the password in the SSC), you can configure NAT and supply ASDM with the translated address when you want to access the SSC.

Detailed Steps

 
Command
Purpose

Step 1 

interface vlan number
Example:

hostname(config)# interface vlan 1

Specifies the current management VLAN for which you want to disable SSC management. By default, this is VLAN 1.

Step 2 

no allow-ssc-mgmt
Example:

hostname(config-if)# no allow-ssc-mgmt

Disables SSC management for the old VLAN so that you can enable it for a different VLAN.

Step 3 

interface vlan number
Example:

hostname(config)# interface vlan 20

Specifies the VLAN you want to use as the SSC management VLAN.

Step 4 

allow-ssc-mgmt
Example:

hostname(config-if)# allow-ssc-mgmt

Sets this interface as the SSC management interface.

Step 5 

hw-module module 1 ip ip_address netmask 
gateway
Example:

hostname# hw-module module 1 ip 209.165.200.225 255.255.255.224 209.165.200.245

Configures the management IP address for the SSC. Make sure this address is on the same subnet as the ASA 5505 VLAN interface.

If the management station is on a directly-connected adaptive security appliance network, then set the gateway to be the ASA 5505 VLAN interface address. If the management station is on a remote network, then set the gateway to the address of an upstream router on the management VLAN.

Note These settings are written to the SSC application configuration, not the ASA 5505 configuration. You can view these settings from the ASA 5505 using the show module details command.

You can alternatively use the SSC application setup command to configure this setting from the SSC CLI.

Step 6 

hw-module module 1 allow-ip ip_address 
netmask
Example:

hostname# hw-module module 1 allow-ip 209.165.201.29 255.255.255.224

Sets the hosts that are allowed to access the management IP address.

Note These settings are written to the SSC application configuration, not the ASA 5505 configuration. You can view these settings from the ASA 5505 using the show module details command.

You can alternatively use the SSC application setup command to configure this setting from the SSC CLI.

Examples

The following example configures VLAN 20 as the SSC management VLAN. This VLAN is restricted to management traffic only. Only the host at 10.1.1.30 can access the SSC management IP address. VLAN 20 is assigned to switch port Ethernet 0/0. When you connect to ASDM on ASA interface 10.1.1.1, ASDM then accesses the SSC on 10.1.1.2.

hostname(config)# interface vlan 1
hostname(config-if)# no allow-ssc-mgmt
 
   
hostname(config-if)# interface vlan 20
hostname(config-if)# nameif inside
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# security-level 100
hostname(config-if)# allow-ssc-mgmt
hostname(config-if)# no shutdown
hostname(config-if)# management-only
 
   
hostname(config-if)# hw-module module 1 ip 10.1.1.2 255.255.255.0 10.1.1.1
hostname(config)# hw-module module 1 allow-ip 10.1.1.30 255.255.255.255
 
   
hostname(config)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 20
hostname(config-if)# no shutdown
 
   

Sessioning to the Module

To begin configuring the module, session to the module from the adaptive security appliance. To session to the module from the adaptive security appliance, enter the following command:

Command
Purpose
session 1
Example:

hostname# session 1

Opening command session with slot 1.

Connected to slot 1. Escape character sequence is 'CTRL-^X'.

Accesses the module over the backplane. You are prompted for the username and password. The default username is "cisco" and the default password is "cisco."

Note The first time you log in to the module, you are prompted to change the default password. Passwords must be at least eight characters long and not a word in the dictionary.


Troubleshooting the Module

This section includes procedures that help you recover or troubleshoot the module and includes the following topics:

Management IP Address Troubleshooting

TFTP Troubleshooting

Installing an Image on the Module

Password Troubleshooting

Reloading or Resetting the Module

Shutting Down the Module

Management IP Address Troubleshooting

If you upgrade the ASA 5505 and add an SSC, and you are using the factory default IP address of the ASA 5505, make sure that the default IP address of the ASA 5505 starts at 192.168.1.5, because the factory default IP address of the SSC is 192.168.1.2. If a conflict occurs during configuration, a warning message appears.

TFTP Troubleshooting

At startup, make sure that the TFTP URL download location is valid, because if the ASA 5505 cannot detect a valid image to download, the SSC application does not start and the following error message appears:

Autoboot Error\System Halt

Installing an Image on the Module

If the module suffers a failure and the module application image cannot run, you can transfer application images from a TFTP server to the module using the adaptive security appliance CLI. The adaptive security appliance can communicate with the module ROMMON application to transfer the image.


Note This process can take approximately 15 minutes to complete, depending on your network and the size of the image.

Do not use the upgrade command within the module software to install the image.


Prerequisites

Be sure the TFTP server that you specify can transfer files up to 60 MB in size.

Detailed Steps

 
Command
Purpose

Step 1 

hw-module module 1 recover configure
Example:

hostname# hw-module module 1 recover configure

Image URL [tftp://127.0.0.1/myimage]: tftp://10.1.1.1/ids-newimg

Port IP Address [127.0.0.2]: 10.1.2.10

Port Mask [255.255.255.254]: 255.255.255.0

Gateway IP Address [1.1.2.10]: 10.1.2.254

VLAN ID [0]: 100

Prompts you for the URL for the TFTP server, the management interface IP address and netmask, gateway address, and VLAN ID (the SSC uses the VLAN you configured for management in the "Configuring the SSC Management Interface" section.) These network parameters are configured in ROMMON; the network parameters you configured in the module application configuration (for example in the "Configuring the SSC Management Interface" section) are not available to ROMMON, so you must set them separately here.

If you are modifying a configuration, you can keep the previously configured value by pressing Enter when prompted.

You can view the recovery configuration using the show module 1 recover command.

In multiple context mode, enter this command in the system execution space.

Step 2 

hw-module module 1 recover boot
Example:

hostname# hw-module module 1 recover boot

Transfers the image from the TFTP server to the module and restarts the module.

Step 3 

show module 1 details
Example:

hostname# show module 1 details

Checks the progress of the image transfer and module restart process.

The Status field in the output indicates the operational status of the module. A module operating normally shows a status of "Up." While the adaptive security appliance transfers an application image to the module, the Status field in the output reads "Recover." When the adaptive security appliance completes the image transfer and restarts the module, the newly transferred image is running.

Password Troubleshooting

You can reset the module password to the default; for IPS, password reset is supported if the module is running IPS Version 6.0 or later. The default password is "cisco" (without the quotation marks). After resetting the password, you should change it to a unique value using the module application.

Resetting the module password causes the module to reboot. Services are not available while the module is rebooting.

After you log in and define a new password, you do not need to log in to the software again. If you cannot connect to the software with the new password, restart ASDM and try to log in again.

To reset the module password to the default of "cisco," perform the following steps.

Detailed Steps

Command
Purpose
hw-module module 1 password-reset
Example:

hostname# hw-module module 1 password-reset

Resets the module password to "cisco."


Reloading or Resetting the Module

To reload or reset the module, enter one of the following commands at the adaptive security appliance CLI.

Detailed Steps

Command
Purpose
hw-module module 1 reload
Example:

hostname# hw-module module 1 reload

Reloads the module software.

hw-module module 1 reset
Example:

hostname# hw-module module 1 reset

Performs a hardware reset, and then reloads the module.


Shutting Down the Module

If you restart the adaptive security appliance, the module is not automatically restarted. To shut down the module, perform the following steps at the adaptive security appliance CLI.

Detailed Steps

Command
Purpose
hw-module module 1 shutdown
Example:

hostname# hw-module module 1 shutdown

Shuts down the module.


Monitoring Modules

To check the status of a module, enter one of the following commands:

Command
Purpose
show module

Displays the status.

show module 1 details

Displays additional status information.

show module 1 recover

Displays the network parameters for transferring an image to the module.


Examples

The following is sample output from the show module command for an adaptive security appliance with a CSC SSM installed:

hostname# show module
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5520 Adaptive Security Appliance         ASA5520            JMX1241L05S
  1 ASA 5500 Series Content Security Services Mo ASA-SSM-CSC-10     AF1234BQQL
 
   
Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 CSC SSM                        Down             6.2.1599.0
 
   

The following is sample output from the show module details command, which provides additional information about an adaptive security appliance with a CSC SSM installed:

hostname# show module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-20
Model: ASA-SSM-20
Hardware version: 1.0
Serial Number: JAF10333331
Firmware version: 1.0(10)0
Software version: Trend Micro InterScan Security Module Version 6.2
App. name: Trend Micro InterScan Security Module
App. version: Version 6.2
Data plane Status: Up
Status: Up 
HTTP Service: Up 
Mail Service: Up 
FTP Service: Up 
Activated: Yes 
Mgmt IP addr: 209.165.200.225 
Mgmt web port: 8443 
 
   

The following is sample output from the show module recover command, which includes recovery details for a adaptive security appliance with a CSC SSM installed:

hostname# show module 1 recover
Module 1 recover parameters. . .
Boot Recovery Image: Yes
Image URL: tftp://10.21.18.1/ids-oldimg
Port IP Address: 209.165.200.230 
Port Mask: 255.255.224.0
Gateway IP Address: 209.165.200.254
 
   

The following is sample output from the show module details command, which provides additional information for a adaptive security appliance with an SSC installedL

hostname# show module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Card-5
Hardware version: 0.1
Serial Number: JAB11370240
Firmware version: 1.0(14)3
Software version: 6.2(1)E2
MAC Address Range: 001d.45c2.e832 to 001d.45c2.e832
App. Name: IPS
App. Status: Up
App. Status Desc: Not Applicable
App. Version: 6.2(1)E2
Data plane Status: Up
Status: Up
Mgmt IP Addr: 209.165.201.29
Mgmt Network Mask: 255.255.224.0
Mgmt Gateway: 209.165.201.30 
Mgmt Access List: 209.165.201.31/32
					209.165.202.158/32
					209.165.200.254/24
Mgmt Vlan: 20
 
   

Where to Go Next

To configure the IPS module, see Chapter 55 "Configuring the IPS Module."

To configure the CSC module, see Chapter 56 "Configuring the Content Security and Control Application on the CSC SSM."

Feature History for Modules

Table 54-2 lists each feature change and the platform release in which it was implemented.

Table 54-2 Feature History for the SSM and SSC 

Feature Name
Platform Releases
Feature Information

SSM support for the ASA 5510, 5520, and 5540

ASA 7.0(1)

We introduced SSMs.

The following commands were introduced to manage the SSM: hw-module module {recover | reload | reset | shutdown}, show module, and session.

Password reset

ASA 7.2(2)

The hw-module module password-reset command was introduced.

 

SSC support for the ASA 5505

ASA 8.2(1)

We introduced SSCs for the ASA 5505.

The following commands were introduced: allow-ssc-mgmt, hw-module module ip, and hw-module module allow-ip.