Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 6.2
Configuring AIP-SSC-5

Table Of Contents

Configuring AIP-SSC-5

AIP-SSC-5 Configuration Sequence

Verifying AIP-SSC-5 Initialization

Configuring the AIP-SSC-5 Management Interface

Understanding the AIP-SSC-5 Management Interface

Changing the AIP-SSC-5 Network Settings

AIP-SSC-5 Management Interface Example

Sending Traffic to AIP-SSC-5

Adaptive Security Appliance and AIP-SSC-5

IPS Traffic Commands

Configuring the Adaptive Security Appliance to Send IPS Traffic to AIP-SSC-5

Adaptive Security Appliance, AIP-SSC-5, and Bypass Mode

Reloading, Shutting Down, Resetting, and Recovering AIP-SSC-5

New and Modified Commands

hw-module module allow-ip

hw-module module ip


Configuring AIP-SSC-5



Note All IPS platforms allow ten concurrent CLI sessions.


This chapter contains procedures that are specific to configuring AIP-SSC-5. It contains the following sections:

AIP-SSC-5 Configuration Sequence

Verifying AIP-SSC-5 Initialization

Configuring the AIP-SSC-5 Management Interface

Sending Traffic to AIP-SSC-5

Adaptive Security Appliance, AIP-SSC-5, and Bypass Mode

Reloading, Shutting Down, Resetting, and Recovering AIP-SSC-5

New and Modified Commands

AIP-SSC-5 Configuration Sequence

You configure both the adaptive security appliance and IPS software on AIP-SSC-5.

Perform the following tasks to configure AIP-SSC-5:

1. Log (session) in to AIP-SSC-5.

2. Initialize AIP-SSC-5.


Note You do not have to run the setup command to initialize AIP-SSC-5. You can initialize it using ASDM.


3. Verify AIP-SSC-5 initialization.

4. Configure the adaptive security appliance to send IPS traffic to AIP-SSC-5.

5. Perform other initial tasks, such as adding users, trusted hosts, and so forth.

6. Configure intrusion prevention.

7. Perform miscellaneous tasks to keep your AIP-SSC-5 running smoothly.

8. Upgrade the IPS software with new signature updates and service packs.

9. Reimage AIP-SSC-5 when needed.

For More Information

For the procedure for logging in to AIP-SSC-5, see Logging In to AIP-SSM and AIP-SSC-5, page 2-6.

For the procedure for verifying AIP-SSC-5 initialization, see Verifying AIP-SSC-5 Initialization.

For the procedure for configuring ASA to send traffic to AIP-SSC-5, see Sending Traffic to AIP-SSC-5.

For the procedures for setting up the sensor, see Chapter 4, "Setting Up the Sensor."

For the procedures for configuring intrusion prevention, see Chapter 7, "Configuring Event Action Rules," Chapter 8, "Defining Signatures," Chapter 9, "Configuring Anomaly Detection," and Chapter 13, "Configuring Attack Response Controller for Blocking and Rate Limiting."

For the procedures for keeping your AIP-SSC-5 running smoothly, see Chapter 16, "Administrative Tasks for the Sensor."

For more information on how to obtain Cisco IPS software, see Chapter 22, "Obtaining Software."

For the procedure for reimaging AIP-SSC-5, see Installing the AIP-SSM and AIP-SSC-5 System Image, page 23-25.

Verifying AIP-SSC-5 Initialization

You can use the show module slot details command to verify that you have initialized AIP-SSC-5 and to verify that you have the correct software version.

To verify initialization, follow these steps:


Step 1 Log in to the adaptive security appliance.

Step 2 Obtain the details about AIP-SSC-5.

asa# show module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Card-5
Hardware version: 0.1
Serial Number: JAB11370240
Firmware version: 1.0(14)3
Software version: 6.2(1)E3
MAC Address Range: 001d.45c2.e832 to 001d.45c2.e832
App. Name: IPS
App. Status: Up
App. Status Desc: Not Applicable
App. Version: 6.2(1)E2
Data plane Status: Up
Status: Up
Mgmt IP Addr: 209.165.201.29
Mgmt Network Mask: 255.255.224.0
Mgmt Gateway: 209.165.201.30
Mgmt Access List: 209.165.201.31/32
                  209.165.202.158/32
                  209.165.200.254/24
Mgmt Vlan: 20
asa#

Step 3 Confirm the information.
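As an added example that is not part of the Cisco guide, the following Python script parses this output and applies the checks a practitioner makes when confirming it: module and application status, software version, management VLAN, gateway inside the management subnet, and allowed-host entries with stray host bits. The expected version and VLAN are assumptions supplied by the caller; the sample output is the one above, abridged to the fields the checks use.

```python
import ipaddress
import re

# Constructed sample: the 'show module 1 details' output shown above,
# abridged to the fields the checks below use.
SAMPLE_OUTPUT = """\
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Card-5
Software version: 6.2(1)E3
App. Name: IPS
App. Status: Up
App. Version: 6.2(1)E2
Data plane Status: Up
Status: Up
Mgmt IP Addr: 209.165.201.29
Mgmt Network Mask: 255.255.224.0
Mgmt Gateway: 209.165.201.30
Mgmt Access List: 209.165.201.31/32
                  209.165.202.158/32
                  209.165.200.254/24
Mgmt Vlan: 20
"""


def parse_module_details(text):
    """Turn the 'Field: value' lines into a dict; the multi-line
    'Mgmt Access List' field becomes a list of network strings."""
    fields, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"([A-Za-z][A-Za-z. ]*?):\s*(.*)$", line)
        if m:
            current, value = m.groups()
            fields[current] = [value] if current == "Mgmt Access List" else value
        elif current == "Mgmt Access List" and line:
            fields[current].append(line)    # indented continuation line
    return fields


def check_initialization(fields, expected_version, expected_vlan):
    """Return a list of findings; an empty list means the card looks ready.
    expected_version and expected_vlan are what the operator intended."""
    findings = []
    for key in ("Status", "App. Status", "Data plane Status"):
        if fields.get(key) != "Up":
            findings.append(f"{key} is {fields.get(key)!r}, expected 'Up'")
    if fields.get("Software version") != expected_version:
        findings.append(f"software {fields.get('Software version')} != {expected_version}")
    if fields.get("Mgmt Vlan") != str(expected_vlan):
        findings.append(f"management VLAN {fields.get('Mgmt Vlan')} != {expected_vlan}")
    # The gateway must lie in the management subnet (see Changing the
    # AIP-SSC-5 Network Settings).
    try:
        net = ipaddress.IPv4Network(
            (fields["Mgmt IP Addr"], fields["Mgmt Network Mask"]), strict=False)
        if ipaddress.IPv4Address(fields["Mgmt Gateway"]) not in net:
            findings.append(f"gateway {fields['Mgmt Gateway']} outside {net}")
    except (KeyError, ValueError) as exc:
        findings.append(f"management addressing unreadable: {exc}")
    # An allowed-host entry with host bits set admits its whole network.
    for entry in fields.get("Mgmt Access List", []):
        try:
            ipaddress.IPv4Network(entry)
        except ValueError:
            net = ipaddress.IPv4Network(entry, strict=False)
            findings.append(f"allowed host {entry} has host bits set; admits all of {net}")
    return findings
```

Run against the sample, the only finding is the 209.165.200.254/24 entry, which admits the whole 209.165.200.0/24 network rather than one host.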


Configuring the AIP-SSC-5 Management Interface

This section describes the AIP-SSC-5 default network settings, how to change them, and provides examples. It contains the following topics:

Understanding the AIP-SSC-5 Management Interface

Changing the AIP-SSC-5 Network Settings

AIP-SSC-5 Management Interface Example

Understanding the AIP-SSC-5 Management Interface

An AIP-SSC-5 does not have any external interfaces. You configure a VLAN as a management VLAN to allow access to an internal management IP address over the backplane. By default, VLAN 1 is enabled for the AIP-SSC-5 management address. You can only assign one VLAN as the AIP-SSC-5 management VLAN.

Table 18-1 lists the default network settings for AIP-SSC-5.

Table 18-1 Default Network Parameters

Parameters              Default
Management VLAN         VLAN 1
Management IP address   192.168.1.2/24
Management hosts        192.168.1.0/24
Gateway                 192.168.1.1



Note The default management IP address on the adaptive security appliance is 192.168.1.1/24.



Note The management IP address, hosts, and gateway settings are written to the AIP-SSC-5 configuration, not the adaptive security appliance configuration. You can view these settings from the ASA 5505 using the show module details command. You can also run the setup command from the AIP-SSC-5 CLI to configure these settings.


For More Information

For the procedure for running the setup command, see Basic Sensor Setup, page 3-3.

For the procedure for changing the network settings, see Changing the AIP-SSC-5 Network Settings.

Changing the AIP-SSC-5 Network Settings

To change the default settings on AIP-SSC-5, follow these steps:


Step 1 Log in to the adaptive security appliance.

Step 2 Enter configuration mode.

asa# configure terminal

Step 3 Verify the current management VLAN. By default, this is VLAN 1.

asa(config)# interface vlan number

asa(config)# interface vlan 1

Step 4 Disable AIP-SSC-5 management.

asa(config-if)# no allow-ssc-mgmt

Step 5 Specify the new AIP-SSC-5 management interface.

asa(config)# interface vlan number

asa(config)# interface vlan 20

Step 6 Enable AIP-SSC-5 management on the new VLAN interface.

asa(config-if)# allow-ssc-mgmt

Make sure the address is on the same subnet as the adaptive security appliance VLAN interface.

Step 7 Configure the AIP-SSC-5 management interface.

asa# hw-module module 1 ip ip_address netmask gateway

asa# hw-module module 1 ip 209.165.200.255 255.255.255.224 209.165.200.245

If the management station is on a directly connected adaptive security appliance network, set the gateway to be the adaptive security appliance interface address. If the management station is on a remote network, set the gateway to the address of an upstream router on the management VLAN.

Step 8 Set the hosts allowed to access the management IP address.

asa# hw-module module 1 allow-ip ip_address netmask

asa# hw-module module 1 allow-ip 209.165.200.255 255.255.255.224

Step 9 Verify the settings.

asa# show running-config

Step 10 Exit and save the configuration.


For More Information

For a management interface example, see AIP-SSC-5 Management Interface Example.

For a list of the default network settings, see Understanding the AIP-SSC-5 Management Interface.

AIP-SSC-5 Management Interface Example

The following example configures VLAN 20 as the AIP-SSC-5 management VLAN. This VLAN is restricted to management traffic only. Only the host at 10.1.1.30 can access the AIP-SSC-5 management IP address. VLAN 20 is assigned to switch port Ethernet 0/0. When you connect to ASDM on ASA interface 10.1.1.1, ASDM then accesses AIP-SSC-5 on 10.1.1.2.

hostname(config)# interface vlan 1
hostname(config-if)# no allow-ssc-mgmt

hostname(config-if)# interface vlan 20
hostname(config-if)# nameif inside
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# security-level 100
hostname(config-if)# allow-ssc-mgmt
hostname(config-if)# no shutdown
hostname(config-if)# management-only

hostname(config-if)# hw-module module 1 ip 10.1.1.2 255.255.255.0 10.1.1.1
hostname(config)# hw-module module 1 allow-ip 10.1.1.30 255.255.255.255

hostname(config)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 20
hostname(config-if)# no shutdown

For More Information

For the procedure to change network settings, see Changing the AIP-SSC-5 Network Settings.

Sending Traffic to AIP-SSC-5

This section describes how to configure AIP-SSC-5 to receive IPS traffic from the adaptive security appliance (inline or promiscuous mode). AIP-SSC-5 must be running Cisco Adaptive Security Appliance Software 8.2 or later. It contains the following topics:

Adaptive Security Appliance and AIP-SSC-5

IPS Traffic Commands

Configuring the Adaptive Security Appliance to Send IPS Traffic to AIP-SSC-5

Adaptive Security Appliance and AIP-SSC-5

The adaptive security appliance diverts packets to AIP-SSC-5 just before the packet exits the egress interface (or before VPN encryption occurs, if configured) and after other firewall policies are applied. For example, packets that are blocked by an access list are not forwarded to AIP-SSC-5.

You can configure AIP-SSC-5 to inspect traffic in inline or promiscuous mode and in fail-open or fail-close mode.

Perform these steps on the adaptive security appliance to identify traffic to be diverted to and inspected by AIP-SSC-5:

1. Create or use an existing ACL.

2. Use the class-map command to define the IPS traffic class.

3. Use the policy-map command to create an IPS policy map by associating the traffic class with one or more actions.

4. Use the service-policy command to create an IPS security policy by associating the policy map with one or more interfaces.

You can use the adaptive security appliance CLI or ASDM to configure IPS traffic inspection.

IPS Traffic Commands


Note For more information on these commands, refer to "Using Modular Policy Framework," in Cisco Security Appliance Command Line Configuration Guide.


The following options apply:

access-list word—Configures an access control element; word is the access list identifier (up to 241 characters).

class-map class_map_name—Defines the IPS traffic class.

match—Identifies the traffic included in the traffic class.

A traffic class map contains a match command. When a packet is matched against a class map, the match result is either a match or a no match.

access-list—Matches an access list.

any—Matches any packet.

policy-map policy_map_name—Creates an IPS policy map by associating the traffic class with one or more actions.

ips {inline | promiscuous} {fail-open | fail-close} [sensor sensor_name]—Assigns traffic from the adaptive security appliance to a specified virtual sensor on AIP-SSC-5. If no virtual sensor is specified, traffic is assigned to the default virtual sensor. Supported modes are single or multi mode, user context, config mode, and policy map class submode.


Note AIP-SSC-5 does not support virtualization.


inline—Places AIP-SSC-5 directly in the traffic flow.

No traffic can continue through the adaptive security appliance without first passing through and being inspected by AIP-SSC-5. This mode is the most secure because every packet is analyzed before being permitted through. Also, AIP-SSC-5 can implement a blocking policy on a packet-by-packet basis. This mode, however, can affect throughput.

promiscuous—Sends a duplicate stream of traffic to AIP-SSC-5.

This mode is less secure, but has little impact on traffic throughput. Unlike when in inline mode, AIP-SSC-5 cannot block traffic by instructing the adaptive security appliance to block the traffic or by resetting a connection on the adaptive security appliance.

fail-close—Sets the adaptive security appliance to block all traffic if AIP-SSC-5 is unavailable.

fail-open—Sets the adaptive security appliance to permit all traffic through, uninspected, if AIP-SSC-5 is unavailable.


Note The adaptive security appliance fail-open/fail-close behavior depends on low-level heartbeats, which are turned off when AIP-SSC-5 is shut down or reset. If AIP-SSC-5 fails, the adaptive security appliance cannot detect this failure because the heartbeats are still received. For inline inspection of traffic, use IPS bypass mode to drop or permit traffic through.


sensor sensor_name—Name of the allocated virtual sensor. If the sensor name was mapped, the mapped name is used. Otherwise, the real sensor name is used.

service-policy service_policy_name {global | interface interface_name}—Creates an IPS security policy by associating the policy map with one or more interfaces.

global—Applies the policy map to all interfaces.

Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.

interface—Applies the policy to one interface.

You can assign a different policy for each interface.

For More Information

For more information about AIP-SSC-5, the adaptive security appliance, and bypass mode, see Adaptive Security Appliance, AIP-SSC-5, and Bypass Mode.

Configuring the Adaptive Security Appliance to Send IPS Traffic to AIP-SSC-5

To send traffic from the adaptive security appliance to AIP-SSC-5 for the IPS to inspect, follow these steps:


Step 1 Log in to the adaptive security appliance.

Step 2 Enter configuration mode.

asa# configure terminal

Step 3 Create an IPS access list.

asa(config)# access-list IPS permit ip any any

Step 4 Define an IPS class map to identify the traffic you want to send to AIP-SSC-5.

asa(config)# class-map class_map_name

Example

asa(config)# class-map ips_class


Note You can create multiple traffic class maps to send multiple traffic classes to AIP-SSC-5.


Step 5 Specify the traffic in the class map.

asa(config-cmap)# match parameter

Example

asa(config-cmap)# match access-list IPS

Step 6 Add an IPS policy map that sets the actions to take with the class map traffic.

asa(config-cmap)# policy-map policy_map_name

Example

asa(config-cmap)# policy-map ips_policy

Step 7 Identify the class map you created in Step 4.

asa(config-pmap)# class class_map_name

Example

asa(config-pmap)# class ips_class

Step 8 Assign traffic to AIP-SSC-5.

asa(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open}

Example

asa(config-pmap-c)# ips promiscuous fail-close

Step 9 (Optional) If you created multiple traffic class maps for IPS traffic, you can specify another class.

asa(config-pmap)# class class_map_name_2

Example

asa(config-pmap)# class ips_class_2

Step 10 (Optional) Specify the second class of traffic to send to AIP-SSC-5.

asa(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open}

Example

asa(config-pmap-c)# ips promiscuous fail-close

Step 11 Activate the IPS service policy map on one or more interfaces.

asa(config)# service-policy policymap_name {global | interface interface_name}

Example

asa(config)# service-policy ips_policy interface outside

Step 12 Verify the settings.

asa# show running-config

Step 13 Exit and save the configuration.
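As an added example (not from the Cisco guide), the following Python script audits a running-config fragment for the IPS service policy built in these steps: it resolves each service-policy target to the ips actions of its classes and flags promiscuous mode, fail-open, targets with no IPS class, and more than one policy on one target. The config is constructed from the commands above; global_policy is an assumed extra policy-map with no IPS action.

```python
import re

# Constructed sample built from the commands in the procedure above
# (ips_class, ips_class_2 and ips_policy are the page's own names);
# global_policy is an assumed extra policy-map with no IPS action.
SAMPLE_CONFIG = """\
class-map ips_class
 match access-list IPS
class-map ips_class_2
 match any
policy-map ips_policy
 class ips_class
  ips inline fail-close
 class ips_class_2
  ips promiscuous fail-open
policy-map global_policy
service-policy global_policy global
service-policy ips_policy interface outside
"""


def parse_ips_policy(config):
    """policies: policy-map name -> [(class, mode, fail)] for 'ips' actions;
    applied: service-policy target ('global' or interface) -> [policy-maps]."""
    policies, pmap, cls = {}, None, None
    for line in config.splitlines():
        stripped = line.strip()
        if not line.startswith(" "):            # top-level command
            m = re.match(r"policy-map (\S+)$", stripped)
            pmap, cls = (m.group(1) if m else None), None
            if pmap:
                policies[pmap] = []
            continue
        if pmap is None:                        # inside class-map etc.
            continue
        m = re.match(r"class (\S+)$", stripped)
        if m:
            cls = m.group(1)
            continue
        m = re.match(r"ips (inline|promiscuous) (fail-open|fail-close)", stripped)
        if m and cls:
            policies[pmap].append((cls, m.group(1), m.group(2)))
    applied = {}
    for m in re.finditer(r"^service-policy (\S+) (?:global|interface (\S+))$",
                         config, re.M):
        applied.setdefault(m.group(2) or "global", []).append(m.group(1))
    return policies, applied


def assess(policies, applied):
    """Defender-oriented findings: weaker modes, failure behaviour, and the
    one-policy-per-target rule from the IPS Traffic Commands section."""
    findings = []
    for target, pmaps in applied.items():
        if len(pmaps) > 1:
            findings.append(f"{target}: more than one service-policy ({', '.join(pmaps)})")
        classes = [c for p in pmaps for c in policies.get(p, [])]
        if not classes:
            findings.append(f"{target}: no traffic sent to AIP-SSC-5")
        for cls, mode, fail in classes:
            notes = []
            if mode == "promiscuous":
                notes.append("copy only, AIP-SSC-5 cannot block or reset connections")
            if fail == "fail-open":
                notes.append("passes uninspected if the card is shut down or reset")
            suffix = f" ({'; '.join(notes)})" if notes else ""
            findings.append(f"{target}/{cls}: ips {mode} {fail}{suffix}")
    return findings
```

The fail-open note covers the shutdown and reset case only; as the bypass-mode section explains, a stopped SensorApp leaves the heartbeats running, so the configured fail behaviour is not what decides the outcome there.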



For More Information

For more information on bypass mode, see Adaptive Security Appliance, AIP-SSC-5, and Bypass Mode.

Adaptive Security Appliance, AIP-SSC-5, and Bypass Mode

The following conditions apply to bypass mode, the adaptive security appliance, and AIP-SSC-5:

Bypass Auto or Off

The adaptive security appliance permits or blocks traffic from going through according to the configured fail-open or fail-close rules when AIP-SSC-5 is shut down or reset.

Bypass Auto

If SensorApp stops on AIP-SSC-5, the adaptive security appliance permits all traffic through regardless of the configured fail-open or fail-close rules, because the AIP-SSC-5 NIC driver is still functioning and passing heartbeat packets.

Bypass Off

If SensorApp stops on AIP-SSC-5, the adaptive security appliance stops all traffic from going through regardless of the configured fail-open or fail-close rules.

For More Information

For more information on bypass mode, see Inline Bypass Mode, page 5-33.

Reloading, Shutting Down, Resetting, and Recovering AIP-SSC-5


Note You can enter the hw-module commands from privileged EXEC mode or from global configuration mode. You can enter the commands in single routed mode and single transparent mode. For adaptive security devices operating in multi-mode (routed or transparent multi-mode) you can only execute the hw-module commands from the system context (not from administrator or user contexts).


Use the following commands to reload, shut down, reset, recover the password, and recover AIP-SSC-5 directly from the adaptive security appliance:

hw-module module slot_number reload

This command reloads the software on AIP-SSC-5 without doing a hardware reset. It is effective only when the AIP-SSC-5 is in the Up state.

hw-module module slot_number shutdown

This command shuts down the software on AIP-SSC-5. It is effective only when AIP-SSC-5 is in the Up state.

hw-module module slot_number reset

This command performs a hardware reset of AIP-SSC-5. It is applicable when AIP-SSC-5 is in the Up/Down/Unresponsive/Recover states.

hw-module module slot_number password-reset

This command restores the cisco CLI account password on AIP-SSC-5 to the default cisco.

hw-module module slot_number recover [boot | stop | configure]

The recover command displays a set of interactive options for setting or changing the recovery parameters. To change the parameter or keep the existing setting, press Enter.


Caution AIP-SSC-5 can take up to 20 minutes to come online when it reboots after the installation of a new system image. You must let the process complete before you can make configuration changes to AIP-SSC-5. If you try to modify and save configuration changes before the process is complete, you receive an error message.

hw-module module slot_number recover boot

This command initiates recovery of AIP-SSC-5. It is applicable only when AIP-SSC-5 is in the Up state.

hw-module module slot_number recover stop

This command stops recovery of AIP-SSC-5. It is applicable only when AIP-SSC-5 is in the Recover state.


Caution If AIP-SSC-5 recovery needs to be stopped, you must issue the hw-module module 1 recover stop command within 30 to 45 seconds after starting AIP-SSC-5 recovery. Waiting any longer can lead to unexpected consequences. For example, AIP-SSC-5 may come up in the Unresponsive state.

hw-module module 1 recover configure

Use this command to configure parameters for AIP-SSC-5 recovery. The essential parameters are the IP address and recovery image TFTP URL location.

Example

aip-ssc# hw-module module 1 recover configure
Image URL [tftp://10.89.146.1/IPS-SSC-K9-sys-1.1-a-6.2-1-E3.img]:
Port IP Address [10.89.149.226]:
VLAN ID [0]:
Gateway IP Address [10.89.149.254]:

For More Information

For the procedure for recovering AIP-SSC-5, see Installing the AIP-SSM and AIP-SSC-5 System Image, page 23-25.

New and Modified Commands


Note All other Cisco ASA CLI commands are documented in the Cisco Security Appliance Command Reference on Cisco.com at http://www.cisco.com/en/US/products/ps6120/prod_command_reference_list.html.


This section describes the new and modified Cisco ASA commands that support AIP-SSC-5 and are used to configure AIP-SSC-5. It contains the following topics:

hw-module module allow-ip

hw-module module ip

hw-module module allow-ip

To configure host parameters on AIP-SSC-5, use the hw-module module allow-ip command in privileged EXEC mode.

hw-module module slot_number allow-ip ip_address netmask

Syntax Description

allow-ip ip_address    Specifies the allowed host IP address on AIP-SSC-5.
netmask                Specifies the allowed host network mask on AIP-SSC-5.
slot_number            Specifies the slot number, which is always 1.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                  Firewall Mode            Security Context
                                                      Multiple
Command Mode      Routed    Transparent    Single    Context    System

Privileged EXEC   Yes       Yes            Yes       --         Yes


Command History

Release    Modification
8.2(1)     This command was introduced.


Usage Guidelines

This command is only valid when the AIP-SSC-5 status is Up. Default values that are currently in effect are provided. To obtain these values, use the show module details command. These settings are saved as part of the AIP-SSC-5 configuration.

Examples

The following example shows how to configure host parameters on AIP-SSC-5:

hostname# hw-module module 1 allow-ip 209.165.201.29 255.255.255.0

Related Commands

Command                      Description
hw-module module ip          Allows you to configure AIP-SSC-5 management parameters.
show module                  Shows AIP-SSC-5 status information.


hw-module module ip

To configure AIP-SSC-5 management parameters, use the hw-module module ip command in privileged EXEC mode.

hw-module module slot_number ip ip_address netmask gateway

Syntax Description

gateway                Specifies the AIP-SSC-5 management gateway IP address.
ip ip_address          Specifies the AIP-SSC-5 management IP address.
netmask                Specifies the AIP-SSC-5 management network mask.
slot_number            Specifies the slot number, which is always 1.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                  Firewall Mode            Security Context
                                                      Multiple
Command Mode      Routed    Transparent    Single    Context    System

Privileged EXEC   Yes       Yes            Yes       --         Yes


Command History

Release    Modification
8.2(1)     This command was introduced.


Usage Guidelines

This command is only valid when the AIP-SSC-5 status is Up. Default values that are currently in effect are provided. To obtain these values, use the show module details command. These settings are saved as part of the AIP-SSC-5 configuration.

Examples

The following example shows how to configure management parameters for AIP-SSC-5:

hostname# hw-module module 1 ip 209.165.200.30 255.255.255.0 209.165.200.254

Related Commands

Command                      Description
hw-module module allow-ip    Allows you to configure AIP-SSC-5 host parameters.
show module                  Shows AIP-SSC-5 status information.