Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1
Installing and Removing the ASA 5500 AIP SSM

Contents

This chapter describes the ASA 5500 AIP SSM and contains the following sections:

Installation Notes and Caveats

Product Overview

Specifications

Memory Specifications

Hardware and Software Requirements

Indicators

Installation and Removal Instructions

Installation Notes and Caveats

Pay attention to the following installation notes and caveats before installing the ASA 5500 AIP SSM.


Note Read through the entire guide before beginning any of the installation procedures.



Warning Only trained and qualified personnel should install, replace, or service this equipment. Statement 49

Caution Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5500 Series Adaptive Security Appliance document and follow proper safety procedures when performing the steps in this guide.

Product Overview

The Cisco ASA Advanced Inspection and Prevention Security Services Module (ASA 5500 AIP SSM) is the IPS plug-in module in the Cisco ASA 5500 series adaptive security appliance. The adaptive security appliance software integrates firewall, VPN, and intrusion detection and prevention capabilities in a single platform.

The ASA 5500 AIP SSM monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library. When the ASA 5500 AIP SSM detects unauthorized activity, it can terminate the specific connection, permanently block the attacking host, log the incident, and send an alert to the device manager.

There are three models of the ASA 5500 AIP SSM:

ASA-SSM-AIP-10-K9

Supports 150 Mbps of IPS throughput when installed in ASA 5510

Supports 225 Mbps of IPS throughput when installed in ASA 5520

ASA-SSM-AIP-20-K9

Supports 375 Mbps of IPS throughput when installed in ASA 5520

Supports 500 Mbps of IPS throughput when installed in ASA 5540

ASA-SSM-AIP-40-K9

Supports 450 Mbps of IPS throughput on the ASA 5520

Supports 650 Mbps of IPS throughput on the ASA 5540

Figure 8-1 shows the AIP SSM-40.

Figure 8-1 AIP SSM-40

The ASA 5500 AIP SSM runs in either inline or promiscuous mode. The adaptive security appliance diverts packets to the ASA 5500 AIP SSM just before the packet exits the egress interface (or before VPN encryption occurs, if configured) and after other firewall policies are applied. For example, packets that are blocked by an access list are not forwarded to the ASA 5500 AIP SSM.

In promiscuous mode, the IPS receives packets over the GigabitEthernet interface, examines them for intrusive behavior, and generates alerts based on a positive result of the examination. In inline mode, there is the additional step of sending all packets that did not result in an intrusion back out the GigabitEthernet interface.

Figure 8-2 shows the adaptive security appliance with the ASA 5500 AIP SSM in a typical DMZ configuration. A DMZ is a separate network located in the neutral zone between a private (inside) network and a public (outside) network. The web server is on the DMZ interface, and HTTP clients from both the inside and outside networks can access the web server securely.

Figure 8-2 DMZ Configuration

In Figure 8-2, an HTTP client (10.10.10.10) on the inside network initiates HTTP communications with the DMZ web server (30.30.30.30). HTTP access to the DMZ web server is provided for all clients on the Internet; all other communications are denied. The network is configured to use an IP pool (a range of IP addresses available to the DMZ interface) of addresses between 30.30.30.50 and 30.30.30.60.

For More Information

For more information on setting up the adaptive security appliance, refer to the Getting Started Guides found at this URL:

http://www.cisco.com/en/US/products/ps6120/prod_installation_guides_list.html

For more information on installing the ASA 5500 AIP SSM, see Installing the ASA 5500 AIP SSM.

For more information on configuring the ASA 5500 AIP SSM to receive IPS traffic, refer to Configuring the ASA 5500 AIP SSM.

Specifications

Table 8-1 lists the specifications for the ASA 5500 AIP SSM:

Table 8-1 ASA 5500 AIP SSM Specifications 

Specification             Description
------------------------  --------------------------------------
Dimensions (H x W x D)    1.70 x 6.80 x 11.00 inches
Weight                    Minimum: 2.50 lb; Maximum: 3.00 lb (1)
Operating temperature     +32° to +104°F (+0° to +40°C)
Nonoperating temperature  -40° to +167°F (-40° to +75°C)
Humidity                  10% to 90%, noncondensing

(1) 2.70 lb for 45 c heatsink, approximately 3.00 lb for the 55c maximum


Memory Specifications

Table 8-2 lists the memory specifications for the ASA 5500 AIP SSM.

Table 8-2 ASA 5500 AIP SSM Memory Specifications

Model              CPU                DRAM
-----------------  -----------------  ------
ASA-SSM-AIP-10-K9  2.0 GHz Celeron    1.0 GB
ASA-SSM-AIP-20-K9  2.4 GHz Pentium 4  2.0 GB


Hardware and Software Requirements

The ASA 5500 AIP SSM has the following hardware and software requirements:

Cisco ASA 5500 series adaptive security appliance

ASA 5510 (ASA-SSM-AIP-10-K9)

ASA 5520 (ASA-SSM-AIP-10-K9 and ASA-SSM-AIP-20-K9)

ASA 5540 (ASA-SSM-AIP-20-K9)

Cisco Adaptive Security Appliance Software 7.0 or later

Cisco Intrusion Prevention System Software 5.0(2) or later

DES or 3DES-enabled

Indicators

Figure 8-3 shows the ASA 5500 AIP SSM indicators.

Figure 8-3 ASA 5500 AIP SSM Indicators

Table 8-3 describes the ASA 5500 AIP SSM indicators.

Table 8-3 ASA 5500 AIP SSM Indicators

 
     LED       Color  State                      Description
---  --------  -----  -------------------------  -------------------------------------------
1    PWR       Green  On                         The system has power.
2    STATUS    Green  Flashing                   The system is booting.
                      Solid                      The system has passed power-up diagnostics.
3    LINK/ACT  Green  Solid                      There is Ethernet link.
                      Flashing                   There is Ethernet activity.
4    SPEED     Green  100 MB                     There is network activity.
               Amber  1000 MB (GigabitEthernet)  There is network activity.


Installation and Removal Instructions

This section describes how to install and remove the ASA 5500 AIP SSM, and contains the following topics:

Installing the ASA 5500 AIP SSM

Verifying the Status of the ASA 5500 AIP SSM

Removing the ASA 5500 AIP SSM

Installing the ASA 5500 AIP SSM

To install the ASA 5500 AIP SSM for the first time, follow these steps:


Step 1 Power off the adaptive security appliance.

Step 2 Locate the grounding strap from the accessory kit and fasten it to your wrist so that it contacts your bare skin. Attach the other end to the chassis.

Step 3 Remove the two screws at the left back end of the chassis, and remove the slot cover.


Note Store the slot cover in a safe place for future use. You must install slot covers on all empty slots. This prevents EMI, which can disrupt other equipment.


Step 4 Insert the ASA 5500 AIP SSM through the slot opening.

Step 5 Attach the screws to secure the ASA 5500 AIP SSM to the chassis.

Step 6 Power on the adaptive security appliance by pushing the power switch at the back of the chassis.

Step 7 Check the indicators. If the ASA 5500 AIP SSM is properly installed, the POWER indicator is solid green and the STATUS indicator is flashing green. You can also verify that the ASA 5500 AIP SSM is online using the show module 1 command.

Step 8 Initialize the ASA 5500 AIP SSM.

Step 9 Install the most recent Cisco IPS software.

Step 10 Configure the ASA 5500 AIP SSM to receive IPS traffic.


For More Information

For more information about ESD, see Working in an ESD Environment.

For the procedure for verifying that the ASA 5500 AIP SSM is properly installed, see Verifying the Status of the ASA 5500 AIP SSM.

For the procedure for using the setup command to initialize the ASA 5500 AIP SSM, see "Initializing the Sensor."

For the procedure for obtaining the latest Cisco IPS software, see Obtaining Cisco IPS Software.

For the procedure for configuring the ASA 5500 AIP SSM to receive IPS traffic, refer to Configuring the ASA 5500 AIP SSM.

For the procedure for using HTTPS to log in to the IDM, refer to Logging In to the IDM.

Verifying the Status of the ASA 5500 AIP SSM

You can use the show module 1 command to verify that the ASA 5500 AIP SSM is up and running.

The following values are valid for the Status field:

Initializing—The ASA 5500 AIP SSM is being detected and the control communication is being initialized by the system.

Up—The ASA 5500 AIP SSM has completed initialization by the system.

Unresponsive—The system encountered an error communicating with the ASA 5500 AIP SSM.

Reloading—The ASA 5500 AIP SSM is reloading.

Shutting Down—The ASA 5500 AIP SSM is shutting down.

Down—The ASA 5500 AIP SSM is shut down.

Recover—The ASA 5500 AIP SSM is attempting to download a recovery image.

To verify the status of the ASA 5500 AIP SSM, follow these steps:


Step 1 Log in to the adaptive security appliance.

Step 2 Verify the status of ASA 5500 AIP SSM. If the status reads Up, the ASA 5500 AIP SSM has been properly installed.

asa# show module 1
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         P2B000005D0
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  1 000b.fcf8.0144 to 000b.fcf8.0144  0.2          1.0(9)0      5.0(0.27)S129.0
Mod Status
--- ------------------
  1 Up
asa#
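
A health check built on the Status field described above, as an added example that is not part of the Cisco guide: it parses the show module 1 output from Step 2 and maps the Status value to an action. The ok / wait / alert grouping and the function names are assumptions of this example, and cells are assumed to be separated by two or more spaces.

```python
import re

# Status values the guide lists as valid for the Status field.
# The grouping into ok / wait / alert is this example's assumption, not Cisco's.
STATUS_ACTION = {
    "Up": "ok",
    "Initializing": "wait", "Reloading": "wait",
    "Unresponsive": "alert", "Shutting Down": "alert",
    "Down": "alert", "Recover": "alert",
}

# Output copied from the guide's Step 2 example.
SAMPLE = """\
asa# show module 1
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         P2B000005D0
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  1 000b.fcf8.0144 to 000b.fcf8.0144  0.2          1.0(9)0      5.0(0.27)S129.0
Mod Status
--- ------------------
  1 Up
asa#
"""

def _cells(line):
    """Drop the leading Mod column, then split cells on runs of 2+ spaces."""
    rest = line.strip().split(None, 1)
    return re.split(r"\s{2,}", rest[1].strip()) if len(rest) == 2 else []

def parse_show_module(text):
    """Return {column name: value} merged across the header/rule/row tables."""
    lines = text.splitlines()
    fields = {}
    for i in range(len(lines) - 2):
        header, rule, row = lines[i:i + 3]
        # A table is a "Mod ..." header, a rule of dashes, then the module row.
        if header.startswith("Mod ") and re.fullmatch(r"[- ]+", rule.strip()):
            names, values = _cells(header), _cells(row)
            if len(names) == len(values):
                fields.update(zip(names, values))
    return fields

def module_action(text):
    """Map the parsed Status to ok / wait / alert; anything else is 'unknown'."""
    status = parse_show_module(text).get("Status")
    return STATUS_ACTION.get(status, "unknown")
```

A status outside the guide's list, or output with no Status table at all, returns "unknown" rather than being treated as healthy.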

Removing the ASA 5500 AIP SSM

To remove the ASA 5500 AIP SSM from the adaptive security appliance, follow these steps:


Step 1 Shut down the ASA 5500 AIP SSM.

asa# hw-module module 1 shutdown
Shutdown module in slot 1? [confirm]

Step 2 Press Enter to confirm.

Step 3 Verify that the ASA 5500 AIP SSM is shut down by checking the indicators.

Step 4 Power off the adaptive security appliance.

Step 5 Locate the grounding strap from the accessory kit and fasten it to your wrist so that it contacts your bare skin. Attach the other end to the chassis.

Step 6 Remove the two screws at the left back end of the chassis.

Step 7 Remove the ASA 5500 AIP SSM and set it aside.


Note If you are not replacing the ASA 5500 AIP SSM immediately, install the blank slot cover. Slot covers must cover all empty slots. This prevents EMI from disrupting other equipment.


Step 8 If you need to replace the existing ASA 5500 AIP SSM, insert the new ASA 5500 AIP SSM through the slot opening.


Note Do not replace the ASA 5500 AIP SSM with a different model. The adaptive security appliance will not recognize it.


Step 9 Attach the screws to secure the ASA 5500 AIP SSM to the chassis.

Step 10 Power on the adaptive security appliance.

Step 11 Reset the ASA 5500 AIP SSM.

asa# hw-module module 1 reset
Reset module in slot 1? [confirm]

Step 12 Press Enter to confirm.

Step 13 Check the indicators to see if the ASA 5500 AIP SSM is properly installed. If the ASA 5500 AIP SSM is properly installed, the POWER indicator is solid green and the STATUS indicator is flashing green. You can also verify installation using the show module 1 command.


For More Information

For more information on ESD, see Safety Recommendations.

For the procedure for verifying whether the ASA 5500 AIP SSM is properly installed, see Verifying the Status of the ASA 5500 AIP SSM.