• Getting into the module
• Configuring an IP
• Applying a license
• Setting up a schedule for it to download updated signatures
• Telling the ASA to pass the IPS traffic so it can do something useful
• Backing up the configuration
• Monitoring what the IPS is doing
• Resetting the module or formatting it
• Creating a Service Account
_________________________________________________________
• Getting into the module
First you need to SSH to the ASA and then do a show module to see the status of the IPS. It should look something like this:
!
asa# show mod
Mod Card Type Model Serial No.
--- -------------------------------------------- ------------------ -----------
0 ASA 5505 Adaptive Security Appliance ASA5505
1 ASA 5500 Series AIP Security Services Card-5 ASA-SSC-AIP-5
!
Mod SSC Application Name Status SSC Application Version
--- ------------------------------ ---------------- --------------------------
1 IPS Up 6.2(2)E4
In order to do anything beyond looking at the status of the module you will need to get into the ASDM and run through the initial configuration for the IPS.
• Configuring an IP
The configuration assistant will ask you to name the device and to select the network that you want the IPS on. In this case we have it on the inside 192.168.X.0/24 network and have assigned it a .167 address. The username and password are also needed and thats about it. Once you have this completed you can select the Intrusion Prevention tab next to the Firewall Dashboard on the home screen of the ASDM or you can open an https connection to the IP of you gave to the IPS and using Cisco IDM manage the IPS.
• Applying a license
Under configuration you can select the IPS module tab and then scroll down till you licensing. The file that you were given can be uploaded to the module by defining the local path from the update license field.
• Setting up a schedule for it to download updated signatures
In the ASDM you have an easy signature retrieval setup section, the only trouble is that if you leave it set to the default hourly boundary (like 02:00 am) it will error out with something like this: http error response: 500 error
The reason has to do with the time so it's easy enough to set it to something else (like 02:01 am) and it will work fine. Here is a link to the page that describes the fix.
• Telling the ASA to pass the IPS traffic so it can do something useful
The basic setup I have is to send traffic to the Sensor for inspection and if the module fails go around it rather than stop processing. Here is what it looks like on the ASA:
!
class-map ips_class
match access-list IPS
!
policy-map ips_policy
class ips_class
ips inline fail-open <---- important for uptime
! service-policy ips_policy interface outside
! access-list IPS extended permit ip any any
!
• Backing up the configuration
First you need to go into your server (configuration destination accepting ssh connections) and create the config file you are goign to copy over - something like asa-ips.cfg. Now do a chmod 777 and then go to the ASA (or more specifically the IPS module) and then issue this command:
IPS# copy current-config scp://serveripaddress/path/filename-ips.cfg
Password: ******
Generating current config: ..........
It should fail saying something like this:
!
Protocol major versions differ: 1 vs. 2
Unsupported remote protocol version for host, 192.168.X.X - must support SSH version 1
I tried many ways to get the configuration off the box (even changing the SSH version on the server to support v1, which eventually worked). The reason for this error message is that the server I was sending the file to was not known by the sensor. In order to correct this you need to perform the following:
IPS# ssh host-key 192.168.x.x
!
It comes back with a message about the key it's pulled back from the server. You say yes to this. If you now do a "show host-keys" or a "show host-keys 192.168.x.x" you will see that the sensor has pulled in the key for the server and will now pass it's configuration file to it.
Now try the command and after what seems like a century it will produce the config file and pass it to the server. If you have any questions about this process you can look at this link.
I'm sure why this is but I was able to alter the configuration on the server (vi /etc/sshd_config and under #Port 22 change it to "Protocol 1") and reload it. Now you should be able to issue the scp command and succeed in backing up the config.
• Monitoring what the Sensor is doing
In order to verify that the Sensor is in fact "seeing" traffic and acting on it you can enable signatures 2000 and 2004. These are for ICMP messages (pings) and once enabled you should be able to see them trigger by pinging something behind the IPS.
• Resetting the module or formatting it
From the ASA you can reload or reset the module with the following command:
asa# hw-module module 1 ?
allow-ip Allow specific hosts/network to access the module
ip Configure management IP parameters
password-reset Reset the CLI password on the module
recover Configure recovery of this module
reload Reload the module
reset Reset the module
shutdown Shut down the module
• Creating a Service Account
This link has some great info on how to create a services account on the IPS so you can do all kinds of cool unix commands. I created an account in an attempt to get tftp to work but I ended up altering the server to support SSH V1 instead:
http://flylib.com/books/en/2.464.1.133/1/
4 comments:
I just bought this card for my ASA 5505 and upgraded the software to 8.2 and when I boot up the ASA with this card placed into its slot. The ASA will not finish booting. It always stops at the line where it shows the "Processor memory 139661312, Reserved memory: 41943040 (DSOs: 0 + kernel: 41943040)" If i remove the card it boots normally.
This may be a hardware issue with the AIP module. Have you tried calling the Cisco TAC?
I had the same issue. I then came across a line in the Release Notes that said that after a software upgrade, it can take the AIP up to 20 minutes to initialize. Basically, just sit there long enough and it'll continue booting.
Great post. Thanks for taking the time to do so.
Post a Comment