AIP SSM-10 - How to Verify Traffic is being passed for inspection?

Guest

Post by Guest » Fri Jun 18, 2010 2:26 pm


Hi there,

I have set up an AIP-SSM on our ASA5510 for the first time, following this excellent guide: http://www.cisco.com/en/US/products/ps6 ... .shtml.

The differences between the environment used in the doco and ours are the specs of our ASA and module, which are the following: IOS version 8.0(4), ASDM version 6.1(3), and SSM application version 6.0(5)E2. I have followed all the steps to enable connectivity to the module from ASDM, and created the access list to allow all IP traffic to be passed to the module for inspection, and the class map and policy map indicating the mode promiscuous, fail-open. The service policy is applied globally.

The problem I face is that when I try to verify, as stated in the guide, with the command show events alert on the module CLI, I do not get any output, so I'm not sure if traffic is being passed to the module. Can someone please help me clarify this?

Regards,
Esteban

Guest

Re:AIP SSM-10 - How to Verify Traffic is being passed for inspection?

Post by Guest » Fri Jun 18, 2010 3:54 pm


Execute "show conf" on your AIP SSM CLI. Verify that the GigabitEthernet0/1 backplane interface of the SSM has been assigned to virtual sensor vs0.

If it has not, then run "setup" and near the end of the setup wizard there will be an option to edit the interface and virtual sensor configuration. Use this option to modify the configuration for virtual sensor vs0 and in the interface.

You can also run "show stat virtual-sensor vs0" to see the counts of packets being analyzed by vs0.

Guest

Re:AIP SSM-10 - How to Verify Traffic is being passed for inspection?

Post by Guest » Fri Jun 18, 2010 4:38 pm


In addition to what Marco suggested, also use the following command to see packets sent and received to the module:

show service-policy
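
The setup described in the first post and the checks suggested in the replies, collected as an added example (not part of the original thread or of the Cisco guide). The names IPS-TRAFFIC and IPS-CLASS are assumptions; global_policy is the ASA's default global policy map.

```cisco
! --- ASA, global configuration mode ---
! IPS-TRAFFIC and IPS-CLASS are assumed names for this example.
! Match all IP traffic so that it is handed to the AIP SSM.
access-list IPS-TRAFFIC extended permit ip any any
class-map IPS-CLASS
 match access-list IPS-TRAFFIC
! promiscuous: the module inspects a copy of the traffic
! fail-open:   traffic keeps flowing if the module is unavailable
policy-map global_policy
 class IPS-CLASS
  ips promiscuous fail-open
service-policy global_policy global
!
! --- ASA, verification ---
! The IPS section for the class shows the packet counters for
! traffic handed to the module; they should increase under load.
show service-policy
!
! --- AIP SSM CLI, verification ---
! Confirm GigabitEthernet0/1 is assigned to virtual sensor vs0.
show conf
! Packet counts analyzed by vs0; zero means nothing is reaching the sensor.
show stat virtual-sensor vs0
! Alerts appear only when a signature fires, so empty output here
! does not by itself mean that no traffic is being inspected.
show events alert
```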

Guest

Re:AIP SSM-10 - How to Verify Traffic is being passed for inspection?

Post by Guest » Fri Jun 18, 2010 5:47 pm


Guys,

Thanks a million to both of you. Great help.

Now that I can see the traffic going to the module, I'm wondering the best way to test the module. Is there any tool that will allow me to test this IPS module?

Regards,
Esteban

Guest

Re:AIP SSM-10 - How to Verify Traffic is being passed for inspection?

Post by Guest » Fri Jun 18, 2010 6:21 pm


Well, you may either run a test using traffic gen. simulators like Nmap or Nessus.

Alternatively, you may enable ICMP signature 2051/2 and ping through the module; you will see alerts being generated for this, thus confirming IPS functionality.
