Filter
Top Products
18-2
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 18 Configuring the ASA 5500 AIP SSM
ASA 5500 AIP SSM Configuration Sequence
• IPS appliances reset both the attacker and victim when the Reset TCP Connection is selected and
they reset the victim when Deny Connection Inline is selected. For the ASA IPS modules, TCP
resets are sent by the ASA. The ASA resets the server, which in some cases is the attacker and in
others the victim. The ASA does not always reset the client. The TCP RST packet, which is
automatically generated with a reset action, should be sent to both the target and the attacker.
However, when the ASA IPS modules are in inline mode, and when signature 6251/0 is triggered,
the RST packet generated by Reset TCP Connection is sent to the attacker only.
TCP Reset Differences Between IPS Appliances and ASA IPS Modules
The IPS appliance sends TCP reset packets to both the attacker and victim when reset-tcp-connection is
selected. The IPS appliance sends a TCP reset packet only to the victim under the following
circumstances:
• When a deny-packet-inline or deny-connection-inline is selected
• When TCP-based signatures and reset-tcp-connection have NOT been selected
In the case of the ASA 5500 AIP SSM, the TCP reset request is sent to the ASA, and then the ASA sends
the TCP reset packets. The ASA sends TCP reset packets to both the attacker and victim when the
reset-tcp-connection is selected. When deny-packet-inline or deny-connection-inline is selected, the
ASA sends the TCP reset packet to either the attacker or victim depending on the configuration of the
signature. Signatures configured to swap the attacker and victim when reporting the alert can cause the
ASA to send the TCP reset packet to the attacker.
Reloading IPS Messages
The following messages generated during some IPS signature and global correlation updates for IPS 7.1
and later on the ASA 5500 AIP SSM can cause confusion since the IPS is not reloading:
ASA5585-SSP-IPS20 Module in slot 1, application up "IPS", version "7.1(1)E4" Normal
Operation
ASA5585-SSP-IPS20 Module in slot 1, application reloading "IPS", version "7.1(1)E4" Config
Change
These messages are generated during some, but not all, of the global correlation updates that are
attempted every five minutes. This is expected behavior. There is a global correlation check every five
minutes, but there may not be an update available, thus the message appears every hour or so. When a
global correlation update actually takes place, a message is sent from the IPS to the ASA indicating that
a configuration change is taking place.
ASA 5500 AIP SSM Configuration Sequence
Perform the following tasks to configure the ASA 5500 AIP SSM:
1. Obtain and install the current IPS software if your software is not up to date.
2. Obtain and install the license key.
3. Log (session) in to the ASA 5500 AIP SSM.
4. Run the setup command to initialize the ASA 5500 AIP SSM.
5. Verify initialization for the ASA 5500 AIP SSM.
6. (Optional) If you have Cisco Adaptive Security Appliance Software 7.2.3 or later, configure
multiple virtual sensors.
7. Configure the adaptive security appliance to send IPS traffic to the ASA 5500 AIP SSM.
8. Perform other initial tasks, such as adding users, trusted hosts, and so forth.