Filter
Top Products
20-2
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 20 Configuring the ASA 5585-X IPS SSP
Configuration Sequence for the ASA 5585-X IPS SSP
• The ASA 5585-X IPS SSP has four types of ports (console, management, GigabitEthernet, and
10GE). The console and management ports (on the right front panel of the ASA 5585-X IPS SSP)
are configured and controlled by IPS software. The GigabitEthernet and 10GE ports (on the left
front panel of the ASA 5585-X IPS SSP) are configured and controlled by ASA software rather than
IPS software. However, when you reset or shut down the ASA 5585-X IPS SSP, the GigabitEthernet
and 10GE ports will also link down. You should reset or shut down the ASA 5585-X IPS SSP during
scheduled maintenance windows to minimize the effect of the link down on these ports.
TCP Reset Differences Between IPS Appliances and ASA IPS Modules
The IPS appliance sends TCP reset packets to both the attacker and victim when reset-tcp-connection is
selected. The IPS appliance sends a TCP reset packet only to the victim under the following
circumstances:
• When a deny-packet-inline or deny-connection-inline is selected
• When TCP-based signatures and reset-tcp-connection have NOT been selected
In the case of the ASA 5585-X IPS SSP, the TCP reset request is sent to the ASA, and then the ASA
sends the TCP reset packets. The ASA sends TCP reset packets to both the attacker and victim when the
reset-tcp-connection is selected. When deny-packet-inline or deny-connection-inline is selected, the
ASA sends the TCP reset packet to either the attacker or victim depending on the configuration of the
signature. Signatures configured to swap the attacker and victim when reporting the alert can cause the
ASA to send the TCP reset packet to the attacker.
Reloading IPS Messages
The following messages generated during some IPS signature and global correlation updates for IPS 7.1
and later on the ASA 5585-X IPS SSP can cause confusion since the IPS is not reloading:
ASA5585-SSP-IPS20 Module in slot 1, application up "IPS", version "7.1(1)E4" Normal
Operation
ASA5585-SSP-IPS20 Module in slot 1, application reloading "IPS", version "7.1(1)E4" Config
Change
These messages are generated during some, but not all, of the global correlation updates that are
attempted every five minutes. This is expected behavior. There is a global correlation check every five
minutes, but there may not be an update available, thus the message appears every hour or so. When a
global correlation update actually takes place, a message is sent from the IPS to the ASA indicating that
a configuration change is taking place.
Configuration Sequence for the ASA 5585-X IPS SSP
Perform the following tasks to configure the ASA 5585-X IPS SSP:
1. Obtain and install the current IPS software if your software is not up to date.
2. Obtain and install the license key.
3. Log (session) in to the ASA 5585-X IPS SSP.
4. Run the setup command to initialize the ASA 5585-X IPS SSP.
5. Verify initialization for the ASA 5585-X IPS SSP.
6. Configure the adaptive security appliance to send IPS traffic to theASA 5585-X IPS SSP.
7. Perform other initial tasks, such as adding users, trusted hosts, and so forth.
8. Configure intrusion prevention.