Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0, 78-16527-01
Chapter 14 Configuring AIP-SSM, page 14-2
8. Upgrade the IPS software with new signature updates and service packs. For more information, see Obtaining Cisco IPS Software, page 18-1.
9. Reimage AIP-SSM when needed. For the procedure, see Installing the AIP-SSM System Image, page 17-36.
Verifying AIP-SSM Initialization
You can use the show module slot details command to verify that you have initialized AIP-SSM and to
verify that you have the correct software version.
To verify initialization, follow these steps:
Step 1  Log in to ASA.
Step 2  Obtain the details about AIP-SSM:
hostname# show module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-20
Model: AIP-SSM-20
Hardware version: 0.2
Serial Number: P2B000005D0
Firmware version: 1.0(10)0
Software version: 5.0(0.27)S129.0
Status: Up
Mgmt IP addr: 10.89.149.219
Mgmt web ports: 881
Mgmt TLS enabled: false
hostname#
Step 3  Confirm the information. If you need to change anything, see Configuration Sequence, page 14-1,
for the tasks you need to perform to update AIP-SSM settings.
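One way to automate the check in Steps 2 and 3, as an added example that is not part of the Cisco guide: it parses captured show module 1 details output and reports a module that is not Up or that runs an unexpected software version. The function names, the expected_version parameter, and the extra finding for a management web server without TLS are assumptions of this example.

```python
import re

# Constructed sample: the `show module 1 details` output shown in Step 2.
SAMPLE = """\
hostname# show module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-20
Model: AIP-SSM-20
Hardware version: 0.2
Serial Number: P2B000005D0
Firmware version: 1.0(10)0
Software version: 5.0(0.27)S129.0
Status: Up
Mgmt IP addr: 10.89.149.219
Mgmt web ports: 881
Mgmt TLS enabled: false
hostname#
"""

def parse_module_details(text):
    """Return the 'Key: value' fields of the output as a dict (hypothetical helper)."""
    fields = {}
    for line in text.splitlines():
        # Prompt and banner lines have no 'letters-and-spaces:' prefix and are skipped.
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$", line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields

def verify_module(text, expected_version):
    """Return a list of findings; an empty list means every check passed."""
    f = parse_module_details(text)
    findings = []
    if not f:
        return ["no module fields found (wrong slot or command failed?)"]
    if f.get("Status") != "Up":
        findings.append("module status is %r, expected 'Up'" % f.get("Status"))
    if f.get("Software version") != expected_version:
        findings.append("software version is %r, expected %r"
                        % (f.get("Software version"), expected_version))
    # Added check (assumption of this example): flag a management web server without TLS.
    if f.get("Mgmt TLS enabled", "").lower() != "true":
        findings.append("management web server is not using TLS")
    return findings

if __name__ == "__main__":
    for finding in verify_module(SAMPLE, "5.0(0.27)S129.0") or ["all checks passed"]:
        print(finding)
```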
Sending Traffic to AIP-SSM
This section describes how to configure AIP-SSM to receive IPS traffic from ASA (inline or
promiscuous mode), and contains the following sections:
• Overview, page 14-2
• Configuring ASA to Send IPS Traffic to AIP-SSM, page 14-3
Overview
ASA diverts packets to AIP-SSM just before the packet exits the egress interface (or before VPN
encryption occurs, if configured) and after other firewall policies are applied. For example, packets that
are blocked by an access list are not forwarded to AIP-SSM.
You can configure AIP-SSM to inspect traffic in inline or promiscuous mode and in fail-open or fail-over
mode.