Tuesday, July 31, 2012

Cisco IPS Module (ASA-SSM-10) In ASA: Step By Step Setup/Initial Configuration

Steps I took to install the IPS module into the ASA to the point of configuration of the IPS module.

Unbox the IPS module.
Power down the ASA.
Put the module in the ASA.
Power on the ASA.
When the ASA boots, do a "show module" to make sure the card is recognized.
Put the following settings in the unit:
------------------------
asa# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.

login: cisco
Password:
Change the password.
sensor#
sensor#
sensor# config t
sensor(config)# service host
sensor(config-hos)# network-settings
sensor(config-hos-net)# host-ip 192.168.1.2/24,192.168.1.1
sensor(config-hos-net)# access-list 192.168.1.0/24
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes?[yes]: yes
sensor(config)# exit
sensor# exit
------------------------------
Browse to https://192.168.1.2
License the IPS module.
Upgrades:
To upgrade the Engine:
1. Log into IPS module: session 1
2. type config t
3. type upgrade ftp://shane@192.168.1.2/IPS-engine-E4-req-6.2-2.pkg
4. type none
5. sensor reboots

IPS system:
6. log into IPS module
7. type config t
8. type upgrade ftp://shane@192.168.1.2/IPS-K9-6.2-2-E4.pkg
9. type none
10. yes
11. sensor reboots.

Signatures:
12. log into the IPS module
13. config t
14. upgrade ftp://shane@192.168.1.2/IPS-sig-S576-req-E4.pkg
15. type yes

OR, you can do this via web browser.
NOTE: After the upgrade, you may have to go back and put in the network settings again. I had to do this before.
sensor# config t
sensor(config)# service host
sensor(config-hos)# network-settings
sensor(config-hos-net)# host-ip 192.168.1.2/24,192.168.1.1
sensor(config-hos-net)# access-list 192.168.1.0/24
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes?[yes]: yes
sensor(config)# exit
sensor# exit


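Make all traffic that traverses the ASA go to the IPS module. We want it to be inline, not promiscuous. It's more secure: an inline sensor sits in the traffic path and can drop packets, while a promiscuous sensor only inspects a copy. Note that fail-open lets traffic pass uninspected if the module is down.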
asa(config)# access-list traffic_for_ips permit ip any any
asa(config)# class-map ips_class_map
asa(config-cmap)# match access-list traffic_for_ips
asa(config)# policy-map global_policy
asa(config-pmap)# class ips_class_map
asa(config-pmap-c)# ips inline fail-open

Service policy is already in place by default for the 'global_policy'.
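
To confirm from a saved running-config that the redirect is really inline, covers all IP traffic and is attached by a service-policy, a check like the following can be run offline. It is an added example, not part of the original post: the function name audit_ips_redirect and the sample config are constructed here, and it assumes that only a first ACL entry of "permit ip any any" counts as matching all traffic.

```python
import re

# Constructed sample: the ASA commands from this post as a running-config would
# show them, plus one unrelated default class.
SAMPLE_CONFIG = """\
access-list traffic_for_ips extended permit ip any any
class-map ips_class_map
 match access-list traffic_for_ips
policy-map global_policy
 class inspection_default
  inspect dns
 class ips_class_map
  ips inline fail-open
service-policy global_policy global
"""

def audit_ips_redirect(config):
    """Return one finding per 'ips' action found under a policy-map class."""
    acls, class_acl, applied, findings = {}, {}, set(), []
    cmap = pmap = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command leaves any sub-mode
            cmap = pmap = cls = None
        if m := re.match(r"access-list (\S+) (?:extended )?(.+)", line):
            acls.setdefault(m[1], []).append(m[2])
        elif line.startswith("class-map "):
            cmap = line.split()[-1]
        elif cmap and (m := re.match(r"match access-list (\S+)", line)):
            class_acl[cmap] = m[1]
        elif line.startswith("policy-map "):
            pmap = line.split()[-1]
        elif pmap and (m := re.match(r"class (\S+)", line)):
            cls = m[1]
        elif cls and (m := re.match(r"ips (inline|promiscuous) (fail-open|fail-close)", line)):
            findings.append({"policy": pmap, "class": cls,
                             "mode": m[1], "on_failure": m[2]})
        elif m := re.match(r"service-policy (\S+) ", line):
            applied.add(m[1])
    for f in findings:
        aces = acls.get(class_acl.get(f["class"]), [])
        # Assumption: only a first ACE of 'permit ip any any' counts as all traffic.
        f["matches_all_ip"] = aces[:1] == ["permit ip any any"]
        f["applied"] = f["policy"] in applied
        # fail-open: traffic is passed without inspection while the module is down.
        f["uninspected_on_failure"] = f["on_failure"] == "fail-open"
    return findings

if __name__ == "__main__":
    for finding in audit_ips_redirect(SAMPLE_CONFIG):
        print(finding)
```

A finding with mode "promiscuous", matches_all_ip False or applied False means the configuration does not do what the steps above intend.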

Next, go in and configure more settings in the web browser.