    							 
    Cisco ASA Series Firewall ASDM Configuration Guide
    Chapter 31      Configuring the ASA IPS Module

    Configuring the ASA IPS module
    This section describes how to configure the ASA IPS module and includes the following topics:
    Task Flow for the ASA IPS Module, page 31-7
    Connecting the ASA IPS Management Interface, page 31-8
    Sessioning to the Module from the ASA (May Be Required), page 31-11
    Configuring Basic IPS Module Network Settings, page 31-12
    (ASA 5512-X through ASA 5555-X) Booting the Software Module, page 31-12
    Configuring the Security Policy on the ASA IPS Module, page 31-15
    Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher), page 31-17
    Diverting Traffic to the ASA IPS module, page 31-18
    Task Flow for the ASA IPS Module
    Configuring the ASA IPS module is a process that includes configuration of the IPS security policy on 
    the ASA IPS module and then configuration of the ASA to send traffic to the ASA IPS module. To 
    configure the ASA IPS module, perform the following steps:
    Step 1  Cable the ASA IPS management interface. See the “Connecting the ASA IPS Management Interface” section on page 31-8.
    Step 2  Session to the module. Access the IPS CLI over the backplane. For ASDM users, you may need to session to the module to boot the IPS software if it is not running. See the “Sessioning to the Module from the ASA (May Be Required)” section on page 31-11.
    Step 3  (ASA 5512-X through ASA 5555-X; may be required) Install the software module. See the “(ASA 5512-X through ASA 5555-X) Booting the Software Module” section on page 31-12.
    Step 4  Depending on your ASA model:
        (ASA 5510 and higher) Configure basic network settings for the IPS module. See the “(ASA 5510 and Higher) Configuring Basic Network Settings” section on page 31-13.
        (ASA 5505) Configure the management VLAN and IP address for the IPS module. See the “(ASA 5505) Configuring Basic Network Settings” section on page 31-14.
    Step 5  On the module, configure the inspection and protection policy, which determines how to inspect traffic and what to do when an intrusion is detected. See the “Configuring the Security Policy on the ASA IPS Module” section on page 31-15.
    Step 6  (ASA 5510 and higher, optional) On the ASA in multiple context mode, specify which IPS virtual sensors are available for each context (if you configured virtual sensors). See the “Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)” section on page 31-17.
    Step 7  On the ASA, identify traffic to divert to the ASA IPS module. See the “Diverting Traffic to the ASA IPS module” section on page 31-18.
    						
    							 
    Connecting the ASA IPS Management Interface
    In addition to providing management access to the IPS module, the IPS management interface needs access to an HTTP proxy server or a DNS server and to the Internet so that the module can download global correlation updates and signature updates and complete license requests. Because this interface is both reachable from the management network and reaches out to the Internet, restrict the hosts allowed to use it with the management access list configured later in this chapter, and allow only the proxy or DNS path the module needs. This section describes recommended network configurations. Your network may differ.
    ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X (Hardware Module), page 31-8
    ASA 5512-X through ASA 5555-X (Software Module), page 31-9
    ASA 5505, page 31-10
    ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X (Hardware Module)
    The IPS module includes a separate management interface from the ASA.
    If you have an inside router
    If you have an inside router, you can route between the management network, which can include both 
    the ASA Management 0/0 and IPS Management 1/0 interfaces, and the ASA inside network. Be sure to 
    also add a route on the ASA to reach the Management network through the inside router.
    Figure: ASA 5585-X front panel. The ASA SSP carries the ASA Management 0/0 port (default IP 192.168.1.1); the IPS SSP carries the IPS Management 1/0 port (default IP 192.168.1.2).
    Figure: Hardware module with an inside router. Outside: Internet. The ASA inside interface connects to the inside router. The management network behind that router holds ASA Management 0/0, IPS Management 1/0, the management PC, and a proxy or DNS server (for example). The inside router is the IPS default gateway and the ASA gateway for the management network.
    						
    							 
    If you do not have an inside router
    If you have only one inside network, then you cannot also have a separate management network, which 
    would require an inside router to route between the networks. In this case, you can manage the ASA from 
    the inside interface instead of the Management 0/0 interface. Because the IPS module is a separate device 
    from the ASA, you can configure the IPS Management 1/0 address to be on the same network as the 
    inside interface.
    ASA 5512-X through ASA 5555-X (Software Module)
    These models run the IPS module as a software module, and the IPS management interface shares the 
    Management 0/0 interface with the ASA. 
    If you have an inside router
    If you have an inside router, you can route between the Management 0/0 network, which includes both 
    the ASA and IPS management IP addresses, and the inside network. Be sure to also add a route on the 
    ASA to reach the Management network through the inside router.
    Figure: Hardware module without an inside router. The ASA inside interface, IPS Management 1/0, the management PC, and a proxy or DNS server (for example) all connect to one inside Layer 2 switch; ASA Management 0/0 is not used; the IPS default gateway is the ASA; the Internet is reached through the outside interface.
    Figure: ASA 5545-X rear panel. Management 0/0 is shared: the ASA Management 0/0 address defaults to 192.168.1.1 and the IPS management address on the same port defaults to 192.168.1.2.
    Figure: Software module with an inside router. Management 0/0 (carrying both the ASA and IPS management addresses), the management PC, and a proxy or DNS server (for example) sit on the management network; the inside router is the IPS default gateway and the ASA gateway for management and connects the management network to the inside network; the Internet is reached through the outside interface.
    						
    							 
    If you do not have an inside router
    If you have only one inside network, then you cannot also have a separate management network. In this 
    case, you can manage the ASA from the inside interface instead of the Management 0/0 interface. If you 
    remove the ASA-configured name from the Management 0/0 interface, you can still configure the IPS 
    IP address for that interface. Because the IPS module is essentially a separate device from the ASA, you 
    can configure the IPS management address to be on the same network as the inside interface.
    Note: You must remove the ASA-configured name for Management 0/0; if it is configured on the ASA, then the IPS address must be on the same network as the ASA, and that excludes any networks already configured on other ASA interfaces. If the name is not configured, then the IPS address can be on any network, for example, the ASA inside network.
    Figure: Software module without an inside router. Management 0/0 (IPS only) connects to the inside Layer 2 switch together with the ASA inside interface, the management PC, and a proxy or DNS server (for example); the IPS default gateway is the ASA; the Internet is reached through the outside interface.
    ASA 5505
    The ASA 5505 does not have a dedicated management interface. You must use an ASA VLAN to access an internal management IP address over the backplane. Connect the management PC to one of the following ports: Ethernet 0/1 through 0/7, which are assigned to VLAN 1.
    Figure: ASA 5505 with the Cisco ASA SSC-05 in the Security Services Card slot. Switch ports 1 through 7 are in VLAN 1. Default ASA IP 192.168.1.1, default IPS IP 192.168.1.2, default IPS gateway 192.168.1.1 (the ASA). The management PC connects to a VLAN 1 port and takes its IP address from DHCP.
    What to Do Next
    (ASA 5510 and higher) Configure basic network settings. See the “(ASA 5510 and Higher) Configuring Basic Network Settings” section on page 31-13.
    (ASA 5505) Configure management interface settings. See the “(ASA 5505) Configuring Basic Network Settings” section on page 31-14.
    						
    							 
    Sessioning to the Module from the ASA (May Be Required)
    To access the IPS module CLI from the ASA, you can session from the ASA. For software modules, you 
    can either session to the module (using Telnet) or create a virtual console session. A console session 
    might be useful if the control plane is down and you cannot establish a Telnet session.
    You may need to access the CLI if you are using multiple context mode and you need to set basic network 
    settings using the CLI, or for troubleshooting.
    Detailed Steps
    Telnet session
      Command (hardware module, for example the ASA 5585-X):
          session 1
      Command (software module, for example the ASA 5545-X):
          session ips
      Purpose: Accesses the module using Telnet over the backplane. You are prompted for the username and password. The default username is cisco, and the default password is cisco.
      Note: The first time you log in to the module, you are prompted to change the default password. Passwords must be at least eight characters long and cannot be a word in the dictionary.
      Example:
          ciscoasa# session 1
          Opening command session with slot 1.
          Connected to slot 1. Escape character sequence is CTRL-^X.
          sensor login: cisco
          Password: cisco
    Console session (software module only)
      Command:
          session ips console
      Purpose: Accesses the module console. You are prompted for the username and password. The default username is cisco, and the default password is cisco.
      Note: Do not use this command in conjunction with a terminal server where Ctrl-Shift-6, x is the escape sequence to return to the terminal server prompt. Ctrl-Shift-6, x is also the sequence to escape the IPS console and return to the ASA prompt. Therefore, if you try to exit the IPS console in this situation, you instead exit all the way to the terminal server prompt. If you reconnect the terminal server to the ASA, the IPS console session is still active; you can never exit to the ASA prompt. You must use a direct serial connection to return the console to the ASA prompt. Use the session ips command instead.
      Example:
          ciscoasa# session ips console
          Establishing console session with slot 1
          Opening console session with module ips.
          Connected to module ips. Escape character sequence is CTRL-SHIFT-6 then x.
          sensor login: cisco
          Password: cisco
    						
    							 
    (ASA 5512-X through ASA 5555-X) Booting the Software Module
    Your ASA typically ships with IPS module software present on disk0. If the module is not running, or if you are adding the IPS module to an existing ASA, you must boot the module software. If you are unsure whether the module is running, run the Startup Wizard: when the module is not running, the IPS Basic Configuration screen does not appear (see the “Configuring Basic IPS Module Network Settings” section on page 31-12).
    Detailed Steps
    Step 1  Do one of the following:
        New ASA with IPS pre-installed—To view the IPS module software filename in flash memory, choose Tools > File Management. For example, look for a filename like IPS-SSP_5512-K9-sys-1.1-a-7.1-4-E4.aip. Note the filename; you will need this filename later in the procedure.
        Existing ASA with new IPS installation—Download the IPS software from Cisco.com to your computer. If you have a Cisco.com login, you can obtain the software from the following website:
        http://www.cisco.com/cisco/software/navigator.html?mdfid=282164240
        Before uploading the file, compare its checksum with the value published on the download page, so that a corrupted or tampered image is caught before it is booted on the module. Choose Tools > File Management, then choose File Transfer > Between Local PC and Flash to upload the new image to disk0. Note the filename; you will need this filename later in the procedure.
    Step 2  Choose Tools > Command Line Interface.
    Step 3  To set the IPS module software location in disk0, enter the following command and then click Send:
        sw-module module ips recover configure image disk0:file_path
        For example, using the filename in the example in Step 1, enter:
        sw-module module ips recover configure image disk0:IPS-SSP_5512-K9-sys-1.1-a-7.1-4-E4.aip
    Step 4  To install and load the IPS module software, enter the following command and then click Send:
        sw-module module ips recover boot
    Step 5  To check the progress of the image transfer and module restart process, enter the following command and then click Send:
        show module ips details
        The Status field in the output indicates the operational status of the module. A module operating normally shows a status of “Up.” While the ASA transfers an application image to the module, the Status field reads “Recover.” When the ASA completes the image transfer and restarts the module, the newly transferred image is running.
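    The Status values in Step 5 are what an operator polls for while the module boots. The following is an added example, not code from the Cisco guide: a small Python parser for the “Label: value” lines that show module ips details prints, which turns the Status field into a ready/not-ready decision and flags a module that came up still on the default management address 192.168.1.2. The two sample outputs are constructed for this example and model only the line layout; every field name other than Status and the 192.168.1.2 default is an assumption.

```python
"""Reading 'show module ips details' output while the software module boots.

Added example; not code from the Cisco guide. The procedure above says the
Status field reads "Recover" while the ASA copies the image to the module and
"Up" once the module runs normally. This parses the command's "Label: value"
lines and turns Status into a ready/not-ready decision, then flags a module
that came up still on the default management address. The sample outputs are
constructed for this example; they model only the line layout, and every field
name other than Status and the 192.168.1.2 default is an assumption.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: module part-way through 'sw-module module ips recover boot'.
SAMPLE_RECOVERING = """\
Getting details from the Service Module, please wait...
Card Type:          IPS Security Services Processor (constructed sample)
App. name:          IPS
App. Status:        Not Applicable
Status:             Recover
Mgmt IP addr:       Not set
"""

# Constructed sample: module running, still at the factory default management address.
SAMPLE_UP = """\
Getting details from the Service Module, please wait...
Card Type:          IPS Security Services Processor (constructed sample)
App. name:          IPS
App. Status:        Up
App. Status Desc:   Normal Operation
Status:             Up
Mgmt IP addr:       192.168.1.2
Mgmt Network mask:  255.255.255.0
Mgmt Gateway:       192.168.1.254
Mgmt web ports:     443
"""

# A label of letters, dots and spaces, a colon, then the value; other lines are skipped.
FIELD = re.compile(r"^([A-Za-z][A-Za-z. ]*?):\s+(.*?)\s*$")
DEFAULT_IPS_MGMT_ADDR = "192.168.1.2"   # default management address named in this chapter


def parse_show_module(output: str) -> Dict[str, str]:
    """Collect the 'Label: value' lines into a dict keyed by label."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def module_state(output: str) -> Tuple[str, bool]:
    """Return (status, ready); ready is True only when the module reports 'Up'."""
    status = parse_show_module(output).get("Status", "Unknown")
    return status, status == "Up"


def post_boot_warnings(output: str) -> List[str]:
    """Follow-ups once the module is Up: here, a management address left at its default."""
    fields = parse_show_module(output)
    warnings: List[str] = []
    if fields.get("Mgmt IP addr") == DEFAULT_IPS_MGMT_ADDR:
        warnings.append("management address is still the default 192.168.1.2; "
                        "configure it in the Startup Wizard's IPS Basic Configuration screen")
    return warnings


if __name__ == "__main__":
    for sample in (SAMPLE_RECOVERING, SAMPLE_UP):
        status, ready = module_state(sample)
        print(f"Status={status} ready={ready}")
        if ready:
            for w in post_boot_warnings(sample):
                print("warning:", w)
```

    Re-run the command until module_state reports ready; anything other than “Recover” or “Up” means the recovery did not start as expected, so re-check the image path given in Step 3.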
    Configuring Basic IPS Module Network Settings
    (ASA 5510 and Higher) Configuring Basic Network Settings, page 31-13
    (ASA 5505) Configuring Basic Network Settings, page 31-14 
    						
    							 
    (ASA 5510 and Higher) Configuring Basic Network Settings
    In single context mode, you can use the Startup Wizard in ASDM to configure basic IPS network 
    configuration. These settings are saved to the IPS configuration, not the ASA configuration.
    In multiple context mode, session to the module from the ASA and configure basic settings using the 
    setup command.
    Note: (ASA 5512-X through ASA 5555-X) If you do not see the IPS Basic Configuration screen in your wizard, then the IPS module is not running. See the “(ASA 5512-X through ASA 5555-X) Booting the Software Module” section on page 31-12, and then repeat this procedure after you install the module.
    Detailed Steps—Single Mode
    Step 1  Choose Wizards > Startup Wizard.
    Step 2  Click Next to advance through the initial screens until you reach the IPS Basic Configuration screen.
    Step 3  In the Network Settings area, configure the following:
        IP Address—The management IP address. By default, the address is 192.168.1.2.
        Subnet Mask—The subnet mask for the management IP address.
        Gateway—The IP address of the next-hop (upstream) router. See the “Connecting the ASA IPS Management Interface” section on page 31-8 to understand the requirements for your network. The default setting, the ASA management IP address, will not work.
        HTTP Proxy Server—(Optional) The HTTP proxy server address. You can use a proxy server to download global correlation updates and other information instead of downloading directly over the Internet.
        HTTP Proxy Port—(Optional) The HTTP proxy server port.
        DNS Primary—(Optional) The primary DNS server address. If you are using a DNS server, you must configure at least one DNS server and it must be reachable for global correlation updates to be successful.
        For global correlation to function, you must have either a DNS server or an HTTP proxy server configured at all times. DNS resolution is supported only for accessing the global correlation update server.
    Step 4  In the Management Access List area, enter an IP address and subnet mask for any hosts that are allowed to access the IPS management interface, and click Add. You can add multiple IP addresses. Keep this list to the management hosts that actually need access; it is the access control on the IPS management interface itself.
    Step 5  In the Cisco Account Password area, set the password for the username cisco and confirm it. The username cisco and this password are used for Telnet sessions from hosts specified by the management ACL and when accessing the IPS module from ASDM (Configuration > IPS). By default, the password is cisco; do not leave the default in place.
    Step 6  In the Network Participation area, which you use to have the IPS module participate in SensorBase data sharing, click Full, Partial, or Off.
    						
    							 
    Detailed Steps—Multiple Mode Using the CLI
    Step 1  Session to the IPS module according to the “Sessioning to the Module from the ASA (May Be Required)” section on page 31-11.
    Step 2  setup
      Example:
          sensor# setup
      Purpose: Runs the setup utility for initial configuration of the ASA IPS module. You are prompted for basic settings. For the default gateway, specify the IP address of the upstream router. See the “Connecting the ASA IPS Management Interface” section on page 31-8 to understand the requirements for your network. The default setting, the ASA management IP address, will not work.
    (ASA 5505) Configuring Basic Network Settings
    An ASA IPS module on the ASA 5505 does not have any external interfaces. You can configure a VLAN to allow access to an internal IPS management IP address over the backplane. By default, VLAN 1 is enabled for IPS management. You can only assign one VLAN as the management VLAN. This section describes how to change the management VLAN and IP address if you do not want to use the default, and how to set other required network parameters.
    Note: Perform this configuration on the ASA 5505, not on the ASA IPS module.
    Prerequisites
    When you change the IPS VLAN and management address from the default, be sure to also configure the matching ASA VLAN and switch port(s) according to the procedures listed in Chapter 12, “Starting Interface Configuration (ASA 5505),” in the general operations configuration guide. You must define and configure the VLAN for the ASA so the IPS management interface is accessible on the network.
    Restrictions
    Do not configure NAT for the management address if you intend to access it using ASDM. For initial setup with ASDM, you need to access the real address. After initial setup (where you set the password on the ASA IPS module), you can configure NAT and supply ASDM with the translated address for accessing the ASA IPS module.
    Detailed Steps
    Step 1  In ASDM, choose Configuration > Device Setup > SSC Setup.
    Note: The following settings are written to the ASA IPS module application configuration, not the ASA configuration.
    Step 2  In the Management Interface area, set the following:
    a.  Choose the Interface VLAN from the drop-down list. This setting allows you to manage the ASA IPS module using this VLAN.
    						
    							 
    b.  Enter the IPS management IP address. Make sure this address is on the same subnet as the ASA VLAN IP address. For example, if you assigned 10.1.1.1 to the VLAN for the ASA, then assign another address on that network, such as 10.1.1.2, for the IPS management address. By default, the address is 192.168.1.2.
    c.  Choose the subnet mask from the drop-down list.
    d.  Enter the default gateway IP address. Set the gateway to be the ASA IP address for the management VLAN. By default, this IP address is 192.168.1.1.
    Step 3  In the Management Access List area, enter the following:
    a.  Enter the IP address for the management host network.
    b.  Choose the subnet mask from the drop-down list.
    c.  Click Add to add these settings to the Allowed Hosts/Networks list.
    Step 4  In the IPS Password area, do the following:
    a.  Enter the current password. The default password is cisco.
    b.  Enter the new password, and confirm the change.
    Step 5  Click Apply to save the settings to the running configuration.
    Step 6  To launch the IPS Startup Wizard, click the Configure the IPS SSC module link.
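    The addressing rules in this chapter are stated in several places: the Management 0/0 note for the software module (with an ASA name on the interface, the IPS address must be on the ASA management network and not on a network used by another ASA interface), the gateway rule for the ASA 5510 and higher (the ASA management address does not work as the IPS gateway), and the same-subnet and ASA-as-gateway rules for the ASA 5505 above. The following added example, not Cisco's code, encodes those rules as a plan checker to run before values are entered in the Startup Wizard, the SSC Setup pane, or the sensor setup utility. The IpsMgmtPlan structure, its field names, and the management access list check (empty list or catch-all entry) are this example's own.

```python
"""Plan checker for ASA IPS module management addressing.

Added example; not code from the Cisco guide. Encodes the constraints this
chapter states in prose so a planned configuration can be checked before it is
entered in the Startup Wizard, the SSC Setup pane or the sensor's setup
utility. The plan structure and the management access list check are this
example's own.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IpsMgmtPlan:
    # "hardware" (ASA 5510 through ASA 5585-X), "software" (ASA 5512-X through
    # ASA 5555-X) or "5505"
    platform: str
    ips_addr: str                  # IPS management address with prefix length, e.g. "192.168.1.2/24"
    gateway: str                   # IPS default gateway
    asa_mgmt_addr: Optional[str] = None  # ASA Management 0/0 address, or the ASA 5505 management VLAN address
    asa_mgmt_named: bool = True    # software module: Management 0/0 still has an ASA nameif
    other_asa_networks: List[str] = field(default_factory=list)  # networks on other ASA interfaces
    mgmt_acl: List[str] = field(default_factory=list)            # hosts/networks allowed to manage the IPS


def check_plan(plan: IpsMgmtPlan) -> List[str]:
    """Return the rule violations found; an empty list means the plan follows the chapter."""
    problems: List[str] = []
    ips_if = ipaddress.ip_interface(plan.ips_addr)
    gw = ipaddress.ip_address(plan.gateway)
    asa_mgmt = ipaddress.ip_interface(plan.asa_mgmt_addr) if plan.asa_mgmt_addr else None

    # On every platform the gateway must be another host on the IPS management subnet.
    if gw not in ips_if.network:
        problems.append(f"gateway {gw} is not on the IPS management network {ips_if.network}")
    elif gw == ips_if.ip:
        problems.append("gateway is the IPS management address itself")

    if plan.platform == "5505":
        # SSC on the ASA 5505: the IPS address shares the ASA management VLAN
        # subnet and the gateway is the ASA's address on that VLAN (default 192.168.1.1).
        if asa_mgmt is None:
            problems.append("ASA 5505: the ASA address on the management VLAN is required")
        else:
            if ips_if.ip not in asa_mgmt.network:
                problems.append(f"ASA 5505: IPS address {ips_if.ip} is not in the management VLAN subnet {asa_mgmt.network}")
            if gw != asa_mgmt.ip:
                problems.append(f"ASA 5505: gateway must be the ASA VLAN address {asa_mgmt.ip}, not {gw}")
    else:
        # ASA 5510 and higher: the gateway is the upstream router; the ASA
        # management address does not work as the IPS gateway.
        if asa_mgmt is not None and gw == asa_mgmt.ip:
            problems.append("ASA 5510 and higher: the ASA management address does not work as the IPS gateway; use the upstream router")
        if plan.platform == "software" and plan.asa_mgmt_named:
            # Management 0/0 still carries an ASA nameif, so the IPS address must be
            # on the ASA management network, which excludes the networks configured
            # on other ASA interfaces.
            if asa_mgmt is None or ips_if.ip not in asa_mgmt.network:
                problems.append("software module with named Management 0/0: IPS address must be on the ASA management network")
            for other in plan.other_asa_networks:
                if ips_if.network.overlaps(ipaddress.ip_network(other, strict=False)):
                    problems.append(f"software module with named Management 0/0: IPS network {ips_if.network} overlaps ASA interface network {other}")

    # Management access list (this example's own check): the wizard has you list
    # the hosts allowed to reach the IPS management interface, so an empty list
    # or a catch-all entry is almost certainly a mistake.
    if not plan.mgmt_acl:
        problems.append("management access list is empty; add the management hosts")
    for entry in plan.mgmt_acl:
        if ipaddress.ip_network(entry, strict=False).prefixlen == 0:
            problems.append(f"management access list entry {entry} allows every host")
    return problems


if __name__ == "__main__":
    # Software module left with the ASA nameif on Management 0/0 but pointed at the inside network.
    bad = IpsMgmtPlan("software", "10.1.1.2/24", "10.1.1.1", asa_mgmt_addr="192.168.1.1/24",
                      other_asa_networks=["10.1.1.0/24"], mgmt_acl=["10.1.1.50/32"])
    for p in check_plan(bad):
        print("problem:", p)
    # The same placement after removing the nameif from Management 0/0 is allowed.
    good = IpsMgmtPlan("software", "10.1.1.2/24", "10.1.1.1", asa_mgmt_named=False, mgmt_acl=["10.1.1.50/32"])
    print("problems:", check_plan(good))
```

    The two contrasting gateway rules are the point: on the ASA 5505 the ASA's VLAN address is the gateway because the SSC is reached over the backplane, while on the ASA 5510 and higher the IPS module is a separate device whose gateway must be the upstream router.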
    Configuring the Security Policy on the ASA IPS Module
    This section describes how to configure the ASA IPS module application.
    Detailed Steps
    Step 1  Connect to ASDM using the ASA management IP address. See the “Starting ASDM” section on page 3-14 in the general operations configuration guide.
    Step 2  To access the IPS Device Manager (IDM) from ASDM, click Configuration > IPS.
    						
    							 
    Step 3  Enter the IP address, username and password that you set in the “Configuring Basic IPS Module Network Settings” section on page 31-12, as well as the port. The default IP address and port is 192.168.1.2:443. The default username and password are cisco and cisco; if the module still accepts them, the password step of the basic network settings procedure has not been completed.
    If the password to access IDM is lost, you can reset the password using ASDM. See the “Resetting the Password” section on page 31-23, for more information.
    Step 4  To save the login information on your local PC, check the Save IPS login information on local host check box. Saved credentials are only as safe as the PC they are stored on; leave the box unchecked on shared workstations.
    Step 5  Click Continue. The Startup Wizard pane appears.
    Step 6  Click Launch Startup Wizard. Complete the screens as prompted. For more information, see the IDM online help.
    (ASA 5510 and higher) If you configure virtual sensors, you identify one of the sensors as the default. If the ASA configuration does not specify a virtual sensor name, the default sensor is used.
    						