31-17
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 31 Configuring the ASA IPS Module
Configuring the ASA IPS module
    What to Do Next
    For the ASA in multiple context mode, see the “Assigning Virtual Sensors to a Security Context 
    (ASA 5510 and Higher)” section on page 31-17.
    For the ASA in single context mode, see the “Diverting Traffic to the ASA IPS module” section on 
    page 31-18.
    Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)
    If the ASA is in multiple context mode, then you can assign one or more IPS virtual sensors to each 
    context. Then, when you configure the context to send traffic to the ASA IPS module, you can specify a 
    sensor that is assigned to the context; you cannot specify a sensor that you did not assign to the context. 
    If you do not assign any sensors to a context, then the default sensor configured on the ASA IPS module 
    is used. You can assign the same sensor to multiple contexts.
Note: You do not need to be in multiple context mode to use virtual sensors; you can be in single mode and use different sensors for different traffic flows.
    Prerequisites
    For more information about configuring contexts, see the “Configuring Multiple Contexts” section on 
    page 8-15 in the general operations configuration guide.
Detailed Steps
Step 1: In the ASDM Device List pane, double-click System under the active device IP address.
Step 2: On the Context Management > Security Contexts pane, choose a context that you want to configure, and click Edit.
The Edit Context dialog box appears. For more information about configuring contexts, see the “Configuring Multiple Contexts” section on page 8-15 in the general operations configuration guide.
Step 3: In the IPS Sensor Allocation area, click Add.
The IPS Sensor Selection dialog box appears.
Step 4: From the Sensor Name drop-down list, choose a sensor name from those configured on the ASA IPS module.
Step 5: (Optional) To assign a mapped name to the sensor, enter a value in the Mapped Sensor Name field.
This sensor name can be used within the context instead of the actual sensor name. If you do not specify a mapped name, the sensor name is used within the context. For security purposes, you might not want the context administrator to know which sensors are being used by the context. Or you might want to genericize the context configuration. For example, if you want all contexts to use sensors called “sensor1” and “sensor2,” then you can map the “highsec” and “lowsec” sensors to sensor1 and sensor2 in context A, but map the “medsec” and “lowsec” sensors to sensor1 and sensor2 in context B.
Step 6: Click OK to return to the Edit Context dialog box.
Step 7: (Optional) To set one sensor as the default sensor for this context, from the Default Sensor drop-down list, choose a sensor name.
    							 
    31-18
    Cisco ASA Series Firewall ASDM Configuration Guide
     
    Chapter 31      Configuring the ASA IPS Module
      Configuring the ASA IPS module
    If you do not specify a sensor name when you configure IPS within the context configuration, the context 
    uses this default sensor. You can only configure one default sensor per context. If you do not specify a 
    sensor as the default, and the context configuration does not include a sensor name, then traffic uses the 
    default sensor on the ASA IPS module.
Step 8: Repeat this procedure for each security context.
Step 9: Change to each context to configure the IPS security policy as described in the “Diverting Traffic to the ASA IPS module” section on page 31-18.
What to Do Next
Change to each context to configure the IPS security policy as described in the “Diverting Traffic to the ASA IPS module” section on page 31-18.
    Diverting Traffic to the ASA IPS module
    This section identifies traffic to divert from the ASA to the ASA IPS module. 
    Prerequisites
    In multiple context mode, perform these steps in each context execution space. To change to a context, 
    in the Configuration > Device List pane, double-click the context name under the active device IP 
    address.
    Detailed Steps
Step 1: Choose Configuration > Firewall > Service Policy Rules.
Step 2: Choose Add > Add Service Policy Rule. The Add Service Policy Rule Wizard - Service Policy dialog box appears.
    							 
    31-19
    Cisco ASA Series Firewall ASDM Configuration Guide
     
    Chapter 31      Configuring the ASA IPS Module
      Managing the ASA IPS module
Step 3: Complete the Service Policy dialog box as desired. See the ASDM online help for more information about these screens.
Step 4: Click Next. The Add Service Policy Rule Wizard - Traffic Classification Criteria dialog box appears.
Step 5: Complete the Traffic Classification Criteria dialog box as desired. See the ASDM online help for more information about these screens.
Step 6: Click Next to show the Add Service Policy Rule Wizard - Rule Actions dialog box.
Step 7: Click the Intrusion Prevention tab.
Step 8: Check the Enable IPS for this traffic flow check box.
Step 9: In the Mode area, click Inline Mode or Promiscuous Mode. See the “Operating Modes” section on page 31-3 for more information.
Step 10: In the If IPS Card Fails area, click Permit traffic or Close traffic. The Close traffic option sets the ASA to block all traffic if the ASA IPS module is unavailable. The Permit traffic option sets the ASA to allow all traffic through, uninspected, if the ASA IPS module is unavailable. For information about the IPS Sensor Selection area, see the ASDM online help.
Step 11: (ASA 5510 and higher) From the IPS Sensor to use drop-down list, choose a virtual sensor name.
If you use virtual sensors, you can specify a sensor name using this option. If you use multiple context mode on the ASA, you can only specify sensors that you assigned to the context (see the “Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)” section on page 31-17). If you do not specify a sensor name, then the traffic uses the default sensor. In multiple context mode, you can specify a default sensor for the context. In single mode or if you do not specify a default sensor in multiple mode, the traffic uses the default sensor that is set on the ASA IPS module.
Step 12: Click OK and then Apply.
Step 13: Repeat this procedure to configure additional traffic flows as desired.
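The sensor-selection rules spread across Steps 5 and 7 of the context-allocation procedure and Step 11 above are easy to get wrong when several contexts share a module, so here is an added example in Python that encodes them; it is not Cisco's code and not part of this guide. `ContextIPS` records which sensors a context was given (under their mapped names) and its default sensor, `resolve_sensor` returns the sensor a rule's traffic actually reaches and rejects a sensor the context was never assigned, and `MODULE_DEFAULT` is a placeholder for the default sensor configured on the IPS module itself, whose name this guide does not show. The `ips_action` helper renders the Intrusion Prevention tab choices as the `ips` action keywords of the ASA policy-map CLI in the form I assume (`ips {inline | promiscuous} {fail-close | fail-open} [sensor name]`, with Permit traffic as fail-open and Close traffic as fail-close); the guide shows only the ASDM screens, so confirm that mapping against your ASA version.

```python
"""Model of the ASA IPS virtual-sensor selection rules (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Placeholder for the default sensor configured on the IPS module itself;
# its real name lives in the module configuration, not on the ASA.
MODULE_DEFAULT = "<module default sensor>"


@dataclass
class ContextIPS:
    name: str
    multiple_mode: bool = True  # False models single context mode
    allocations: Dict[str, str] = field(default_factory=dict)  # visible name -> real sensor
    default_sensor: Optional[str] = None  # visible name, at most one per context

    def allocate(self, sensor: str, mapped_name: Optional[str] = None,
                 default: bool = False) -> None:
        """Assign a sensor to this context (Steps 4, 5 and 7 of the allocation procedure)."""
        if not self.multiple_mode:
            raise ValueError("sensor allocation only applies in multiple context mode")
        visible = mapped_name or sensor  # without a mapped name the real name is used
        if visible in self.allocations and self.allocations[visible] != sensor:
            raise ValueError(f"{self.name}: name {visible!r} already maps to another sensor")
        self.allocations[visible] = sensor
        if default:
            if self.default_sensor not in (None, visible):
                raise ValueError(f"{self.name}: only one default sensor per context")
            self.default_sensor = visible


def resolve_sensor(ctx: ContextIPS, requested: Optional[str] = None) -> str:
    """Return the sensor that traffic matching a service-policy rule is sent to."""
    if requested is not None:
        if ctx.multiple_mode:
            # A context may only reference sensors assigned to it.
            if requested not in ctx.allocations:
                raise ValueError(f"{ctx.name}: sensor {requested!r} is not assigned to this context")
            return ctx.allocations[requested]
        return requested  # single mode: real sensor names are used directly
    if ctx.multiple_mode and ctx.default_sensor is not None:
        return ctx.allocations[ctx.default_sensor]
    return MODULE_DEFAULT  # no rule sensor and no context default: module default applies


def rule_is_valid(ctx: ContextIPS, requested: Optional[str] = None) -> bool:
    """True if the rule's sensor choice is allowed in this context."""
    try:
        resolve_sensor(ctx, requested)
        return True
    except ValueError:
        return False


def ips_action(mode: str, on_failure: str, sensor: Optional[str] = None) -> str:
    """Render the tab's choices as CLI keywords; the keyword form is an assumption, see lead-in."""
    if mode not in ("inline", "promiscuous"):
        raise ValueError("mode must be inline or promiscuous")
    if on_failure not in ("fail-open", "fail-close"):
        raise ValueError("on_failure must be fail-open (Permit traffic) or fail-close (Close traffic)")
    line = f"ips {mode} {on_failure}"
    return line + (f" sensor {sensor}" if sensor else "")


if __name__ == "__main__":
    # The guide's own example: both contexts see sensor1/sensor2, backed by different sensors.
    a = ContextIPS("A")
    a.allocate("highsec", "sensor1", default=True)
    a.allocate("lowsec", "sensor2")
    b = ContextIPS("B")
    b.allocate("medsec", "sensor1")
    b.allocate("lowsec", "sensor2")
    print("A sensor1 ->", resolve_sensor(a, "sensor1"), "| B sensor1 ->", resolve_sensor(b, "sensor1"))
    print("A default ->", resolve_sensor(a), "| B default ->", resolve_sensor(b))
    print(ips_action("inline", "fail-close", "sensor1"))
```

Running the module shows that the same rule text (`sensor1`) lands on `highsec` in context A and `medsec` in context B, which is exactly why mapped names hide the real sensors from a context administrator.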
Managing the ASA IPS module
    							 
    31-20
    Cisco ASA Series Firewall ASDM Configuration Guide
     
    Chapter 31      Configuring the ASA IPS Module
      Managing the ASA IPS module
    This section includes procedures that help you recover or troubleshoot the module and includes the 
    following topics:
    Installing and Booting an Image on the Module, page 31-20
    Shutting Down the Module, page 31-22
    Uninstalling a Software Module Image, page 31-22
    Resetting the Password, page 31-23
    Reloading or Resetting the Module, page 31-24
    Installing and Booting an Image on the Module
    If the module suffers a failure, and the module application image cannot run, you can reinstall a new 
    image on the module from a TFTP server (for a hardware module), or from the local disk (software 
    module).
Note: Do not use the upgrade command within the module software to install the image.
Prerequisites
Hardware module—Be sure the TFTP server that you specify can transfer files up to 60 MB in size.
Note: This process can take approximately 15 minutes to complete, depending on your network and the size of the image.
Software module—Copy the image to the ASA internal flash (disk0) before completing this procedure.
Note: Before you download the IPS software to disk0, make sure at least 50% of the flash memory is free. When you install IPS, IPS reserves 50% of the internal flash memory for its file system.
    							 
    31-21
    Cisco ASA Series Firewall ASDM Configuration Guide
     
    Chapter 31      Configuring the ASA IPS Module
      Managing the ASA IPS module
Detailed Steps
Step 1
Command:
For a hardware module (for example, the ASA 5585-X):
    hw-module module 1 recover configure
For a software module (for example, the ASA 5545-X):
    sw-module module ips recover configure image disk0:file_path
Example:
    ciscoasa# hw-module module 1 recover configure
    Image URL [tftp://127.0.0.1/myimage]: tftp://10.1.1.1/ids-newimg
    Port IP Address [127.0.0.2]: 10.1.2.10
    Port Mask [255.255.255.254]: 255.255.255.0
    Gateway IP Address [1.1.2.10]: 10.1.2.254
    VLAN ID [0]: 100
Purpose:
Specifies the location of the new image.
For a hardware module—This command prompts you for the URL for the TFTP server, the management interface IP address and netmask, gateway address, and VLAN ID (ASA 5505 only). These network parameters are configured in ROMMON; the network parameters you configured in the module application configuration are not available to ROMMON, so you must set them separately here.
For a software module—Specify the location of the image on the local disk.
You can view the recovery configuration using the show module {1 | ips} recover command.
In multiple context mode, enter this command in the system execution space.
Step 2
Command:
For a hardware module:
    hw-module module 1 recover boot
For a software module:
    sw-module module ips recover boot
Example:
    ciscoasa# hw-module module 1 recover boot
Purpose:
Installs and boots the IPS module software.
Step 3
Command:
For a hardware module:
    show module 1 details
For a software module:
    show module ips details
Example:
    ciscoasa# show module 1 details
Purpose:
Checks the progress of the image transfer and module restart process.
The Status field in the output indicates the operational status of the module. A module operating normally shows a status of “Up.” While the ASA transfers an application image to the module, the Status field in the output reads “Recover.” When the ASA completes the image transfer and restarts the module, the newly transferred image is running.
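Because the transfer can take around 15 minutes and Step 3 has you watch the Status field by hand, an operator automating the recovery needs a loop that stops on "Up", keeps waiting on "Recover", and refuses to wait forever on anything else. The following Python is an added example, not Cisco's code and not part of this guide: the sample outputs are constructed (a real `show module 1 details` prints many more fields), only the `Status:` line is parsed, and the command runner is injected so the logic can be driven from canned output offline.

```python
"""Poll the Status field of "show module {1 | ips} details" (added example, not Cisco code)."""
import re
import time
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed sample outputs; a real "show module 1 details" prints many more
# fields, and only the Status line is relied on here.
SAMPLE_RECOVER = (
    "Getting details from the Service Module, please wait...\n"
    "Model:              ASA-SSM-20\n"
    "Status:             Recover\n"
)
SAMPLE_UP = SAMPLE_RECOVER.replace("Recover", "Up")
SAMPLE_UNRESPONSIVE = SAMPLE_RECOVER.replace("Recover", "Unresponsive")

# Whole remainder of the line, so multi-word statuses are not truncated.
_STATUS_RE = re.compile(r"^\s*Status:\s*(.+?)\s*$", re.MULTILINE)


def module_status(output: str) -> Optional[str]:
    """Return the text of the Status field, or None if the line is absent."""
    match = _STATUS_RE.search(output)
    return match.group(1) if match else None


def classify(output: str) -> str:
    """Map the Status value to the states the guide's Step 3 describes."""
    status = module_status(output)
    if status is None:
        return "unknown"  # e.g. truncated output; worth another poll
    if status == "Up":
        return "running"
    if status == "Recover":
        return "transferring"
    return "other:" + status  # unexpected; stop polling and investigate


def wait_for_module_up(show_details: Callable[[], str], max_polls: int = 60,
                       interval: float = 15.0,
                       sleep: Callable[[float], None] = time.sleep) -> Tuple[bool, List[str]]:
    """Poll until the module reports Up, an unexpected status appears, or max_polls is hit.

    Returns (succeeded, history of observed states) so a failed wait can be logged.
    """
    history: List[str] = []
    for _ in range(max_polls):
        state = classify(show_details())
        history.append(state)
        if state == "running":
            return True, history
        if state.startswith("other:"):
            return False, history
        sleep(interval)
    return False, history


def run_simulation(outputs: Iterable[str], max_polls: int = 5) -> Tuple[bool, List[str]]:
    """Drive wait_for_module_up over canned outputs with no real delay."""
    it = iter(outputs)
    return wait_for_module_up(lambda: next(it), max_polls=max_polls, sleep=lambda _: None)


if __name__ == "__main__":
    print(run_simulation([SAMPLE_RECOVER, SAMPLE_RECOVER, SAMPLE_UP]))
    print(run_simulation([SAMPLE_RECOVER, SAMPLE_UNRESPONSIVE]))
```

In production `show_details` would be a function that runs the command over your management session and returns its text; the 15-second default interval and 60-poll cap together cover the approximately 15 minutes the prerequisites note quotes for the transfer.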
    						
    							 
    31-22
    Cisco ASA Series Firewall ASDM Configuration Guide
     
    Chapter 31      Configuring the ASA IPS Module
      Managing the ASA IPS module
Shutting Down the Module
Shutting down the module software prepares the module to be safely powered off without losing configuration data. Note: If you reload the ASA, the module is not automatically shut down, so we recommend shutting down the module before reloading the ASA. To gracefully shut down the module, perform the following steps at the ASA CLI.
Detailed Steps
Command:
For a hardware module (for example, the ASA 5585-X):
    hw-module module 1 shutdown
For a software module (for example, the ASA 5545-X):
    sw-module module ips shutdown
Example:
    ciscoasa# hw-module module 1 shutdown
Purpose:
Shuts down the module.
Uninstalling a Software Module Image
To uninstall a software module image and associated configuration, perform the following steps.
Detailed Steps
Step 1
Command:
    sw-module module ips uninstall
Example:
    ciscoasa# sw-module module ips uninstall
    Module ips will be uninstalled. This will completely remove the
    disk image associated with the sw-module including any configuration
    that existed within it.
    Uninstall module ? [confirm]
Purpose:
Permanently uninstalls the software module image and associated configuration.
Step 2
Command:
    reload
Example:
    ciscoasa# reload
Purpose:
Reloads the ASA. You must reload the ASA before you can install a new module type.
    							 
    31-23
    Cisco ASA Series Firewall ASDM Configuration Guide
     
    Chapter 31      Configuring the ASA IPS Module
      Managing the ASA IPS module
    Resetting the Password
    You can reset the module password to the default. For the user cisco, the default password is cisco. After 
    resetting the password, you should change it to a unique value using the module application.
    Resetting the module password causes the module to reboot. Services are not available while the module 
    is rebooting.
    If you cannot connect to ASDM with the new password, restart ASDM and try to log in again. If you 
    defined a new password and still have an existing password in ASDM that is different from the new 
    password, clear the password cache by choosing File > Clear ASDM Password Cache, then restart 
    ASDM and try to log in again.
    To reset the module password to the default of cisco, perform the following steps.
Detailed Steps
Step 1: From the ASDM menu bar, choose Tools > module Password Reset.
The Password Reset confirmation dialog box appears.
Step 2: Click OK to reset the password to the default.
A dialog box displays the success or failure of the password reset.
Step 3: Click Close to close the dialog box.
    							 
    31-24
    Cisco ASA Series Firewall ASDM Configuration Guide
     
    Chapter 31      Configuring the ASA IPS Module
      Monitoring the ASA IPS module
Reloading or Resetting the Module
To reload or reset the module, enter one of the following commands at the ASA CLI.
Detailed Steps
Command:
For a hardware module (for example, the ASA 5585-X):
    hw-module module 1 reload
For a software module (for example, the ASA 5545-X):
    sw-module module ips reload
Example:
    ciscoasa# hw-module module 1 reload
Purpose:
Reloads the module software.
Command:
For a hardware module:
    hw-module module 1 reset
For a software module:
    sw-module module ips reset
Example:
    ciscoasa# hw-module module 1 reset
Purpose:
Performs a reset, and then reloads the module.
Monitoring the ASA IPS module
See the “Intrusion Prevention Tab” section on page 4-28 in the general operations configuration guide.
    							 
    31-25
    Cisco ASA Series Firewall ASDM Configuration Guide
     
    Chapter 31      Configuring the ASA IPS Module
      Feature History for the ASA IPS module
    Feature History for the ASA IPS module
    Table 31-2 lists each feature change and the platform release in which it was implemented. ASDM is 
    backwards-compatible with multiple platform releases, so the specific ASDM release in which support 
    was added is not listed.
Table 31-2 Feature History for the ASA IPS module

Feature Name: AIP SSM
Platform Releases: 7.0(1)
Feature Information: We introduced support for the AIP SSM for the ASA 5510, 5520, and 5540.
The following screen was introduced: Configuration > Firewall > Service Policy Rules > Add/Edit Service Policy Rule > Intrusion Prevention.

Feature Name: Virtual sensors (ASA 5510 and higher)
Platform Releases: 8.0(2)
Feature Information: Virtual sensor support was introduced. Virtual sensors let you configure multiple security policies on the ASA IPS module.
The following screen was modified: Context Management > Security Contexts > Edit Context.

Feature Name: AIP SSC for the ASA 5505
Platform Releases: 8.2(1)
Feature Information: We introduced support for the AIP SSC for the ASA 5505.
The following screen was introduced: Configuration > Device Setup > SSC Setup.

Feature Name: Support for the ASA IPS SSP-10, -20, -40, and -60 for the ASA 5585-X
Platform Releases: 8.2(5)/8.4(2)
Feature Information: We introduced support for the ASA IPS SSP-10, -20, -40, and -60 for the ASA 5585-X. You can only install the ASA IPS SSP with a matching-level SSP; for example, SSP-10 and ASA IPS SSP-10.
Note: The ASA 5585-X is not supported in Version 8.3.

Feature Name: Support for Dual SSPs for SSP-40 and SSP-60
Platform Releases: 8.4(2)
Feature Information: For SSP-40 and SSP-60, you can use two SSPs of the same level in the same chassis. Mixed-level SSPs are not supported (for example, an SSP-40 with an SSP-60 is not supported). Each SSP acts as an independent device, with separate configurations and management. You can use the two SSPs as a failover pair if desired.
Note: When using two SSPs in the chassis, VPN is not supported; note, however, that VPN has not been disabled.
We did not modify any screens.

Feature Name: Support for the ASA IPS SSP for the ASA 5512-X through ASA 5555-X
Platform Releases: 8.6(1)
Feature Information: We introduced support for the ASA IPS SSP software module for the ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X.
We did not modify any screens.