Installing and Removing the ASA 5500 AIP SSM
Contents
This chapter describes the ASA 5500 AIP SSM and contains the following sections:
Installation Notes and Caveats
Pay attention to the following installation notes and caveats before installing the ASA 5500 AIP SSM.
Note Read through the entire guide before beginning any of the installation procedures.
Warning Only trained and qualified personnel should install, replace, or service this equipment. Statement 49
Caution Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5500 Series Adaptive Security Appliance document and follow proper safety procedures when performing the steps in this guide.
Product Overview
The Cisco ASA Advanced Inspection and Prevention Security Services Module (ASA 5500 AIP SSM) is the IPS plug-in module in the Cisco ASA 5500 series adaptive security appliance. The adaptive security appliance software integrates firewall, VPN, and intrusion detection and prevention capabilities in a single platform.
The ASA 5500 AIP SSM monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library. When the ASA 5500 AIP SSM detects unauthorized activity, it can terminate the specific connection, permanently block the attacking host, log the incident, and send an alert to the device manager.
There are three models of the ASA 5500 AIP SSM:
– Supports 150 Mbps of IPS throughput when installed in ASA 5510
– Supports 225 Mbps of IPS throughput when installed in ASA 5520
– Supports 375 Mbps of IPS throughput when installed in ASA 5520
– Supports 500 Mbps of IPS throughput when installed in ASA 5540
– Supports 450 Mbps of IPS throughput on the ASA 5520
– Supports 650 Mbps IPS throughput on ASA 5540
Figure 6-1 shows the AIP SSM-40.
Figure 6-1 AIP SSM-40
The ASA 5500 AIP SSM runs in either inline or promiscuous mode. The adaptive security appliance diverts packets to the ASA 5500 AIP SSM just before the packet exits the egress interface (or before VPN encryption occurs, if configured) and after other firewall policies are applied. For example, packets that are blocked by an access list are not forwarded to the ASA 5500 AIP SSM.
In promiscuous mode, the IPS receives packets over the GigabitEthernet interface, examines them for intrusive behavior, and generates alerts based on a positive result of the examination. In inline mode, there is the additional step of sending all packets that did not result in an intrusion back out the GigabitEthernet interface.
Figure 6-2 shows the adaptive security appliance with the ASA 5500 AIP SSM in a typical DMZ configuration. A DMZ is a separate network located in the neutral zone between a private (inside) network and a public (outside) network. The web server is on the DMZ interface, and HTTP clients from both the inside and outside networks can access the web server securely.
Figure 6-2 DMZ Configuration
In Figure 6-2, an HTTP client (10.10.10.10) on the inside network initiates HTTP communications with the DMZ web server (30.30.30.30). HTTP access to the DMZ web server is provided for all clients on the Internet; all other communications are denied. The network is configured to use an IP pool (a range of IP addresses available to the DMZ interface) of addresses between 30.30.30.50 and 30.30.30.60.
For More Information
- For more information on setting up the adaptive security appliance, refer to the Getting Started Guides found at this URL:
http://www.cisco.com/en/US/products/ps6120/prod_installation_guides_list.html
Specifications
Table 6-1 lists the specifications for the ASA 5500 AIP SSM:
Table 6-1 ASA 5500 AIP SSM Specifications
| Dimensions (H x W x D) | 1.70 x 6.80 x 11.00 inches |
| Weight | Minimum: 2.50 lb Maximum: 3.00 lb |
| Operating temperature | +32° to +104°F (+0° to +40°C) |
| Nonoperating temperature | –40° to +167°F (–40° to +75°C) |
| Humidity | 10% to 90%, noncondensing |
Memory Specifications
Table 6-2 lists the memory specifications for the ASA 5500 AIP SSM.
Table 6-2 ASA 5500 AIP SSM Memory Specifications
| ASA-SSM-AIP-10-K9 | 2.0 GHz Celeron | 1.0 GB |
| ASA-SSM-AIP-20-K9 | 2.4 GHz Pentium 4 | 2.0 GB |
Hardware and Software Requirements
The ASA 5500 AIP SSM has the following hardware and software requirements:
- Cisco ASA 5500 series adaptive security appliance
– ASA 5510 (ASA-SSM-AIP-10-K9)
– ASA 5520 (ASA-SSM-AIP-10-K9 and ASA-SSM-AIP-20-K9)
– ASA 5540 (ASA-SSM-AIP-20-K9)
- Cisco Adaptive Security Appliance Software 7.0 or later
- Cisco Intrusion Prevention System Software 5.0(2) or later
- DES or 3DES-enabled
Indicators
Figure 6-3 shows the ASA 5500 AIP SSM indicators.
Figure 6-3 ASA 5500 AIP SSM Indicators
Table 6-3 describes the ASA 5500 AIP SSM indicators.
Table 6-3 ASA 5500 AIP SSM Indicators
| PWR | Green | On | The system has power. |
| STATUS | Green | Flashing | The system is booting. |
| STATUS | Green | Solid | The system has passed power-up diagnostics. |
| LINK/ACT | Green | Solid | There is Ethernet link. |
| LINK/ACT | Green | Flashing | There is Ethernet activity. |
| SPEED | Green | 100 MB | There is network activity. |
| SPEED | Amber | 1000 MB (GigabitEthernet) | There is network activity. |
Installation and Removal Instructions
This section describes how to install and remove the ASA 5500 AIP SSM, and contains the following topics:
Installing the ASA 5500 AIP SSM
To install the ASA 5500 AIP SSM for the first time, follow these steps:
Step 1 Power off the adaptive security appliance.
Step 2 Locate the grounding strap from the accessory kit and fasten it to your wrist so that it contacts your bare skin. Attach the other end to the chassis.
Step 3 Remove the two screws at the left back end of the chassis, and remove the slot cover.
Note Store the slot cover in a safe place for future use. You must install slot covers on all empty slots. This prevents EMI, which can disrupt other equipment.
Step 4 Insert the ASA 5500 AIP SSM through the slot opening.
Step 5 Attach the screws to secure the ASA 5500 AIP SSM to the chassis.
Step 6 Power on the adaptive security appliance by pushing the power switch at the back of the chassis.
Step 7 Check the indicators. If the ASA 5500 AIP SSM is properly installed, the POWER indicator is solid green and the STATUS indicator is flashing green. You can also verify that the ASA 5500 AIP SSM is online using the show module 1 command.
Step 8 Initialize the ASA 5500 AIP SSM.
Step 9 Install the most recent Cisco IPS software.
Step 10 Configure the ASA 5500 AIP SSM to receive IPS traffic.
Verifying the Status of the ASA 5500 AIP SSM
You can use the show module 1 command to verify that the ASA 5500 AIP SSM is up and running.
The following values are valid for the Status field:
- Initializing—The ASA 5500 AIP SSM is being detected and the control communication is being initialized by the system.
- Up—The ASA 5500 AIP SSM has completed initialization by the system.
- Unresponsive—The system encountered an error communicating with the ASA 5500 AIP SSM.
- Reloading—The ASA 5500 AIP SSM is reloading.
- Shutting Down—The ASA 5500 AIP SSM is shutting down.
- Down—The ASA 5500 AIP SSM is shut down.
- Recover—The ASA 5500 AIP SSM is attempting to download a recovery image.
To verify the status of the ASA 5500 AIP SSM, follow these steps:
Step 1 Log in to the adaptive security appliance.
Step 2 Verify the status of the ASA 5500 AIP SSM. If the status reads Up, the ASA 5500 AIP SSM has been properly installed.
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         P2B000005D0

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  1 000b.fcf8.0144 to 000b.fcf8.0144  0.2          1.0(9)0      5.0(0.27)S129.0
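A monitoring check built on the Status values listed above, added here as an example and not part of the Cisco guide: it parses captured show module 1 output, flags any state other than Up, and optionally compares the reported model against the one you expect in the slot. The "Mod Status" table in the sample, the ok/wait/alert grouping, and the function names are assumptions made for this example.

```python
import re

# Status values this chapter lists for the Status field of `show module 1`.
STATUSES = ("Initializing", "Up", "Unresponsive", "Reloading",
            "Shutting Down", "Down", "Recover")
# Assumption for this example: these states clear on their own, so poll again.
TRANSITIONAL = {"Initializing", "Reloading", "Shutting Down", "Recover"}
STATUS_RE = re.compile(r"(%s)\b" % "|".join(STATUSES))

# Constructed sample. The first two tables repeat the output shown above; the
# "Mod Status" table is an assumed layout for where the Status field appears.
SAMPLE = """\
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         P2B000005D0
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  1 000b.fcf8.0144 to 000b.fcf8.0144  0.2          1.0(9)0      5.0(0.27)S129.0
Mod Status
--- ------------------
  1 Up
"""

def parse_show_module(text, slot=1):
    """Extract model, serial, software version and status for one slot."""
    info = dict.fromkeys(("model", "serial", "sw_version", "status"))
    header = ""
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("Mod "):
            header = line              # remember which table the rows belong to
        elif parts and parts[0] == str(slot):
            if "Card Type" in header:
                info["model"], info["serial"] = parts[-2], parts[-1]
            elif "Sw Version" in header:
                info["sw_version"] = parts[-1]
            elif "Status" in header:
                m = STATUS_RE.match(" ".join(parts[1:]))
                info["status"] = m.group(1) if m else None
    return info

def assess(info, expected_model=None):
    """Return 'ok', 'wait' or 'alert' for a monitoring check."""
    if expected_model and info["model"] != expected_model:
        return "alert"                 # a different model is not recognized
    if info["status"] == "Up":
        return "ok"
    return "wait" if info["status"] in TRANSITIONAL else "alert"
```

A missing or unrecognized Status value is treated as an alert rather than as healthy, so truncated output does not pass the check.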
Removing the ASA 5500 AIP SSM
To remove the ASA 5500 AIP SSM from the adaptive security appliance, follow these steps:
Step 1 Shut down the ASA 5500 AIP SSM.
asa# hw-module module 1 shutdown
Shutdown module in slot 1? [confirm]
Step 2 Press Enter to confirm.
Step 3 Verify that the ASA 5500 AIP SSM is shut down by checking the indicators.
Step 4 Power off the adaptive security appliance.
Step 5 Locate the grounding strap from the accessory kit and fasten it to your wrist so that it contacts your bare skin. Attach the other end to the chassis.
Step 6 Remove the two screws at the left back end of the chassis.
Step 7 Remove the ASA 5500 AIP SSM and set it aside.
Note If you are not replacing the ASA 5500 AIP SSM immediately, install the blank slot cover. Slot covers must cover all empty slots. This prevents EMI from disrupting other equipment.
Step 8 If you need to replace the existing ASA 5500 AIP SSM, insert the new ASA 5500 AIP SSM through the slot opening.
Note Do not replace the ASA 5500 AIP SSM with a different model. The adaptive security appliance will not recognize it.
Step 9 Attach the screws to secure the ASA 5500 AIP SSM to the chassis.
Step 10 Power on the adaptive security appliance.
Step 11 Reset the ASA 5500 AIP SSM.
asa# hw-module module 1 reset
Reset module in slot 1? [confirm]
Step 12 Press Enter to confirm.
Step 13 Check the indicators to see if the ASA 5500 AIP SSM is properly installed. If the ASA 5500 AIP SSM is properly installed, the POWER indicator is solid green and the STATUS indicator is flashing green. Or you can verify installation using the show module 1 command.