This section demonstrates how SecureMe's IPS administrator uses ASDM to configure basic settings on the AIP-SSM.
When SecureMe's IPS administrator first launches ASDM, he discovers that the system does not have a valid license. To correct this problem, the administrator chooses Cisco Connection Online to obtain the license directly from Cisco.com, as shown in Figure 20-4.
Figure 20-4. Licensing
ASDM sends the serial number to Cisco over an HTTP connection to obtain the license key. The license key is displayed after it is retrieved.
Optionally, the IPS administrator can also upload the license information from a file stored on his local workstation.
Verifying Network Settings
The IPS administrator is informed that a new router is installed in the management subnet. The AIP-SSM gateway information needs to be updated with the router's IP address (10.89.149.254). Figure 20-5 shows how to add the new IP address under the ASDM network settings.
Figure 20-5. AIP-SSM Network Settings
The administrator notices that Telnet access is enabled on the AIP-SSM. He proceeds and disables it, because SSH and ASDM access is only required by SecureMe's security policy. Under the network settings, you can modify any of the following options:
Adding Allowed Hosts
The IPS administrator wants to connect to the IPS from his home workstation when connecting using the Cisco VPN client. He connects to a cluster of Cisco ASA appliances in Chicago to gain access to the private networks. These appliances are configured to always assign his VPN client a static IP address (192.168.75.34). Consequently, he adds this IP address in the Allowed Hosts section on ASDM, as shown in Figure 20-6.
Figure 20-6. Allowed Hosts Section
After navigating to the Allowed Hosts option under the Sensor Setup section, the IPS administrator clicks Add and adds the 192.168.75.34 IP address with a 32-bit subnet mask (255.255.255.255).
It is recommended that you use an NTP server as the AIP-SSM time source. The IPS administrator in Los Angeles installed a new NTP server (10.89.149.207) on the management network. He configures the NTP server parameters by choosing Configuration > Features > IPS > Sensor Setup > Time, as shown in Figure 20-7.
Figure 20-7. NTP Configuration
The IPS administrator adds the IP address of the NTP server (10.89.149.207). He also enters the NTP MD5 key (cisco123) and key ID (1) for NTP authentication. The NTP server uses the associated key when transferring data to the AIP-SSM.
Four different types of users can be configured in the AIP-SSM:
The definition of each account type is discussed in Chapter 14.
In the following scenario, the IPS administrator needs to create the service account to be able to enter into the AIP-SSM service mode.
The service user cannot log in to ASDM. This user is only used to log in to the AIP-SSM service mode (bash shell) for administrative purposes. The service account should only be used for troubleshooting purposes with the assistance of the Cisco Technical Assistance Center (TAC).
The service account is added as illustrated in Figure 20-8.
Figure 20-8. Adding Users
The security administrator navigates to Configuration > Features > IPS > Sensor Setup > Users and clicks the Add button. He enters service as the username and selects Service from the User Role drop-down menu. The corresponding password is also entered and confirmed, as shown in Figure 20-8.
Part I: Product Overview
Introduction to Network Security
Part II: Firewall Solution
Initial Setup and System Maintenance
Network Access Control
Authentication, Authorization, and Accounting (AAA)
Failover and Redundancy
Quality of Service
Part III: Intrusion Prevention System (IPS) Solution
Intrusion Prevention System Integration
Configuring and Troubleshooting Cisco IPS Software via CLI
Part IV: Virtual Private Network (VPN) Solution
Site-to-Site IPSec VPNs
Remote Access VPN
Public Key Infrastructure (PKI)
Part V: Adaptive Security Device Manager
Introduction to ASDM
Firewall Management Using ASDM
IPS Management Using ASDM
VPN Management Using ASDM