Configuring Basic AIP-SSM Settings
This section demonstrates how SecureMe's IPS administrator uses ASDM to configure basic settings on the AIP-SSM.
Licensing
When SecureMe's IPS administrator first launches ASDM, he discovers that the system does not have a valid license. To correct this problem, the administrator chooses Cisco Connection Online to obtain the license directly from Cisco.com, as shown in Figure 20-4.
Figure 20-4. Licensing
ASDM sends the serial number to Cisco over an HTTP connection to obtain the license key. The license key is displayed after it is retrieved.
Optionally, the IPS administrator can also upload the license information from a file stored on his local workstation.
Verifying Network Settings
The IPS administrator is informed that a new router is installed in the management subnet. The AIP-SSM gateway information needs to be updated with the router's IP address (10.89.149.254). Figure 20-5 shows how to add the new IP address under the ASDM network settings.
Figure 20-5. AIP-SSM Network Settings
The administrator notices that Telnet access is enabled on the AIP-SSM. He proceeds to disable it, because SecureMe's security policy requires only SSH and ASDM access. Under the network settings, you can modify any of the following options:
- Host name of the AIP-SSM.
- IP address of the management interface on the AIP-SSM (the default IP address is 10.1.9.201).
- Network mask.
- Default gateway address (the default is 10.1.9.1).
- The FTP timeout when an FTP client communicates with the AIP-SSM (default is 300 seconds).
- The AIP-SSM web server security level and port. It is strongly recommended that you enable TLS/SSL.
- Whether Telnet access is enabled or disabled. It is not enabled by default, because it is not a secure method.
Adding Allowed Hosts
The IPS administrator wants to connect to the IPS from his home workstation when connecting using the Cisco VPN client. He connects to a cluster of Cisco ASA appliances in Chicago to gain access to the private networks. These appliances are configured to always assign his VPN client a static IP address (192.168.75.34). Consequently, he adds this IP address in the Allowed Hosts section on ASDM, as shown in Figure 20-6.
Figure 20-6. Allowed Hosts Section
After navigating to the Allowed Hosts option under the Sensor Setup section, the IPS administrator clicks Add and adds the 192.168.75.34 IP address with a 32-bit subnet mask (255.255.255.255).
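The network settings and Allowed Hosts entries described above amount to a small access policy for the sensor's management interface: the gateway has to sit in the management subnet, Telnet stays off, the web server uses TLS, and only listed hosts (here a single /32) may reach the sensor. The following Python script is an added example, not code from the book or from Cisco, that checks a sensor's settings against that policy. The management IP address (10.89.149.10), its mask, and the "broad entry" threshold of /24 are assumptions for the example; the gateway and the allowed host are the values from this section.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class SensorNetworkSettings:
    """Subset of the AIP-SSM network settings shown in the ASDM dialogs."""
    hostname: str
    mgmt_ip: str
    netmask: str
    gateway: str
    telnet_enabled: bool
    web_tls_enabled: bool
    web_port: int = 443
    # Allowed Hosts entries as (address, netmask) pairs, as entered in ASDM.
    allowed_hosts: List[Tuple[str, str]] = field(default_factory=list)


def audit_network_settings(cfg: SensorNetworkSettings) -> List[str]:
    """Return a list of findings; an empty list means the settings pass."""
    findings = []
    mgmt_net = ipaddress.ip_network(f"{cfg.mgmt_ip}/{cfg.netmask}", strict=False)

    # The default gateway must be reachable on the management subnet.
    if ipaddress.ip_address(cfg.gateway) not in mgmt_net:
        findings.append(f"gateway {cfg.gateway} is outside management subnet {mgmt_net}")

    # Policy allows only SSH and ASDM for sensor management.
    if cfg.telnet_enabled:
        findings.append("Telnet is enabled; only SSH and ASDM access is permitted")

    # ASDM talks to the sensor's web server; it should be TLS/SSL protected.
    if not cfg.web_tls_enabled:
        findings.append(f"web server on port {cfg.web_port} is not using TLS/SSL")

    # Assumed policy threshold: an Allowed Hosts entry wider than /24 is flagged.
    for host, mask in cfg.allowed_hosts:
        net = ipaddress.ip_network(f"{host}/{mask}", strict=False)
        if net.prefixlen < 24:
            findings.append(f"allowed-hosts entry {net} is broader than /24")
    return findings


def host_allowed(cfg: SensorNetworkSettings, client_ip: str) -> bool:
    """True if client_ip falls inside any Allowed Hosts entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(
        addr in ipaddress.ip_network(f"{host}/{mask}", strict=False)
        for host, mask in cfg.allowed_hosts
    )


# Constructed "before" settings: old gateway still configured, Telnet on.
BEFORE = SensorNetworkSettings(
    hostname="aip-ssm",
    mgmt_ip="10.89.149.10",        # assumed management address
    netmask="255.255.255.0",       # assumed management mask
    gateway="10.1.9.1",            # factory default gateway
    telnet_enabled=True,
    web_tls_enabled=True,
    allowed_hosts=[("192.168.75.34", "255.255.255.255")],
)

# Constructed "after" settings matching the changes made in this section.
AFTER = SensorNetworkSettings(
    hostname="aip-ssm",
    mgmt_ip="10.89.149.10",
    netmask="255.255.255.0",
    gateway="10.89.149.254",       # new management router
    telnet_enabled=False,
    web_tls_enabled=True,
    allowed_hosts=[("192.168.75.34", "255.255.255.255")],
)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_network_settings(cfg) or "OK")
    print("VPN client allowed:", host_allowed(AFTER, "192.168.75.34"))
```

Running the script reports two findings for the "before" settings (stale gateway and Telnet enabled) and none for the "after" settings; the /32 entry admits exactly the administrator's static VPN address and nothing else on that subnet.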
Configuring NTP
It is recommended that you use an NTP server as the AIP-SSM time source. The IPS administrator in Los Angeles installed a new NTP server (10.89.149.207) on the management network. He configures the NTP server parameters by choosing Configuration > Features > IPS > Sensor Setup > Time, as shown in Figure 20-7.
Figure 20-7. NTP Configuration
The IPS administrator adds the IP address of the NTP server (10.89.149.207). He also enters the NTP MD5 key (cisco123) and key ID (1) for NTP authentication. The NTP server uses the associated key when transferring data to the AIP-SSM.
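What the MD5 key and key ID configured above actually do is defined by NTP's symmetric-key authentication (RFC 5905): the sender appends to the 48-byte NTP header a 4-byte key identifier and a 16-byte MD5 digest computed over the shared key followed by the header, and the receiver recomputes the digest with the key it holds for that key ID. The following Python script is an added example, not code from the book or from Cisco, that builds an authenticated NTP packet and verifies it; the packet contents are constructed, and the key (cisco123) and key ID (1) are the values from this section.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

NTP_HEADER_LEN = 48
KEY_ID_LEN = 4
MD5_DIGEST_LEN = 16


def build_ntp_header(transmit_ts: int = 0) -> bytes:
    """Constructed 48-byte NTPv4 client header: LI=0, VN=4, Mode=3.

    Stratum, poll, precision, root delay/dispersion, reference ID and the
    first three timestamps are left zero; only the transmit timestamp is set.
    """
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack(
        "!BBBbIIIQQQQ",
        li_vn_mode, 0, 0, 0,      # LI/VN/Mode, stratum, poll, precision
        0, 0, 0,                  # root delay, root dispersion, reference ID
        0, 0, 0, transmit_ts,     # reference, origin, receive, transmit timestamps
    )


def ntp_md5_mac(key: bytes, header: bytes) -> bytes:
    """RFC 5905 MD5 MAC: digest over the key followed by the packet header."""
    return hashlib.md5(key + header).digest()


def authenticate(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append key ID and MD5 digest, producing the 68-byte authenticated packet."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    return header + struct.pack("!I", key_id) + ntp_md5_mac(key, header)


def verify(packet: bytes, keys: Dict[int, bytes]) -> bool:
    """Check the MAC against the key table; False for unknown ID or bad digest."""
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + MD5_DIGEST_LEN:
        return False
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])
    digest = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    key: Optional[bytes] = keys.get(key_id)
    if key is None:
        return False
    # Constant-time comparison so a verifier does not leak digest bytes by timing.
    return hmac.compare_digest(digest, ntp_md5_mac(key, header))


# Key table as the sensor would hold it: key ID 1 -> the MD5 key from this section.
SENSOR_KEYS = {1: b"cisco123"}


def demo() -> bool:
    """Build, authenticate and verify a packet; returns the verification result."""
    header = build_ntp_header(transmit_ts=0xE5A1_0000_0000_0000)  # constructed timestamp
    packet = authenticate(header, 1, SENSOR_KEYS[1])
    return verify(packet, SENSOR_KEYS)


if __name__ == "__main__":
    print("authenticated packet verifies:", demo())
```

The digest is a keyed MD5 over key and header, not an HMAC, which is why a server and client configured with different key strings for the same key ID will silently reject each other's time packets. A tampered header byte, a different key ID, or a key the receiver does not hold all make verify return False, which is the behaviour you want from the sensor when someone on the management network tries to feed it time.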
Adding Users
Four different types of users can be configured in the AIP-SSM:
- Viewers
- Operators
- Administrators
- Service
Note
The definition of each account type is discussed in Chapter 14.
In the following scenario, the IPS administrator needs to create the service account to be able to enter into the AIP-SSM service mode.
Note
The service user cannot log in to ASDM. This user is only used to log in to the AIP-SSM service mode (bash shell) for administrative purposes. The service account should only be used for troubleshooting purposes with the assistance of the Cisco Technical Assistance Center (TAC).
The service account is added as illustrated in Figure 20-8.
Figure 20-8. Adding Users
The security administrator navigates to Configuration > Features > IPS > Sensor Setup > Users and clicks the Add button. He enters service as the username and selects Service from the User Role drop-down menu. The corresponding password is also entered and confirmed, as shown in Figure 20-8.