1. Assign interface to a sensor in AIP-SSM
On the AIP-SSM you can configure interfaces for virtual sensors:
SA1-AIP-SSM(config-ana-vir)# physical-interface ?
GigabitEthernet0/0 GigabitEthernet0/0 physical interface.
GigabitEthernet0/1 GigabitEthernet0/1 physical interface.
There are only two, no matter how many interfaces the ASA has.
– GigabitEthernet0/0 can only be the Command and Control (management) interface.
– There is no Alternate TCP Reset interface on the AIP-SSM.
– GigabitEthernet0/1 can be the sensing interface.
That means that on the AIP-SSM you cannot link ASA interfaces to a sensor in sensor config mode (unlike on the 42xx series appliances). Instead, you select the traffic with ACLs referenced from the policy-map configuration in ASA config mode.
ASA config example:
ciscoasa(config)#access-list traffic_for_ips permit ip any any
ciscoasa(config)#class-map ips_class_map
ciscoasa(config)#policy-map global_policy
ciscoasa(config)#service-policy interface_policy global
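An added example (not from the original post or from Cisco's documentation): a Python check that a saved ASA configuration really chains access-list, class-map, policy-map and service-policy, so that the selected traffic reaches the AIP-SSM. The sub-mode commands (`match access-list`, `class`, `ips inline fail-open`) do not appear in the post, and both sample configs and the function name are constructed for illustration.

```python
import re
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # strips prompts such as "ciscoasa(config-cmap)#"
# Constructed sample configs; BAD applies a policy-map name that is never defined.
GOOD = """access-list traffic_for_ips permit ip any any
class-map ips_class_map
 match access-list traffic_for_ips
policy-map global_policy
 class ips_class_map
  ips inline fail-open
service-policy global_policy global"""
BAD = GOOD.replace("service-policy global_policy", "service-policy interface_policy")

def audit_ips_redirect(config):
    """Return findings for the ACL -> class-map -> policy-map (ips) -> service-policy chain."""
    acls, class_acl, pmaps, applied = set(), {}, {}, []
    mode = name = cls = None  # current sub-mode, its object name, current policy class
    for raw in config.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if len(words) < 2:
            continue
        if words[0] == "access-list":
            acls.add(words[1])
        elif words[0] == "class-map":
            mode, name = "cmap", words[-1]
            class_acl.setdefault(name, None)
        elif words[0] == "policy-map":
            mode, name, cls = "pmap", words[-1], None
            pmaps.setdefault(name, set())
        elif words[0] == "service-policy":
            applied.append(words[1])
        elif mode == "cmap" and words[:2] == ["match", "access-list"] and len(words) == 3:
            class_acl[name] = words[2]
        elif mode == "pmap" and words[0] == "class":
            cls = words[1]
        elif mode == "pmap" and cls and words[0] == "ips":
            pmaps[name].add(cls)  # this class hands its traffic to the IPS module
    findings, redirected = [], False
    for pol in applied:
        if pol not in pmaps:
            findings.append(f"service-policy {pol}: policy-map is not defined")
        for c in pmaps.get(pol, ()):
            acl = class_acl.get(c)
            if acl in acls:
                redirected = True
            else:
                findings.append(f"class {c}: class-map does not match a defined access-list")
    if not redirected:
        findings.append("no applied policy redirects traffic to the AIP-SSM")
    return findings
```

`audit_ips_redirect(GOOD)` returns an empty list, while `audit_ips_redirect(BAD)` reports the undefined policy-map and that nothing is redirected to the module.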
On the AIP-SSM, GE0/1 is required for every sensor to accept traffic from the ASA.
AIP-SSM example:
ciscoasa(config)# session 1
Opening command session with slot 1.
Hi! This is the smartest AIP-SSM what you have ever seen!!!
login: cisco
Last login: Fri Aug 17 15:56:10 on pts/0
There is also a hidden interface, sys0/0. It is the one you session through and where the heartbeat runs (if the heartbeat fails, the ASA detects it, applies fail-close or fail-open, and might fail over as well).
Send Network Traffic from the ASA to the AIP SSM Configuration Example
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
Posted on November 18, 2010