ASK THE EXPERT - TROUBLESHOOTING INTRUSION PREVENTION SYSTEMS

Unanswered Question
Mar 9th, 2007

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on troubleshooting intrusion prevention systems with Cisco expert Nadeem Khawaja. Nadeem supports various security offerings by Cisco Systems, Inc. including Cisco Secure PIX / ASA Firewall, Cisco IOS Firewall, Cisco Secure Access Control Server UNIX & Windows NT, Cisco Secure Intrusion Prevention Systems and Cisco Secure VPN at the High Touch Technical Support (HTTS). He is a double CCIE (# 9069) in routing & switching and in security and holds a CISSP.

Remember to use the rating system to let Nadeem know if you have received an adequate response.

Nadeem might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through March 23, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

lomonaco Fri, 03/09/2007 - 14:53

Hi Nadeem Khawaja,

I have the following scenario:

CLIENT ---> SSLSM ---> IDSM-2 --->FWSM --> SERVER

Between the client and the SSLSM module I'm using HTTPS (SSL). The SSLSM module catches the client request and sends it to the SERVER using HTTP. The IDSM-2 is using a VLAN inline pair.

My question is:

In this scenario, the IDSM-2 will always think that the client is the SSLSM module. If some attack happens, the IDSM-2 will block my SSLSM, not the original client.

What can I do to avoid that?

If you need, I can send to you the topology.

The IDSM-2's version is 6.0(1)E1.

Thanks in advance,

Andre Lomonaco

sebastan_bach Sat, 03/10/2007 - 06:52

Hi Nadeem, glad to have you back in the forum after a long time.

I have a 4215 IPS with 5.0 code. Now I want to update it to the 5.1 code. Could you please help me with the upgrade procedure?

It will be of great help to me.

Waiting for your reply.

Regards,

Sebastan

nkhawaja Tue, 03/13/2007 - 10:36

Hi Sebastan,

Thanks. What is the problem you are having upgrading from 5.0 to 5.1? If you can be specific, maybe we can figure it out.

Here are the upgrade procedures:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_installation_guide_book09186a008055dbea.html

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_installation_guide_chapter09186a008055fc6f.html

thanks

Nadeem

nkhawaja Tue, 03/13/2007 - 10:27

Hi Andre,

All the SSLM does is decrypt/encrypt the packets; it shouldn't be changing the source/destination IP addresses. If it is, and it is sourcing the packets from its own IP address, we have a problem. But I don't think the SSLM is changing the source/destination IP addresses.

Please let me know if that helps

thanks

Nadeem

followurself Mon, 03/12/2007 - 09:58

Hi,

I have an ASA 5520 with an IPS module. We have both production and testing web servers, so I have created 2 security contexts on the ASA firewall. When configuring IPS 6.0 I have some clarifications.

1) Anomaly detection

I have used the internal IP address range for our web servers under the internal zone.

What is TCP/UDP/other protocol, and how can I use these features?

2) Blocking

What makes the IPS send shun commands? How will it decide that the packets need to be blocked, because the action I use under event filters is to produce alert? Also in our case where we use ASA/IPS, what kind of configuration should exist in the blocking properties?

nkhawaja Tue, 03/13/2007 - 11:11

Hi,

1) Part of AD configuration is to define / enable the internal zone, IP address range and TCP/UDP or Other Protocols.

2) Shunning = Blocking. The event action for particular signatures must have Request Block Host or Request Block Connection configured/enabled for blocking to be triggered.

If the event action is to produce alert, it will only alert and not block. In blocking properties you should have the device IP address and password information.

Further configuration details can be found here.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids13/cliguide/cliblock.htm#wp1058089

Let me know if you need any further assistance.

thanks

Nadeem
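
As an added illustration of Nadeem's point (example code written for this edit, not from the page or from Cisco), the following Python models how an IPS 5.x/6.x sensor arrives at the final action set for an alert: the signature's own configured actions, plus any action added by an event action override whose risk-rating range matches, minus any action removed by an event action filter that matches. A block (a shun pushed to the ASA) is requested only when request-block-host or request-block-connection survives that computation, so a signature that only produces an alert never shuns. The add/subtract semantics and the risk-rating thresholds are assumptions stated in the code; the signature ID, addresses and the "never block the management subnet" filter are constructed for the example.

```python
"""Model of how a Cisco IPS 5.x/6.x sensor decides whether an alert triggers
blocking (shunning). Added example, not code from the page or from Cisco.

Assumed semantics (stated as an assumption): the final action set is
    signature's configured actions
    + actions added by event action overrides whose risk-rating range matches
    - actions removed by event action filters whose criteria match
Blocking happens only if a request-block-* action survives. The risk rating is
taken as an input (0-100) rather than recomputed from its components.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

BLOCKING_ACTIONS = frozenset({"request-block-host", "request-block-connection"})


@dataclass
class Alert:
    sig_id: int
    attacker: str
    victim: str
    risk_rating: int                              # 0-100, assumed precomputed
    actions: set = field(default_factory=set)     # the signature's own actions


@dataclass
class Override:
    """Event action override: ADDS an action when the risk rating is in range."""
    action: str
    rr_min: int
    rr_max: int

    def applies(self, alert):
        return self.rr_min <= alert.risk_rating <= self.rr_max


@dataclass
class Filter:
    """Event action filter: REMOVES actions from events matching its criteria."""
    remove: set
    sig_ids: Optional[set] = None                 # None = any signature
    attacker: str = "0.0.0.0/0"
    victim: str = "0.0.0.0/0"
    rr_min: int = 0
    rr_max: int = 100

    def applies(self, alert):
        return ((self.sig_ids is None or alert.sig_id in self.sig_ids)
                and ip_address(alert.attacker) in ip_network(self.attacker)
                and ip_address(alert.victim) in ip_network(self.victim)
                and self.rr_min <= alert.risk_rating <= self.rr_max)


def resolve_actions(alert, overrides=(), filters=()):
    """Signature actions + matching overrides - matching filters."""
    actions = set(alert.actions)
    for o in overrides:
        if o.applies(alert):
            actions.add(o.action)
    for f in filters:
        if f.applies(alert):
            actions -= f.remove
    return actions


def blocking_requested(actions):
    """True only if a block action survived; produce-alert alone never shuns."""
    return bool(actions & BLOCKING_ACTIONS)


# Constructed policy: an override that adds a host block for high-risk events,
# and a filter that keeps the sensor from ever shunning the management subnet.
OVERRIDES = [Override("request-block-host", rr_min=90, rr_max=100)]
FILTERS = [Filter(remove=set(BLOCKING_ACTIONS), attacker="10.0.0.0/24")]


def decide(alert, overrides=OVERRIDES, filters=FILTERS):
    """Return (final actions sorted, whether a block will be requested)."""
    actions = resolve_actions(alert, overrides, filters)
    return sorted(actions), blocking_requested(actions)


if __name__ == "__main__":
    # Constructed alerts: same signature, different risk ratings / sources.
    low = Alert(2004, "198.51.100.7", "192.0.2.10", 35, {"produce-alert"})
    high = Alert(2004, "198.51.100.7", "192.0.2.10", 95, {"produce-alert"})
    mgmt = Alert(2004, "10.0.0.5", "192.0.2.10", 95, {"produce-alert"})
    for a in (low, high, mgmt):
        print(a.attacker, a.risk_rating, decide(a))
```

Run as-is: the low-risk alert stays alert-only, the high-risk alert from an outside host picks up request-block-host from the override and would be shunned, and the same high-risk alert from the management subnet is stripped of its block action by the filter. That last case is the safeguard to check when, as in Andre's question above, the sensor might otherwise shun one of your own devices.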

jahilnt10 Tue, 03/13/2007 - 11:33

Well, we are using an IDS 4235 offline with mirrored ports and executing ACLs on the external router.

I want to build a custom signature which will reset the TCP SYN sessions if there are more than 10 or 12 from a single IP.

Can someone comment on how it's going to be with the Cisco IDS 4235?


s.demosthenous Thu, 03/15/2007 - 06:07

Hello,

I have an IDS 4250 that is managing a PIX 535.

The communication between them is SSH. The 2 devices are communicating OK.

The thing is that now I want to manage the PIX 535 through the ACS server.

I have made all the necessary configuration on the IDS 4250 (created an ACS user account on it), on the PIX 535 (AAA config) and on the ACS (added the PIX 535 and IDS 4250 as network devices).

After some troubleshooting it can be seen that when the IDS 4250 is trying to communicate with the PIX, the authentication passes but authorization for some reason fails.

The state on the IDS 4250 indicates INACTIVE.

Any help?

nkhawaja Thu, 03/15/2007 - 10:54

Hi,

You need to get the failed attempts reports from ACS. Can you look into that?

Thanks

Nadeem

s.demosthenous Thu, 03/15/2007 - 23:49

Hello,

I cannot see any failed attempt on the ACS. Instead I can see a passed authentication.

That means that when the IDS is trying to access the PIX it sends the credentials to the ACS and it is authenticated. It seems that when the IDS sends the enable command to the PIX, this one fails.

Can this setup work, or am I hopelessly trying?

vicente.madrigal Thu, 03/15/2007 - 14:50

Hi Nadeem,

I am having problems with the Cisco IOS Firewall IPS feature because the IPS starts dropping legitimate sessions with the following message:

*Mar 12 11:34:27.638: IP: s=192.168.15.196 (FastEthernet0/0), d=192.168.1.140 (FastEthernet0/1), len 40, dropped by inspect

Why is the inspect dropping the packets even if I don't have the inspect option enabled?

Also I want to know if the IPS functionality will work with HSRP and load balancing between the 2 HSRP routers.

Regards.

nkhawaja Sat, 03/17/2007 - 10:26

Hi

I would like to see your configuration, if you can share, just hide the IP addresses and send it over.

Most of the time, the dropped packets are due to out-of-order receive.

Yes IPS should work with HSRP.

thanks

Nadeem

vicente.madrigal Mon, 03/19/2007 - 16:22

Hi Nadeem,

Here is the config (I changed the IPs and removed some irrelevant parts of the config):

ip subnet-zero
ip cef
!
!
ip inspect name imss http
ip inspect name imss tcp
ip inspect name imss udp
ip ips name imss1 list 100
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key ***** address *****
crypto isakmp key ***** address *****
!
!
crypto ipsec transform-set IMMSS ***** *****
!
crypto map IMSS1 100 ipsec-isakmp
 set peer *****
 set transform-set IMMSS
 match address 150
!
!
crypto map IMSS2 100 ipsec-isakmp
 set peer *****
 set transform-set IMMSS
 match address 150
!
controller E1 0/2/0
 framing NO-CRC4
 channel-group 0 timeslots 1-31
!
!
interface FastEthernet0/0
 ip address 12.254.12.252 255.255.255.0
 ip access-group 100 in
 ip inspect imss in
 ip ips imss1 in
 no ip redirects
 ip load-sharing per-packet
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 standby 1 ip 12.254.12.254
 standby 1 priority 110
 standby 1 preempt
 standby 1 track Serial0/2/0:0.1
 standby 1 track Serial0/2/0:0.2
!
interface FastEthernet0/1
 ip address 192.168.5.10 255.255.255.252
 ip load-sharing per-packet
 ip nat outside
 ip virtual-reassembly
 ip ospf cost 10
 duplex auto
 speed auto
!
interface Serial0/2/0:0
 bandwidth 1984
 no ip address
 encapsulation frame-relay
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/2/0:0.1 multipoint
 description IMSS - Diveo 1/0:0.3
 ip address ***** 255.255.255.252
 ip load-sharing per-packet
 ip nat outside
 ip virtual-reassembly
 ip ospf cost 70
 ip ospf dead-interval 35
 no arp frame-relay
 frame-relay map ip ***** 21 broadcast
 crypto map IMSS1
!
interface Serial0/2/0:0.2 multipoint
 description IMSS - Diveo RDI 1/1:0.25
 ip address ***** 255.255.255.252
 ip load-sharing per-packet
 ip nat outside
 ip virtual-reassembly
 ip ospf cost 75
 ip ospf dead-interval 35
 no arp frame-relay
 frame-relay map ip ***** 109 broadcast
 crypto map IMSS2
!
interface Serial0/2/0:0.3 multipoint
 description IMSS - Diveo Imagenes 1/0:0.30
 ip address ***** 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 ip ospf cost 80
 ip ospf dead-interval 35
 no arp frame-relay
 frame-relay map ip ***** 16 broadcast
!
!
access-list 100 permit icmp any any log
access-list 100 permit udp any any log
access-list 100 permit ip any any log
access-list 150 permit ip any any

regards

nkhawaja Tue, 03/20/2007 - 10:22

Hi,

You do have IPS and inspect enabled. See below from your config:

interface FastEthernet0/0
 ip address x.254.12.252 255.255.255.0
 ip access-group 100 in
 ip inspect imss in
 ip ips imss1 in

I believe what is happening is that the packets are coming out of order and getting dropped.

vicente.madrigal Wed, 03/21/2007 - 10:45

Hi Nadeem, you are right, maybe this is the issue. I will do some tests and let you know. Is there any way to avoid dropping out-of-order packets?

I am also testing an environment with HSRP and load balancing where some of the traffic returns on the standby router (asymmetric routing). As far as I know this scenario is not supported; is this correct?
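
To make the out-of-order failure mode in this exchange concrete (an added simulation written for this edit, not from the page or from Cisco), the script below sends one TCP flow over two equal-cost paths with different latency, once with per-packet load sharing (as in the posted config, `ip load-sharing per-packet`) and once with per-destination load sharing, and feeds the arrivals to a stateful inspector that, like a strict sequence check, drops any segment arriving ahead of the next expected one; each dropped segment is then retransmitted. The inspector, the retransmission model and the path delays are simplifications constructed for the example, not the IOS Firewall implementation.

```python
"""Simulation of "dropped by inspect" caused by per-packet load sharing.

Added example, not from the page or from Cisco. Assumptions: two equal-cost
paths with fixed one-way delays; the inspector drops a segment that arrives
ahead of the next expected one (a simplification of IOS Firewall's TCP state
tracking); the sender retransmits each dropped segment at its next send slot.
"""
import heapq
from ipaddress import ip_address

PATH_DELAY = {0: 1, 1: 3}          # constructed: ticks of latency per path


def per_packet(send_count, flow):
    """ip load-sharing per-packet: alternate paths for every packet sent."""
    return send_count % len(PATH_DELAY)


def per_destination(send_count, flow):
    """ip load-sharing per-destination: hash the flow, so one path per flow."""
    return int(ip_address(flow[1])) % len(PATH_DELAY)


def simulate(n_segments, choose_path, flow=("192.168.15.196", "192.168.1.140"),
             max_ticks=10_000):
    """Send n segments of one flow, one per tick, through a stateful inspector.

    Returns the drop count, total transmissions (including retransmits), the
    number of segments the inspector passed in order, and the ticks elapsed.
    """
    pending = list(range(n_segments))   # segment numbers still to be (re)sent
    in_flight = []                      # heap of (arrival_tick, send_no, seg)
    expected, drops, sends, tick = 0, 0, 0, 0
    while (pending or in_flight) and tick < max_ticks:
        if pending:                                   # sender: one segment per tick
            seg = pending.pop(0)
            path = choose_path(sends, flow)
            heapq.heappush(in_flight, (tick + PATH_DELAY[path], sends, seg))
            sends += 1
        while in_flight and in_flight[0][0] <= tick:  # inspector: this tick's arrivals
            _, _, seg = heapq.heappop(in_flight)
            if seg == expected:
                expected += 1                         # in order: pass, advance state
            elif seg > expected:
                drops += 1                            # ahead of state: "dropped by inspect"
                pending.insert(0, seg)                # sender will retransmit it
            # seg < expected: duplicate of a segment already passed; ignored
        tick += 1
    return {"drops": drops, "sends": sends, "delivered": expected, "ticks": tick}


if __name__ == "__main__":
    for name, chooser in (("per-packet", per_packet),
                          ("per-destination", per_destination)):
        print(name, simulate(8, chooser))
```

With per-packet load sharing the faster path keeps delivering segments ahead of the slower one, so the inspector drops them and the flow only completes through retransmissions; with per-destination load sharing every segment of the flow takes the same path, nothing arrives early and nothing is dropped. That is the behaviour to look for when "dropped by inspect" shows up on a router that splits one flow across paths: keep each flow on a single path (per-destination load sharing) so the inspected stream stays in order.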

tazi44444 Fri, 03/16/2007 - 14:39

Hi,

I'm starting a business in web hosting and ASP (email services and HR services).

I need help with the right architecture for my network. I don't want to buy bandwidth from an ISP, but I prefer to set up my own network. I will have about 10 servers (2 for DNS, 2 for mail, 1 for LDAP, 1 Linux web hosting, 1 IIS server, 1 server for applications) and a SAN storage solution.

I need to set up my network: which router and firewall are right for my architecture, which switch I need to buy, and what the best architecture is for this: router, firewall, switch, 10 servers.

thanks .

nkhawaja Sat, 03/17/2007 - 10:37

Hi,

This is not an appropriate forum to give design advice, but a mid-range router and firewall should be good enough to accommodate this traffic.

thanks

Nadeem

coolpopsun Sun, 03/18/2007 - 23:14

Hi Sir,

Thanks a lot for your support. I am explaining a problem again as I am a new user in Cisco, CCNA certified.

I have three switches, two 2950 and one 3550.

The 3550 is connected to the 2950 (1st) as a trunk port at both sides, and another 2950 (2nd) is also connected to the 2950 (1st) as a trunk.

The 3550 is in the VTP server domain and has 4 VLANs: VLAN 2, VLAN 3, VLAN 4 and VLAN 5.

Now I want in the 2950 (1st switch) 4 PCs in VLAN 2 and 4 PCs in VLAN 3, and in the 2950 (2nd switch) 4 PCs in VLAN 4 and 4 PCs in VLAN 5.

When I did all the configuration I found I was not able to ping the management IP, and also found a problem with inter-VLAN routing in the switches. I am not able to ping between VLANs. What to do? I am so confused about how to do inter-VLAN routing in switches.

So please provide me a solution: please use any IP addresses in the switches as you want and please provide me the full configuration for both the Cisco 3550 server and the 2950 clients with step-by-step commands, as I have been trying this for the last 3 days but am not getting any success.

Please do the needful. Please provide a complete solution with the IP addresses you want to use and step-by-step configuration of the switches.

I will wait for your kind response.

Regards,

coolpopsun

nkhawaja Mon, 03/19/2007 - 12:56

Hi,

Is there any particular reason for the upgrade? If there is no issue and you are not running into any bug, then don't upgrade.

thanks

Nadeem

Fernando_Meza Mon, 03/19/2007 - 16:14

Hi Nadeem,

I have a question: using 2 6513 chassis with one IDSM-2 in each one, is there a possibility to load balance the inspected traffic and at the same time provide redundancy in case one chassis goes down? And if so, would you mind referring me to some useful links I could review? Thanks in advance.

nkhawaja Tue, 03/20/2007 - 10:18

Hi,

What version are you using? Is your IDSM in inline mode?

By load balancing do you mean some VLANs being inspected by one IDSM and some by the other?

thanks

Nadeem

Fernando_Meza Tue, 03/20/2007 - 21:52

hi Nadeem,

Version 5.1 at the moment. Ideally I would like to load balance the inspected traffic either by using VLANs or RSPAN, but at the same time I would like to be able to provide redundancy, i.e. if the first chassis goes down I would like to still provide the same traffic inspection with one IDSM. I am not sure whether this is a viable solution, and so I have not thought about IPS vs. IDS mode yet. I appreciate your comments.

Fernando_Meza Thu, 03/22/2007 - 16:33

Thanks Nadeem,

Unfortunately I can't access that document. The error that I am getting when typing in http://cco/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a0080459221.html#wp1054534

is:

"You don't have permission to access /en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a0080459221.html on this server."

Would you be able to post it as a PDF?

Thanks
