AIM-IPS-K9 Laboratories


Hi

I am doing some practice laboratories.

I have an AIM-IPS-K9 module in a 2811 router and I have configured the interfaces as described in this link:

http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_aim.html#wp1044942

I want to know if I can manage the IPS through a GUI. If it is possible, how can I get into the module's GUI? I can't ping the module (from inside the module I can ping everything).

I can get into the SDM on the router, but I think the IPS option in the SDM is for managing IOS IPS and not the module. Is that true?

I think I can't ping the module's IP address because it works like a firewall, so how can I get into the module?

Thanks a lot





marcabal (Cisco Employee) Tue, 03/03/2009 - 08:45

2 main things:

1) You have not configured an access-list on your AIM-IPS. With the default configuration the AIM-IPS will not allow any remote connections.

You will need to session to the AIM-IPS and run the "setup" command. One of the options in "setup" is to modify the access-list. You will need to add in the IP address (or entire network) of the box where you want to run IDM.

2) Your route statement in the router config is using the wrong address.

"ip route 3.3.3.1 255.255.255.255 IDS-Sensor0/1"

should be:

"ip route 3.3.3.2 255.255.255.255 IDS-Sensor0/1"

Notice the difference between 3.3.3.1 and 3.3.3.2 in the 2 commands.

Once you've made these changes, try your ping test again. If the ping works, next try an ssh connection to the sensor.

If both of these are working, try browsing to the sensor at "https://3.3.3.2" and you should be able to start up IDM for managing the sensor.

NOTE: Once you get IDM running, you might consider downloading and installing IME. IME has the same configuration capability as IDM, but also has monitoring capability that IDM does not have.

From a monitoring perspective there are some additional things you need to know.

1) When you run "setup" you will be given the option of modifying the virtual sensors. You want to choose "yes", and you will want to add the GigabitEthernet0/1 interface to virtual sensor vs0 for monitoring.

Without this setting the packets might get to the AIM-IPS, but the AIM-IPS will not do any analysis on them.

2) To best test the AIM-IPS's monitoring capability you really need packets to flow through the router.

So I would recommend enabling the FastEthernet0/1 interface of your router and giving it an address on a new network (4.4.4.0 maybe for the network and 4.4.4.1 as the router's address).

Then connect a new machine to this router's interface and give it an IP on that new network (4.4.4.3 maybe).

You will need to be sure that routes for this new network are properly configured for the machines in your 2.2.2.0 network.

Now send traffic between a machine on the 2.2.2.0 network and the new machine on the 4.4.4.0 network. That traffic will be routed through the router, and if matched by access-list 101 it should be sent to the AIM-IPS for inline monitoring.

You can run "packet display GigabitEthernet0/1" on the AIM-IPS to see what traffic is being sent to the AIM-IPS by the router for monitoring.

Now that you have traffic going through the router and being monitored by the AIM-IPS, you can proceed with trying to generate attack traffic that the AIM-IPS should alert on and possibly deny.
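The router-side and sensor-side configuration that the answer above walks through, assembled as an added example (it is not from the original thread or from Cisco's documentation). It assumes FastEthernet0/0 carries the existing 2.2.2.0/24 network, that 3.3.3.0/24 is the router-to-module link with 3.3.3.1 on the router and 3.3.3.2 on the module, a /24 mask throughout, and the `ids-service-module monitoring` and `service host` syntax of the IPS 6.x CLI.

```cisco
! --- Router (2811) side; assumed interface names and masks, see lead-in ---
configure terminal
!
! Management path to the module. The static route must point at the module's
! own address (3.3.3.2), not at the router-side address (3.3.3.1).
interface IDS-Sensor0/1
 ip address 3.3.3.1 255.255.255.0
 service-module ip address 3.3.3.2 255.255.255.0
 service-module ip default-gateway 3.3.3.1
 no shutdown
ip route 3.3.3.2 255.255.255.255 IDS-Sensor0/1
!
! Second LAN so that traffic is routed THROUGH the router and can be inspected.
interface FastEthernet0/1
 ip address 4.4.4.1 255.255.255.0
 no shutdown
!
! Only traffic between the two LANs is diverted to the module for inline analysis;
! management traffic to 3.3.3.2 is deliberately not matched.
access-list 101 permit ip 2.2.2.0 0.0.0.255 4.4.4.0 0.0.0.255
access-list 101 permit ip 4.4.4.0 0.0.0.255 2.2.2.0 0.0.0.255
!
! Bind the ACL to the inside interface so matching packets go to the AIM-IPS inline.
interface FastEthernet0/0
 ids-service-module monitoring inline access-list 101
end
!
! --- Sensor side (reached with: service-module IDS-Sensor0/1 session) ---
! CLI equivalent of the access-list step in "setup": allow the IDM/IME host network.
configure terminal
service host
network-settings
access-list 2.2.2.0/24
exit
exit
!
! --- Checks, in the order the answer suggests ---
! router# ping 3.3.3.2                      -> must succeed before trying the GUI
! router# ssh -l <sensor-user> 3.3.3.2      -> CLI reachable through the new route
! browser: https://3.3.3.2                  -> IDM launches once SSH works
! sensor# packet display GigabitEthernet0/1 -> shows only the 2.2.2.0<->4.4.4.0 traffic
```

If "packet display" shows nothing while the two LANs talk, check that GigabitEthernet0/1 was added to virtual sensor vs0 in "setup"; the router-side ACL alone does not make the module analyze the packets.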
