AIM IPS deployment; my module can't see the rtr

walter baziuk
Level 5

Hello

I am trying to deploy an AIM-IPS inside a 2811 rtr. The module is seen by the rtr and I can log into the AIM-IPS module.

I have followed Cisco recommendation by NOT giving the inside interface an address and have used ip unnumbered.

  • I can log into the AIM-IPS, see the config and make changes.
  • I can't get new signatures in, since I don't have a license file
  • I can't get the license file installed as the AIM-IPS can "see out"
  • I can't even ping the RTR from the AIM-IPS
  • I can't ping the AIM-IPS from the RTR

The AIM-IPS is bound to the same subnet and interface as the internal address

Anyone have any suggestions?

Any tips for a successful deployment?

Below are the config details from the rtr and AIM-IPS

cheers

walter

--------------------

IOS 124-24.T1

** Partial rtr config

#sh inv

NAME: "Cisco Intrusion Prevention System AIM in AIM slot: 0", DESCR: "Cisco Intrusion Prevention System AIM"
PID: AIM-IPS-K9        , VID: V03 , SN: xxx

interface IDS-Sensor0/0
 ip unnumbered GigabitEthernet0/3/0.1
 ip nbar protocol-discovery
 service-module fail-open
 hold-queue 60 out

interface GigabitEthernet0/3/0.1
 description Data Vlan $FW_INSIDE$
 encapsulation dot1Q 1 native
 ip address 192.168.200.1 255.255.255.128
 ip access-group 100 in
 ip access-group sdm_fastethernet0/0.1_out out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly

ip route 182.168.200.99 255.255.255.255 IDS-Sensor0/0

** AIM IPS config

sh config

! ------------------------------
! Current configuration last modified Tue Aug 30 19:58:58 2011
! ------------------------------
! Version 7.0(2)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S425.0   2009-08-17
!     Virus Update        V1.4     2007-03-02
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 192.168.200.99/25,192.168.200.1
host-name aim-ips
telnet-option disabled
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service analysis-engine
exit

aim-ips#
aim-ips# ping 192.168.200.1
PING 192.168.200.1 (192.168.200.1): 56 data bytes
--- 192.168.200.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
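An added consistency check (my own example, not code from the thread or from Cisco) that parses the two configs posted above and cross-checks the AIM-IPS host-ip against the router's ip unnumbered source and the /32 route for the sensor. The excerpts are constructed from the post; run against them, the check reports that the static route's host 182.168.200.99 does not match the sensor's 192.168.200.99.

```python
import ipaddress
import re

# Constructed excerpts of the router and AIM-IPS configs posted in the thread.
ROUTER_CFG = """\
interface IDS-Sensor0/0
 ip unnumbered GigabitEthernet0/3/0.1
interface GigabitEthernet0/3/0.1
 ip address 192.168.200.1 255.255.255.128
ip route 182.168.200.99 255.255.255.255 IDS-Sensor0/0
"""
AIM_CFG = "service host\nnetwork-settings\nhost-ip 192.168.200.99/25,192.168.200.1\n"


def sensor_findings(router_cfg, aim_cfg):
    """Cross-check the IDS-Sensor plumbing on the router against the AIM-IPS
    host-ip. Returns a list of finding strings; an empty list means consistent."""
    ifaces, routes, cur = {}, [], None
    for raw in router_cfg.splitlines():
        if raw.startswith(" ") and cur is not None:  # indented: interface sub-command
            ifaces[cur].append(raw.strip())
            continue
        cur, line = None, raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif line.startswith("ip route "):
            routes.append(line.split())
    sensor = next((n for n in ifaces if n.startswith("IDS-Sensor")), None)
    if sensor is None:
        return ["router has no IDS-Sensor interface"]
    # The sensor interface borrows its address from the 'ip unnumbered' source.
    src = next((c.split()[2] for c in ifaces[sensor] if c.startswith("ip unnumbered ")), None)
    addr = next((c.split()[2:4] for c in ifaces.get(src, []) if c.startswith("ip address ")), None)
    if addr is None:
        return [f"{sensor}: no 'ip unnumbered' source with an ip address"]
    rtr = ipaddress.ip_interface("{}/{}".format(*addr))
    m = re.search(r"host-ip\s+(\S+/\d+),(\S+)", aim_cfg)
    if m is None:
        return ["AIM-IPS config has no host-ip"]
    aim, gw = ipaddress.ip_interface(m.group(1)), ipaddress.ip_address(m.group(2))
    findings = []
    if aim.network != rtr.network:
        findings.append(f"AIM-IPS {aim} is outside {src} subnet {rtr.network}")
    if gw != rtr.ip:
        findings.append(f"AIM-IPS gateway {gw} is not {src} address {rtr.ip}")
    # A /32 route for the sensor address must point at the IDS-Sensor interface; without it
    # the router resolves that address on the LAN interface instead of the module.
    hosts = [r[2] for r in routes if len(r) > 4 and r[3] == "255.255.255.255" and r[4] == sensor]
    if str(aim.ip) not in hosts:
        findings.append(f"no /32 route for {aim.ip} via {sensor} (found: {hosts or 'none'})")
    return findings
```

Calling `sensor_findings(ROUTER_CFG, AIM_CFG)` returns the single route-mismatch finding; the same check passes once the route host and the sensor host-ip agree.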

3 Replies

marcabal
Cisco Employee

You have access-lists applied to your GigabitEthernet0/3/0.1.

Do you have traffic to/from the sensor's 192.168.200.99 address permitted in these access lists?

hello:

I had nothing in the access lists that would deny traffic to/from the same subnet.

I have since added a specific rule for the AIM-IPS device, still no difference (;

I added this to the interface to ensure inter-VLAN traffic on the one-arm router would work:

no ip split-horizon

This did not have any effect w.r.t. the AIM-IPS.

I need to be able to upload the license file so that i can first update the signature

any other suggestions

update:

I was NEVER able to get this to work on a "one arm router" regardless of which VLANs I used.

I sent a note to my Cisco SE as to why inter-VLAN routing does not work on 2800 & 3800 series ISR routers with traffic between VLANs that share the same physical link. Anyone ever get this to work?

I had a spare unused L3 physical i/f on the ISR router, so I tried this long shot.

  • I created a new subnet /30,
  • plugged a cable into the I/F (just to get it to go up/up),
  • changed the AIM-IPS ip address to the new I/F
  • added a static route to the new address for the AIM-IPS and pointed it to the new i/f

VOILA, the AIM-IPS is now working

service modules summary

  • do not support inter-VLAN routing between VLANs that share the same physical link.
  • work when placed on a separate physical i/f

anyone else get this to work without using a separate i/f?

if so, how and which platform?
