I've got a strange problem here - I activated IOS IPS on both the internal and external interfaces in the incoming direction and also had to run CBAC on the incoming direction of the external interface. The result of all this is that the IPS is counting connections from the internal network and for some reason it's overwriting the statistics generated by CBAC, even though CBAC is enabled only on the external interface in the incoming direction. I'm using an 1812 router with 12.4(2)XA IOS. I searched for bugs in the Bug Toolkit; nothing showed up. Here are the outputs:
Any idea about that? I'm pretty sure it's a bug but still can't prove it. As you can see, I'm monitoring only HTTP traffic entering the internal network with CBAC (they have a single web server which for sure cannot handle that many connections). I'll be glad if you can help, but anyway, if we can't find the truth behind this I'll simply disable the IPS on the internal interface and I think I'll get statistics much closer to reality (I need them to tune CBAC TCP Intercept values). Besides that, it's pretty nasty that you can't see separate statistics for each interface, but anyway - I can live with that if I manage to get accurate statistics with limited security in that case. Thanks in advance!
Latest update: I found a bug for IPS 5.0 which I think is related to my problem, but I'm using IPS v4 signatures because I need something like 12.4(15)T for IPS 5.0 signatures, so I'm not sure that's my case.
Headline: IPS5.0 : Signature statistics not displayed correctly
Feature: OTHERS
Components:
Duplicate of:
Severity: 3
Status: Resolved
First Found-in Version: 12.4(10.8)T01
First Fixed-in Version: 12.4(12.15)T
This is a CLI display bug
idConf/IPS 5.0 is configured on the IOS router
Further Problem Description:
First thing that disturbs me - it's for 5.0; second thing - it sounds like IPS statistics are not correct, and in my case we are talking about CBAC statistics. Any idea?