IOS IPS ACL failure

haithamnofal
Level 3

Hi,

I am enabling IOS IPS on my router's fa0/1 interface and filtering out some IP addresses from this IPS as per the config below; however, the IPS is still firing signatures when receiving malicious traffic from these IPs!!

Any ideas why?!!

Here is the IPS config:

ip ips sdf location flash:/128MB.sdf
ip ips signature 2004 0 disable
ip ips name MyIPS list 1
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
ip address 10.2.2.254 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.254 255.255.255.0
ip ips MyIPS in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
logging trap debugging
logging 10.1.1.111
access-list 1 deny 10.1.1.111
access-list 1 deny 192.1.24.10
access-list 1 permit any

And here is the alarm which I see:

04-15-2008 01:12:56 Local7.Warning 10.1.1.254 130: *Apr 14 22:12:29.255: %IP_VFR-4-TOO_MANY_FRAGMENTS: FastEthernet0/1: Too many fragments per datagram (more than 32) - sent by 10.1.1.111, destined to 10.1.1.254

What surprised me more is that I disabled the IPS on fa0/1 using the command "no ip ips MyIPS in", but the router kept giving me alarms!!

Any thoughts!!

R/ Haitham


didyap
Level 6

To create an access control list (ACL) filter for the deny actions on the intrusion prevention system (IPS) interface rather than the ingress interface, use the ip ips deny-action ips-interface command in global configuration mode. To return to the default, use the no form of this command.

ip ips deny-action ips-interface

Follow the URL for further IPS commands:

http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_i1gt.html#wp1195427
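As an added example (not from either post), a small Python triage helper for the alarm quoted in the question: it extracts the IOS syslog facility and mnemonic, applies the first-match semantics of standard ACL 1 from the config above, and notes which feature raised the message. It assumes the documented semantics of ip ips name ... list (traffic denied by the list is not inspected by that IPS rule) and the fact that %IP_VFR messages are emitted by ip virtual-reassembly rather than by the IPS rule; the sample log line is the one quoted in the question.

```python
import ipaddress
import re

# %FACILITY-SEVERITY-MNEMONIC: text, as in %IP_VFR-4-TOO_MANY_FRAGMENTS
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): ?(?P<text>.*)")
# Source/destination as printed in the TOO_MANY_FRAGMENTS alarm quoted in the post
VFR_RE = re.compile(r"sent by (?P<src>[\d.]+), destined to (?P<dst>[\d.]+)")
# IOS feature that emits each syslog facility (only the two relevant to this thread)
FEATURE_BY_FACILITY = {"IP_VFR": "ip virtual-reassembly", "IPS": "ip ips"}
# Standard ACL 1 from the post; a bare address in a standard ACL matches that single host
ACL_1 = [("deny", "10.1.1.111"), ("deny", "192.1.24.10"), ("permit", "any")]
# Constructed input: the alarm line quoted in the question
SAMPLE = ("04-15-2008 01:12:56 Local7.Warning 10.1.1.254 130: *Apr 14 22:12:29.255: "
          "%IP_VFR-4-TOO_MANY_FRAGMENTS: FastEthernet0/1: Too many fragments per datagram "
          "(more than 32) - sent by 10.1.1.111, destined to 10.1.1.254")

def standard_acl_action(acl, ip):
    """First-match lookup with the implicit 'deny' that ends every IOS ACL."""
    addr = ipaddress.ip_address(ip)
    for action, match in acl:
        if match == "any" or ipaddress.ip_address(match) == addr:
            return action
    return "deny"

def parse_ios_syslog(line):
    """Return facility/severity/mnemonic/text and, for IP_VFR alarms, src and dst."""
    m = MSG_RE.search(line)
    if not m:
        return None
    msg = m.groupdict()
    v = VFR_RE.search(msg["text"])
    if v:
        msg.update(v.groupdict())
    return msg

def triage(line, acl=ACL_1):
    """Say whether the IPS exclusion list could have suppressed this alarm."""
    msg = parse_ios_syslog(line)
    if msg is None:
        return {"parsed": False}
    feature = FEATURE_BY_FACILITY.get(msg["facility"], "unknown")
    src = msg.get("src")
    # 'ip ips name MyIPS list 1': traffic denied by ACL 1 is not inspected by the IPS rule
    excluded = src is not None and standard_acl_action(acl, src) == "deny"
    # The list on the IPS rule governs only alarms raised by the IPS feature itself
    return {"parsed": True, "feature": feature, "src": src,
            "excluded_from_ips": excluded, "acl_applies": feature == "ip ips"}
```

Running triage(SAMPLE) reports that 10.1.1.111 is denied by ACL 1 (so excluded from IPS inspection) but that the alarm belongs to ip virtual-reassembly, which the list on the IPS rule does not govern.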
