IPS not functioning

Discussion in 'Cisco' started by Kronos, Sep 1, 2005.

  1. Kronos

    Kronos Guest

    Hello all,

    I have a Cisco 871 router, which I installed the SDM on. When I try to
    configure the IPS, it tells me the module is not there.

    So, I loaded the ips.tar file to the router from the SDM cd, and the
    128MB.sdf file for the signatures. When I use the SDM now, though, it
    still tells me that the IPS is not loaded.

    I rebooted the router, but nothing. Do I need to load ips.tar in
    memory for it work? If so, how? I've looked up every command I could
    find but no cigar...

    Thanks!
    Kronos, Sep 1, 2005
    #1

  2. RobO

    RobO Guest

    Hi,

    I am not familiar with enabling IPS within SDM but could guide you
    though it via console/telnet/ssh.

    Generally via the command line one would create an IPS statement with a
    name, then configure the SDF file location and then apply that rule to
    an interface, more than likely inbound on the internet facing
    interface.

    Something like this:

    config t
    ip ips name IPS_CHECK
    ip ips sdf location flash:128MB.sdf
    ip ips notify log
    ! notify log sends the IPS alarms to syslog
    int x
    ip ips IPS_CHECK in

    This is the minimum to get started.

    Bear in mind the 128MB.sdf file is for routers with a minimum of 128MB
    RAM, which I'm sure you know about.

    You might not find any signature matches right away in the logs but
    something should come up...eventually.
    That is if there is not some bug within the IOS.
    If you are able to post a running configuration please do so if it
    still doesn't work.

    Hope this helps,

    Rob
    RobO, Sep 1, 2005
    #2
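As an added illustration of the three steps Rob lists (define the rule, point it at the SDF, bind it inbound on the outside interface), here is a small checker that reads an IOS running-config and reports which of those pieces is missing. This is example code written for this thread, not anything from Cisco or SDM; the sample config is constructed in the shape of Kronos's posted config with Rob's IPS lines added, and the 203.0.113.10 address is a placeholder.

```python
import re

# Constructed sample in the shape of the thread's config, with RobO's IPS lines added.
SAMPLE_CONFIG = """\
ip ips name IPS_CHECK
ip ips sdf location flash:128MB.sdf
!
interface FastEthernet4
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
 ip ips IPS_CHECK in
!
interface Vlan1
 ip address 10.0.253.12 255.255.255.0
 ip nat inside
!
"""

def parse_interfaces(config):
    """Map interface name -> its sub-commands (IOS indents them by one space)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or an unindented global command closes the block
    return interfaces

def audit_ips(config):
    """Check RobO's three steps: rule defined, SDF located, rule bound to the outside interface."""
    findings = []
    rules = set(re.findall(r"^ip ips name (\S+)", config, re.M))
    if not rules:
        findings.append("no 'ip ips name' rule defined")
    if not re.search(r"^ip ips sdf location \S+", config, re.M):
        findings.append("no 'ip ips sdf location' (signature file) configured")
    bound = False
    for name, cmds in parse_interfaces(config).items():
        applied = {c.split()[2] for c in cmds if re.match(r"ip ips \S+ (in|out)$", c)}
        if applied & rules:
            bound = True
        elif "ip nat outside" in cmds:  # the internet-facing interface RobO points at
            findings.append(f"{name} is the outside interface but has no IPS rule applied")
    if rules and not bound:
        findings.append("IPS rule defined but not applied to any interface")
    return findings
```

Running it over the config Kronos posted (which has no `ip ips` lines at all) reports the missing rule and the unprotected FastEthernet4; over the sample above it reports nothing.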

  3. Kronos

    Kronos Guest

    Hi Rob,

    thanks for your help, but I'm still having a problem. When running "ip
    ips name IPS_CHECK", I get the error "% Invalid input detected at '^'
    marker." And the marker is under the "ips" word.

    Here's my running config. Of course, I've removed a few values, but
    it's the whole of it :)
    I'm messing with my first Cisco here, so I know it's not totally
    configured yet...

    ============================================================

    Current configuration : 5241 bytes
    !
    ! Last configuration change at 16:50:47 PCTime Fri Sep 2 2005 by admin
    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname cisco1
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 ************************
    !
    username admin privilege 15 secret 5 ************************
    clock timezone PCTime -5
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    ip subnet-zero
    no ip source-route
    ip cef
    !
    !
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip tcp synwait-time 10
    no ip bootp server
    ip domain name test.local
    ip name-server 10.0.253.2
    ip name-server 64.254.144.134
    ip ssh time-out 60
    ip ssh authentication-retries 2
    vpdn-group 1
    accept-dialin
    protocol pptp
    virtual-template 2
    terminate-from hostname cisco1
    !
    no ftp-server write-enable
    !
    !
    !
    !
    !
    !
    !
    interface FastEthernet0
    no ip address
    no cdp enable
    !
    interface FastEthernet1
    no ip address
    no cdp enable
    !
    interface FastEthernet2
    no ip address
    no cdp enable
    !
    interface FastEthernet3
    no ip address
    no cdp enable
    !
    interface FastEthernet4
    description $ES_WAN$$FW_OUTSIDE$
    ip address (EXTERNAL_IP_HERE) 255.255.255.0
    ip access-group 101 in
    ip verify unicast reverse-path
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect DEFAULT100 out
    ip nat outside
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    no cdp enable
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
    ip address 10.0.253.12 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    ip tcp adjust-mss 1452
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 (GATEWAY_HERE)
    !
    ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source list 1 interface FastEthernet4 overload
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 10.0.253.0 0.0.0.255
    access-list 2 remark HTTP Access-class list
    access-list 2 remark SDM_ACL Category=1
    access-list 2 permit 10.0.253.0 0.0.0.255
    access-list 2 deny any
    access-list 100 remark auto generated by Cisco SDM Express firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip (EXTERNAL_SUBNET_HERE) 0.0.0.255 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 100 remark auto generated by Cisco SDM Express firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 101 remark auto generated by Cisco SDM Express firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 deny ip 10.0.253.0 0.0.0.255 any
    access-list 101 permit icmp any host (WAN_IP_HERE) echo-reply
    access-list 101 permit icmp any host (WAN_IP_HERE) time-exceeded
    access-list 101 permit icmp any host (WAN_IP_HERE) unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any
    access-list 101 remark auto generated by Cisco SDM Express firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 102 remark VTY Access-class list
    access-list 102 remark SDM_ACL Category=1
    access-list 102 permit ip 10.0.253.0 0.0.0.255 any
    access-list 102 deny ip any any
    access-list 102 remark VTY Access-class list
    access-list 102 remark SDM_ACL Category=1
    snmp-server community public RO
    snmp-server community private RW
    snmp-server location cisco1
    snmp-server contact
    snmp-server host (SNMP_SERVER_HERE)
    no cdp run
    !
    control-plane
    !
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    no modem enable
    transport preferred all
    transport output telnet
    line aux 0
    transport preferred all
    transport output telnet
    line vty 0 4
    access-class 102 in
    exec-timeout 60 0
    transport preferred all
    transport input telnet ssh
    transport output all
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end

    ============================================================

    Thanks for the help!
    Kronos, Sep 2, 2005
    #3
  4. RobO

    RobO Guest

    Kronos wrote:
    > When running "ip ips name IPS_CHECK", I get the error "% Invalid input detected at '^'
    > marker." And the marker is under the "ips" word.


    Just to confirm, did you try the command in global configuration mode? i.e.:

    router#
    router#config t
    router(config)#ip ips name IPS_CHECK

    If it still doesn't give you the option then probably the IOS version
    you have does not support it!

    What is your IOS version?
    router#show version
    Post the output of that.

    Rob.
    RobO, Sep 3, 2005
    #4
  5. Kronos

    Kronos Guest

    No, even with config t it doesn't work. Which is weird since I was
    told it supports IPS...

    cisco1#show version
    Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version
    12.3(8)YI1, RELEASE SOFTWARE (fc1)
    Synched to technology version 12.3(10.3)T2
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2005 by Cisco Systems, Inc.
    Compiled Fri 22-Apr-05 14:57 by ealyon

    ROM: System Bootstrap, Version 12.3(8r)YI, RELEASE SOFTWARE
    ROM: Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version
    12.3(8)YI1, RELEASE SOFTWARE (fc1)

    cisco1 uptime is 4 days, 18 hours, 3 minutes
    System returned to ROM by reload
    System restarted at 13:44:34 PCTime Thu Sep 1 2005
    System image file is "flash:c870-advsecurityk9-mz.123-8.YI1.bin"
    Last reload reason: Reload command
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be
    found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to
    .

    Cisco 871 (MPC8272) processor (revision 0x100) with 118784K/12288K
    bytes of memory.
    Processor board ID FHK093213P8
    MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
    5 FastEthernet interfaces
    128K bytes of non-volatile configuration memory.
    24576K bytes of processor board System flash (Intel Strataflash)

    Configuration register is 0x2102
    Kronos, Sep 6, 2005
    #5