CISCO 2851 with IPS configuration

Hi guys, I'm planning to do an IOS IPS configuration on a newly purchased 2851 router; the spec is as below:
CISCO2851-HSEC/K9
CISCO 2800 AdvanceIPservice :Version 12.4(15)T10
64MB CF default
512DDR DRAM
My problem right now is that when I tried to configure the IPS feature, SDM Express ver 2.5 doesn't have the IPS tabs that allow me to configure it. I noticed and highly suspect that this is due to it being the Express version of SDM instead of the full/enhanced version of SDM. I tried downloading the full version of SDM from Cisco; the file size is 14MB, and my current CF free space is only 7MB. The IOS itself has used up 51MB. So I'm going to advise my customer that running IPS on the router is not possible due to the limited CF size. Can someone who is experienced in IPS correct me if I'm wrong? I'm fresh in the security area.
PS: I know the workaround is to install CSM on a workstation and then configure and manage this router from it.
Thanks

Hi Collin,
Thanks for your advice. I did read through the configuration that you posted. One line which I'm not clear about is:
"copy flash:/IOS-S302-CLI.pkg idconf"
Where is this idconf? Is it a flash folder or somewhere else? Why do we need to copy the signature file to this idconf? Or, my guess, does this idconf refer to "flash:/ips"?
regards,

Similar Messages

  • Cisco 2851 with 2-SFP ??

    Hi All,
    First of all, wishing you all a very Happy New Year!!!!
    I want to know whether it is possible to connect 2-HWIC-SFP (1GB) modules to a Cisco 2851 router?

    Only one.   See below (Table 3).
    Cisco Gigabit Ethernet High-Speed WAN Interface Card

  • Cisco 2851 with multiple SIP registrars

    I'm trying to setup up my 2851 to register with two registrars (sipgate.co.uk and voiptalk.org).
    Looking at "show sip-ua register status" it seems that I have successfully registered, but oddly it is trying to use the authentication of each other on both:
    router1#show sip-ua register status
    --------------------- Registrar-Index  1 ---------------------
    Line                             peer       expires(sec) registered P-Associ-URI
    ================================ ========== ============ ========== ============
    100XXXX                          -1         465          yes       
    8449XXXX                         -1         165          no        
    --------------------- Registrar-Index  2 ---------------------
    Line                             peer       expires(sec) registered P-Associ-URI
    ================================ ========== ============ ========== ============
    100XXXX                          -1         165          no        
    8449XXXX                         -1         2865         yes 
    So it looks like it's trying to register using 100XXXX and 8449XXXX with both registrars, which is wrong.
    I confirmed this using tcpdump.
    I've been using this page to help configure the sip trunks: http://www.cisco.com/c/en/us/td/docs/ios/voice/sip/configuration/guide/15_1/sip_15_1_book/sip_cg-multi-registrars.html
    I have this as my sip-ua config:
    sip-ua
    credentials number 100XXXX username 100XXXX password 7 PASSWORD1 realm sipgate.co.uk
    credentials number 8449XXXX username 8449XXXX password 7 PASSWORD2 realm voiptalk.org
    nat symmetric role active
    nat symmetric check-media-src
    no remote-party-id
    retry invite 2
    retry register 10
    timers connect 100
    registrar 1 dns:sipgate.co.uk expires 3600
    registrar 2 dns:voiptalk.org expires 3600
    connection-reuse
    host-registrar
    protocol mode dual-stack preference ipv6
    Am I missing something obvious? :/ What could I be doing wrong?

    Hope this link helps out:
    http://tekcert.com/blog/2011/02/03/cme-configuration-example-sip-trunks-viatalk-and-voipms
    rate the post accordingly.
    Regards,
    Kevin

  • How do I use Cisco MARS to monitor two ASA (active/stby) with IPS modules?

    Hi
    The two ASAs with IPS modules are in active/standby mode. When I try to add both IPs (active/standby) into MARS, MARS complains about duplicated hostnames.
    How do I set up MARS to monitor ASAs with IPS in an active/standby topology?
    Thanks!

    Hi,
    The fundamental problem with this scenario is that you have non-failover capable modules in a failover chassis - think of the ASA failover pair as one device and the IPS modules as two completely separate devices.
    Then, as already mentioned, add only the primary ASA. (The secondary will never be passing traffic in standby mode so it's not actually needed in MARS) Then, with the first IPS module you can add it as a module of the ASA or as a standalone device (MARS doesn't care). With the second IPS module the only option is to add it as a separate device anyway.
    In a failover scenario the ASAs swap IPs but the IPSs don't, so whereas you'll only ever get messages from the active ASA, you'll get messages from both IPS IPs depending on which one happens to be in the active ASA at the time.
    Don't forget that you have to manually replicate all IPS configuration every time you make a change.
    HTH
    Andrew.

  • Configure ASA5515-X with IPS as standalone IPS.

    There are instances in our organization when our customers need to have a standalone IPS device due to environment restrictions.  In the past we used the 4240 sensors which are now, or soon to be, EOL.  The upgrade path is the ASA 5515-X with IPS services and I have heard that the device will be able to operate as a standalone IPS device.
    Does anyone know if this is indeed possible or does anyone have experience configuring the device this way?  It'd definitely be cheaper than going with the 4300 devices so I'd be interested in feedback on this.

    We've done this with ASA5500 models, so it's a safe bet you could do this with the ASA5500x devices as well.
    The difference between using an ASA and an appliance for an IPS sensor is there's all sorts of firewall technology that you'll need to disable (as much as possible at least, you can't turn it all off) and I believe the sensor will be blind to layer 2 attacks.
    - Bob

  • Configuration of CISCO 3502I with Windows 2003 Server SE

    Hi,
    I am currently trying to configure a CISCO Aironet AIR-CAP3502I-E-K9 with Win Server 2003 Standard Edition.
    First of all, is it even possible to configure the above device using DHCP so that it can be run as an access point, or can it only be used with a CISCO Controller?
    Does the server need to be a Win 2003 Ent?
    In my situation the Windows Server is the controller; we don't have a CISCO controller.
    I have created a Vendor class attribute on the DHCP pool of the Windows server using option 43.
    The IP address of the DHCP server is 10.203.125.48 but the users are sitting on the 10.203.122.xxx subnet. The AP is currently sitting on the same subnet as the DHCP server (125).
    I have created an Option Class called 'CISCO Ap' with an option code of 241 on the DHCP scope.
    Under Scope options I have then created an option 241 option name and under 'Available Options' ticked the option 43 and added the name of the DHCP server IP address.
    When I switch on the AP it is blinking green but I get the following error attached.
    Any Help would be appreciated
    Thanks
    Immy

    That error is "normal" because you are using a 3500 AP.  This particular model of AP requires a wireless LAN controller (WLC).
    You "cannot" load autonomous IOS into the 3500 for wireless service. 

  • How to Configuration Cisco 3725 with NEC ASPILA EX

    Dear all;
    Now I have a Cisco 3725 with a 1-Port Channelized E1/T1/ISDN-PRI, and I have connected it to an NEC ASPILA EX with PRI I/F (1PRIU-A1).
    The controller link state is up, but when clients dial in to the RAS they get no ring back or do not connect to the RAS.
    Can anyone help me?

    Hi;
    I configured the Cisco as you recommended, with "isdn protocol-emulate network" and "clock source should be internal". After the remote computer calls the RAS it gets a modem signal and then connects; next it disconnects. Can I change some parameter for this problem, or what am I doing wrong? I am posting the config, status, and debug messages for you. Help me.
    ===== show isdn status ===========
    #show isdn status
    Global ISDN Switchtype = primary-net5
    ISDN Serial2/0:15 interface
    ******* Network side configuration *******
    dsl 0, interface ISDN Switchtype = primary-net5
    Layer 1 Status:
    ACTIVE
    Layer 2 Status:
    TEI = 0, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
    Layer 3 Status:
    0 Active Layer 3 Call(s)
    Active dsl 0 CCBs = 0
    The Free Channel Mask: 0xFFFF7FFF
    Number of L2 Discards = 0, L2 Session ID = 0
    Total Allocated ISDN CCBs = 0
    =============== sh controllers e1 2/0 brief ========
    #sh controllers e1 2/0 brief
    E1 2/0 is up.
    Applique type is Channelized E1 - unbalanced
    No alarms detected.
    alarm-trigger is not set
    Framing is CRC4, Line Code is HDB3, Clock Source is Internal.
    Module type is Channelized E1/T1 PRI
    Version info Firmware: 0000001D, FPGA: 0
    Hardware revision is 0.0 , Software revision is 29
    Protocol revision is 1
    number of CLI resets is 0
    receive remote alarm : 0,
    transmit remote alarm : 0,
    receive AIS alarm : 0,
    transmit AIS alarm : 0,
    loss of frame : 1,
    loss of signal : 1,
    Loopback test : 0,
    transmit AIS in TS 16 : 0,
    receive LOMF alarm : 0,
    transmit LOMF alarm : 0,
    ========== Interface config.=============
    controller E1 2/0
    clock source internal
    line-termination 75-ohm
    pri-group timeslots 1-31
    interface Serial2/0:15
    no ip address
    ip nat inside
    encapsulation ppp
    ip policy route-map nachi-worm
    dialer rotary-group 1
    dialer-group 1
    isdn switch-type primary-net5
    isdn protocol-emulate network
    isdn incoming-voice modem
    no fair-queue
    no cdp enable
    =================Debug Message when call to RAS ===========================
    Mar 6 22:40:29 BANGKOK: ISDN Se2/0:15 Q931: RX <- SETUP pd = 8 callref = 0x000B
    Bearer Capability i = 0x8090A3
    Standard = CCITT
    Transer Capability = Speech
    Transfer Mode = Circuit
    Transfer Rate = 64 kbit/s
    Channel ID i = 0xA9838B
    Exclusive, Channel 11
    Calling Party Number i = 0x0081, N/A
    Plan:Unknown, Type:Unknown
    Called Party Number i = 0x81, '075205600'
    Plan:ISDN, Type:Unknown
    Low Layer Compat i = 0x8090A3
    High Layer Compat i = 0x9181
    Mar 6 22:40:29 BANGKOK: ISDN Se2/0:15 Q931: TX -> CALL_PROC pd = 8 callref = 0x800B
    Channel ID i = 0xA9838B
    Exclusive, Channel 11
    Mar 6 22:40:29 BANGKOK: ISDN Se2/0:15 Q931: TX -> ALERTING pd = 8 callref = 0x800B
    Mar 6 22:40:29 BANGKOK: ISDN Se2/0:15 Q931: TX -> CONNECT pd = 8 callref = 0x800B
    Mar 6 22:40:35 BANGKOK: %ISDN-6-CONNECT: Interface Serial2/0:10 is now connected to unknown unknown
    Mar 6 22:40:46 BANGKOK: %ISDN-6-DISCONNECT: Interface Serial2/0:10 disconnected from unknown , call lasted 17 seconds
    Mar 6 22:40:46 BANGKOK: ISDN Se2/0:15 Q931: TX -> DISCONNECT pd = 8 callref = 0x800B
    Cause i = 0x8290 - Normal call clearing
    Mar 6 22:40:47 BANGKOK: ISDN Se2/0:15 Q931: RX <- RELEASE pd = 8 callref = 0x000B
    Mar 6 22:40:47 BANGKOK: ISDN Se2/0:15 Q931: TX -> RELEASE_COMP pd = 8 callref = 0x800B
    ==============================================

  • ASA 5520 IPS configuration

    Dear boss
    I have an ASA 5520 with IPS in my data center. I am using it for routing and access lists. It is running and all my 80 branches are running on it.
    Now I want to enable IPS.
    How do I start?
    When I click on IPS in graphic mode it asks for an IP. What should it be?
    What is the procedure?
    Is there any risk in enabling it during business hours?
    Please tell me the details.
    Thanking You
    shahid

    Hi,
    To know more details for configuring IPS in ASA Firewall the below URL will help you
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html
    Regards,
    MK

  • Cisco SG300 Network Expansion (Configure 2 Switches)

    I’m currently in the process of expanding my network having bought a second Cisco SG300-20 which is now sitting in my lab, my current setup is described below
    Internet
    ^
    |
    Draytek Router 192.168.1.1
    ^
    |
    Cisco SG300-20 192.168.1.2
    ^
    |
    VLAN 12 Workstations interface 10.0.12.1 
    VLAN 13 Management interface 10.0.13.1
    VLAN 14 Public interface 10.0.14.1
    VLAN 15 Private interface 10.0.15.1
    VLAN 20 Storage interface 10.0.20.1
    I then have a number of servers with multiple nics that run on the various VLANS attached to certain ports in the Cisco Switch
    VLAN 12 and 14 have been given access to the internet with routes added to Draytek to 10.0.12.1 / 10.0.14.1
    Now what I want to do is to expand the network by running a link from my first switch to the new switch. I've read a number of notes on this forum but am confused as to what I need to do.
    I want the new switch to have access to all the VLANs configured on the first switch and will set the ports' access to the various VLANs for each server that is being connected.
    I have read that it's best to have any additional switches on the network configured as Layer 2 and leave just one switch to do the routing (is that correct?). So I have left the new switch as Layer 2 and given it an IP of 192.168.1.3.
    So the first question is how do I configure the uplink port from switch 1 (Port Gi2) to switch 2 (Port Gi1)?
    Should I run multiple cables and create a LAG between the two switches, allowing for additional bandwidth? (I stream a lot of HD movies across the network to the workstations.)
    I have attached my running config from switch 1 below.
    Any help would be appreciated, unfortunately networks are not my strong point.
    prcswitch01#show running-config
    config-file-header
    prcswitch01
    v1.3.5.58 / R750_NIK_1_35_647_358
    CLI v1.0
    set system mode router 
    file SSD indicator encrypted
    ssd-control-start
    ssd config
    ssd file passphrase control unrestricted
    no ssd file integrity control
    ssd-control-end XXXXXX
    vlan database
    vlan 12-15,20
    exit
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    ip dhcp server
    ip dhcp pool network Workstations
    address low 10.0.12.20 high 10.0.12.100 255.255.255.0
    lease infinite
    default-router 10.0.12.1
    dns-server 10.0.15.200 8.8.8.8
    exit
    bonjour interface range vlan 1
    hostname prcswitch01
    username cisco password encrypted XXXXXXX privilege 15
    ip ssh server
    interface vlan 1
     ip address 192.168.1.2 255.255.255.0
     no ip address dhcp
    interface vlan 12
     name Workstations
     ip address 10.0.12.1 255.255.255.0
    interface vlan 13
     name Management
     ip address 10.0.13.1 255.255.255.0
    interface vlan 14
     name Public
     ip address 10.0.14.1 255.255.255.0
    interface vlan 15
     name Private
     ip address 10.0.15.1 255.255.255.0
    interface vlan 20
     name Storage
     ip address 10.0.20.1 255.255.255.0
    interface gigabitethernet3
     switchport mode access
     switchport access vlan 12
    interface gigabitethernet4
     switchport mode access                               
     switchport access vlan 12
    interface gigabitethernet5
     switchport mode access
     switchport access vlan 20
    interface gigabitethernet6
     switchport mode access
     switchport access vlan 20
    interface gigabitethernet7
     switchport trunk allowed vlan add 13-15
    interface gigabitethernet8
     switchport trunk allowed vlan add 13,20
     switchport trunk native vlan 12
    interface gigabitethernet9
     switchport trunk allowed vlan add 13-15
    interface gigabitethernet10
     switchport trunk allowed vlan add 13,20              
     switchport trunk native vlan 12
    interface gigabitethernet11
     switchport trunk allowed vlan add 13-15
    interface gigabitethernet12
     switchport trunk allowed vlan add 13,20
     switchport trunk native vlan 12
    interface gigabitethernet13
     switchport mode access
     switchport access vlan 12
    interface gigabitethernet14
     switchport mode access
     switchport access vlan 12
    interface gigabitethernet15
     switchport mode access
     switchport access vlan 12
    interface gigabitethernet16                           
     switchport mode access
     switchport access vlan 12
    interface gigabitethernet17
     switchport mode access
     switchport access vlan 12
    interface gigabitethernet18
     switchport mode access
     switchport access vlan 12
    interface gigabitethernet19
     switchport mode access
     switchport access vlan 12
    interface gigabitethernet20
     switchport mode access
     switchport access vlan 12
    exit
    ip default-gateway 192.168.1.1
    prcswitch01#   

    Hi Aleksandra,
    I'm still having issues with my setup. The servers I have connected have VLAN tagging enabled.
    Previously I had my esxi server connected via two nics with ports configured on my Layer 3 switch prcswitch01 as follows
    Port 1 Trunk VLAN 13-15
    Port 2  Trunk VLAN 13,20
    My NAS was configured on a single port on VLAN20
    The ESXI server can only have a single gateway which is used by both interfaces
    ~ # esxcli network ip route ipv4 list
    Network    Netmask        Gateway    Interface  Source
    default    0.0.0.0        10.0.13.1  vmk0       MANUAL
    10.0.13.0  255.255.255.0  0.0.0.0    vmk0       MANUAL
    10.0.20.0  255.255.255.0  0.0.0.0    vmk1       MANUAL
    Traffic was being passed from VLAN13 to VLAN20 to allow connectivity to the NAS on the ESXi server
    This no longer seems to be happening on my Layer 2 switch.
    I have configured the ports the same as previously setup on the Layer 3 switch.
    When I have the esxi server connected I can reach the server on 10.0.13.11 but the server cannot ping the NAS on 10.0.20.196
    Hope that makes sense; I'm confused about setting this new switch up. Should I configure it as Layer 3 and set up interfaces for the various VLANs? I was under the impression this would be done by my first switch.
    Thanks
    Paul

  • CME B-ACD on Cisco 2911 with IOS 15.2(4)M5 not working

    Hi Folks,
    I am currently setting up CME version 9.1 with B-ACD (app-b-acd-aa-3.0.0.2.tcl & app-b-acd-3.0.0.2.tcl), running on
    Cisco 2911 with IOS ver 15.2(4)M5, this is for lab purposes.
    Below is my CME & B-ACD configuration :
    voice service voip
    ip address trusted list
      ipv4 0.0.0.0 0.0.0.0
    allow-connections h323 to h323
    allow-connections h323 to sip
    allow-connections sip to h323
    allow-connections sip to sip
    fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
    h323
      h225 listen-port 1820
      no call service stop
    sip
      bind control source-interface Vlan400
      bind media source-interface Vlan400
      registrar server expires max 600 min 60
    voice register global
    mode cme
    source-address 172.25.202.1 port 5060
    max-dn 2
    max-pool 2
    load 9971 sip9971.9-2-2SR1-9
    authenticate register
    timezone 28
    time-format 24
    date-format D/M/Y
    tftp-path flash:
    create profile sync 0004714411607756
    voice register dn  1
    number 3005
    name br2phn2
    voice register dn  2
    number 3006
    name br2phn4
    voice register template  1
    dialplan 1
    voice register dialplan 1
    type 7940-7960-others
    pattern 1 3...
    pattern 2 999
    voice register pool  1
    id mac 1C1D.86C4.0D6D
    type 9971
    number 1 dn 1
    template 1
    dtmf-relay rtp-nte
    username 3005 password cisco
    description 3214-3005
    codec g711ulaw
    voice register pool  2
    id mac 1C1D.86C4.A574
    type 9971
    number 1 dn 2
    template 1
    dtmf-relay rtp-nte
    username 3006 password cisco
    description 3214-3006
    codec g711ulaw
    voice hunt-group 1 parallel
    list 3002,3006
    pilot 3210
    application
    service aa flash:/app-b-acd-aa-3.0.0.2.tcl
      paramspace english index 1
      param number-of-hunt-grps 2
      param handoff-string aa
      paramspace english language en
      param max-time-vm-retry 2
      param aa-pilot 3500
      paramspace english location flash://
      param second-greeting-time 60
      param welcome-prompt _bacd_welcome.au
      param call-retry-timer 15
      param voice-mail 3001
      param max-time-call-retry 90
      param service-name queue
    service aa-drop flash:/app-b-acd-aa-3.0.0.2.tcl
      paramspace english index 1
      param service-name queue
      param drop-through-option 2
      param second-greeting-time 60
      paramspace english language en
      param max-time-vm-retry 2
      param max-time-call-retry 90
      param voice-mail 3001
      paramspace english location flash://
      param aa-pilot 3501
      param number-of-hunt-grps 1
      param handoff-string aa-drop
      param call-retry-timer 15
    service queue flash:/app-b-acd-3.0.0.2.tcl
      param queue-len 15
      param aa-hunt10 3006
      param queue-manager-debugs 1
      param number-of-hunt-grps 2
      param aa-hunt2 3210
    interface Loopback0
    ip address 172.25.110.3 255.255.255.255
    ip ospf network point-to-point
    h323-gateway voip interface
    h323-gateway voip id Spain ipaddr 172.25.110.1 1719
    h323-gateway voip h323-id BR2-RTR
    h323-gateway voip tech-prefix 1#
    h323-gateway voip bind srcaddr 172.25.110.3
    interface Vlan400
    ip address 172.25.202.1 255.255.255.0
    ip pim dense-mode
    dial-peer voice 3500 voip
    service aa
    destination-pattern 3500
    session target ipv4:172.25.110.3
    incoming called-number 3500
    dtmf-relay h245-alphanumeric
    codec g711ulaw
    no vad
    dial-peer voice 3501 voip
    service aa-drop
    destination-pattern 3501
    session target ipv4:172.25.110.3
    incoming called-number 3501
    dtmf-relay h245-alphanumeric
    codec g711ulaw
    no vad
    telephony-service
    no auto-reg-ephone
    max-ephones 2
    max-dn 2 no-reg both
    ip source-address 172.25.110.3 port 2000
    cnf-file location flash:
    load 7965 term65.default.loads
    time-zone 28
    time-format 24
    date-format dd-mm-yy
    max-conferences 8 gain -6
    moh "music-on-hold.au"
    web admin system name admin password cisco
    dn-webedit
    transfer-system full-consult
    create cnf-files version-stamp 7960 Feb 14 2014 05:54:44
    ephone-template  1
    softkeys connected  Endcall Hold Park Trnsfer Acct Flash
    ephone-dn  1  octo-line
    number 3001 no-reg both
    description 3214-3001
    name br2phn1
    ephone-dn  2  octo-line
    number 3002 no-reg both
    description 3214-3002
    name br2phn3
    ephone  1
    device-security-mode none
    mac-address 189C.5DB6.D303
    ephone-template 1
    max-calls-per-button 5
    busy-trigger-per-button 3
    type 7965
    button  1:1
    ephone  2
    device-security-mode none
    description 3214-3002
    mac-address 984B.E194.FDDD
    ephone-template 1
    max-calls-per-button 5
    busy-trigger-per-button 3
    type 7960
    button  1:2
    Problem :
    1. When I test call from CME Phone both SIP and SCCP Phone by dial 3500 or 3501, I get the busy tone.
    2. Debug voip dial-peer, match with dial-peer voice 3500 for (aa service) & 3501 for (aa-drop service).
    3. Debug voice application script, show nothing.
    Is there something wrong with my configuration ?
    Rgds
    Novri

    Hi Novriadi,
    In your configuration
    service aa flash:/app-b-acd-aa-3.0.0.2.tcl
    service queue flash:/app-b-acd-3.0.0.2.tcl
    paramspace english location flash://
    Remove "/" and "//" from the configuration
    Then use the call application voice load command in privileged EXEC mode to reload the scripts.
    Router# call application voice load aa
    Router# call application voice load queue
    Router# call application voice load aa-drop
    You can refer to following document as well for more info
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/bacd/configuration/guide/cme40tcl/40bacd.html#wp1018270
    Please find the sample configuration that is required to configure b-acd in CME for reference.
    telephony-service
    moh music-on-hold.au
    multicast moh 239.1.1.1 port 2000
    application
    service queue flash:app-b-acd-2.1.0.0.tcl
      param number-of-hunt-grps 2
      param aa-hunt2 1111
      param aa-hunt3 1222
      param queue-len 15
      param queue-manager-debugs 1
    service aa flash:app-b-acd-aa-2.1.0.0.tcl
      paramspace english index 1
      paramspace english language en
      paramspace english location flash:
      param service-name queue
      param handoff-string aa
      param aa-pilot 8005550123
      param welcome-prompt _bacd_welcome.au
      param number-of-hunt-grps 2
      param dial-by-extension-option 1
      param second-greeting-time 60
      param call-retry-timer 15
      param max-time-call-retry 700
      param max-time-vm-retry 2
      param voice-mail 5003
    dial-peer voice 222 voip
    service aa
    destination-pattern 8005550123
    session target ipv4:192.168.1.1
    incoming called-number 8005550123
    dtmf-relay h245-alphanumeric
    codec g711ulaw
    no vad
    Thanks & Regards,
    Mudit Mathur

  • How to create wireless VLANs with different configuration

    How to create wireless VLANs with different configuration in a network?
    Devices used only:
    laptop = 30
    desktop = 40
    Linksys wireless router = 1
    switch 2960 = 1
    router 1841 = 1
    vlan 10 = lecturer (1 desktop & 1 laptop)
    vlan 20 = student (29 laptop & 39 desktop)

    In this case we don't have enough budget to get a WLC device... maybe use the autonomous AP... I use the Linksys wireless router as an AP that connects to the switch, and create VLAN 10 and VLAN 20 in the switch 2960; the switch connects to the router 1841, which will ensure the VLANs connect to each other.

  • Need help: is it a bug in IDSM-2 with IPS-K9-7.0-2-E3.pkg??

    Dear All,
    I have an IDSM with IPS-K9-7.0-2-E3.pkg installed.
    I use inline mode for this IDSM, and the IDSM is placed in front of the server farm,
    but I have a problem: one segment in my network can't access the server,
    but another segment can access that server.
    That server is an Oracle database application (real time),
    and this happens only for that server.
    When I filter the traffic with the IDSM, the result is that the transaction matches
    signature number 7000. Even though that signature doesn't have an action to deny the traffic,
    the traffic still cannot pass. Then I tried to disable it, but there was no impact on that segment,
    even though the other segment can access that server normally.
    Can anyone explain to me why this happens??
    I tried to downgrade to IPS-K9-7.0-2-E3.pkg with IME but always get an error.
    Can anyone help me, please?

    Hi Josh..
    This is my answer
    First off, you cannot downgrade the version without a re-image. You can only downgrade signatures. Second, you mention 7.0(2)E3 as the version you are on and the version you want to downgrade to. Can you verify what version you are running?
    I have not yet downgraded to 7.0(2) because I don't have permission from my boss yet. And now my IDSM still uses 7.0(2)E3.
    This is a capture from my IDSM:
    OTIDSM# sh ver
    Application Partition:
    Cisco Intrusion Prevention System, Version 7.0(2)E3
    Host:                                                        
        Realm Keys          key1.0                               
    Signature Definition:                                        
        Signature Update    S425.0                   2009-08-17  
        Virus Update        V1.4                     2007-03-02  
    OS Version:             2.4.30-IDS-smp-bigphys               
    Platform:               WS-SVC-IDSM-2                        
    Serial Number:          SAD132802TL                          
    Licensed, expires:      20-Oct-2010 UTC                      
    Sensor up-time is 2 days.
    Using 1415421952 out of 1983504384 bytes of available memory (71% usage)
    system is using 17.4M out of 38.5M bytes of available disk space (45% usage)
    application-data is using 38.6M out of 166.8M bytes of available disk space (24% usage)
    boot is using 41.5M out of 68.6M bytes of available disk space (64% usage)
    MainApp            B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running  
    AnalysisEngine     B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running  
    CollaborationApp   B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running  
    CLI                B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500            
    Upgrade History:
      IPS-K9-7.0-2-E3   07:43:07 UTC Thu Oct 15 2009  
    Maintenance Partition Version 2.1(3)
    Recovery Partition Version 1.1 - 7.0(2)E3
    Host Certificate Valid from: 27-Apr-2010 to 27-Apr-2012
    On the traffic not passing issue, if you put the sensor in bypass does that resolve the issue? That will eliminate any signature related actions from impacting the traffic. If you are still unable to access the servers then you should look for a routing or network layer issue.
    What do you mean by bypass? Is it to release the IDSM from the network? If so, I have done that, and the server can be accessed from the segment that previously couldn't access it. I have checked for network layer problems but everything is OK.
    And I want to clarify that the other segment can't access the server only for some application (real time application) on that server, but the server can be pinged and telnetted to from that segment (I think this clarifies the network issue problem).
    If that clears things up, the next step would be to create an Event Action Override to produce alert for all signatures. Then you can review IME for any signatures firing related to these servers. Please remove the Override once you are done testing as this can have a performance impact on the sensor over time and should only be used temporarily to troubleshoot a specific issue.
    Well, I will try your suggestion, but I will wait for permission to execute it. I hope this works for my IDSM-2.
    If you are still having trouble, it may help to get some info about the config of the sensor and the switch. Specifically, how the VLAN or Interface Pairs are set up, etc.
    OK, I will…
    Btw, thanks for your help boss
    GBU …

  • License Cisco ESA in Cluster Configuration

    Guys,
    Do you have any idea about licensing Cisco ESA in a cluster configuration?
    If I have two appliances in a cluster configuration and I have 1000 users, which license option must I buy?
    1. Just one license for the two appliances (in cluster configuration) with 1000-user capacity
    2. Two licenses with 500-user capacity each: appliance 1 with a 500-user license, appliance 2 with a 500-user license
    3. Other license.
    BR

    You only need to buy 1000 user licenses for whichever options or packages you buy. The only option that is not based on the number of users is if you want a Cisco Content Security Management Appliance or SMA for centralized reporting and quarantine.
    Another good thing to note is that if you have a virtual environment the hardware appliances are no longer required, and are not nearly as expensive as they were in the past. So depending on your requirements you may be off the ground pretty quick.
    Also make sure to get all your features bundled. I would at least get AMP, Sophos A/V, DLP, and Encryption. This also means you can transfer and copy your license to as many appliances (physical or virtual) as you need to support your environment.

  • Using Cisco WCS with Microsoft IAS

    Hi.
    I have two 5508s and WCS 7.0.172. I want to use Active Directory user credentials to log in to the WCS. I have configured the NPS role on a server with Windows 2008 R2.
    I have read this http://zmq503o1.wordpress.com/2008/01/06/using-cisco-wcs-with-microsoft-ias/ and done the same.
    I don't agree with "on the "Encryption" tab and clear all the checkboxes except "No encryption"". I want an encrypted connection, but this didn't work until I permitted "Reversible encryption" in the user's properties in AD. This is not what I want. Would I need to generate an SSL cert for the WCS as written here? http://www.cisco.com/en/US/docs/wireless/wcs/7.0MR1/configuration/guide/hard.html#wp1042471
    Or do something else? Thx

    Camera is only supported for use with CUVA. Any other application attempting to utilize the camera is not tested and is not supported.

  • SSM IPS Configuration

    I have a couple of questions regarding the ASA that deal with the SSM module.
    I have read the document "Configuring ASA-SSM" and am confused by the command logic. I realize that you need to specify a service-policy globally that defines the traffic being sent to the SSM module. My concern is that the configuration document lists as one of its steps to define an ACL for the IPS traffic and then apply it to an interface before configuring the class map, policy map, and service-policy. Why would this ACL need to be applied to an interface when it is being used for defining IPS traffic? Shouldn't the ASA send whatever traffic is defined globally in the service-policy to the SSM without attaching the ACL to an interface?
    Also, on the ASA factory default configuration there is a service-policy defined as:
    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect dns maximum-length 512
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    But, if I define a global service-policy for the SSM I would lose this default service-policy, as only one global service policy is allowed. Is the default service-policy providing the fixup protocol services as in the PIX that I am used to seeing? If so, do I lose this functionality by applying a global service-policy for IPS?
    Sorry for the length of the post and thanks for your help in advance.

    The configuration in the IPS User's Guide is just one method for settings up the ASA to send packets to the SSM.
    It is an extremely basic configuration on the ASA where all the ASA is doing is copying packets to the SSM and the ASA is not doing any of its firewall functionality.
    This configuration is only practical if the ASA was purchased and used only for housing the SSM and sending it traffic ( a rare deployment in the field ).
    If your ASA is already configured for firewall functionality then the only additional command(s) that need to be added to your config are:
    ips inline|promiscuous fail-open|fail-close
    Take your existing policy-map and for every class in that policy you will need to decide if the traffic should be monitored promiscuously, inline, or not monitored by the SSM.
    In your example, if you wanted to monitor all of the traffic inline on the SSM and want to continue passing traffic if the SSM fails, then simply add the line "ips inline fail-open" within the existing "class inspection_default".
    NOTE: If you change the policy you need to understand that the new policy will only affect new connections and not existing connections.
    The only reason you would have to create additional acls and class maps using the acls would be if you did not want all of the traffic monitored inline by the SSM.
    If you want different traffic monitored promiscuous and other inline (or not monitored), then you need to include additional classes in your policy-map so that a different ips configuration line can be added for each class.
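
    The two cases described in the answer above, written out as ASA configuration. This is an added example, not part of the original post or of Cisco's guide; the ACL and class names and the 192.0.2.10 server address are constructed for illustration.

```cisco
! Added example. Names (IPS_INLINE, IPS_PROMISC, *_CLASS) and 192.0.2.10
! are constructed. Options A and B are alternatives; apply only one.

! --- Option A: one IPS mode on the existing class --------------------------
! Inline, and keep forwarding if the SSM is down. fail-open trades
! inspection for availability: traffic passes uninspected during an outage.
policy-map global_policy
 class inspection_default
  ips inline fail-open

! --- Option B: different IPS modes per traffic class -----------------------
! Traffic to one server is inspected inline and dropped if the SSM is down;
! everything else is copied to the SSM promiscuously.
! These ACLs are referenced only by the class maps below. They are not
! applied to any interface with access-group.
access-list IPS_INLINE extended permit tcp any host 192.0.2.10 eq 443
access-list IPS_PROMISC extended permit ip any any
!
class-map IPS_INLINE_CLASS
 match access-list IPS_INLINE
class-map IPS_PROMISC_CLASS
 match access-list IPS_PROMISC
!
! The inspect lines already under class inspection_default stay as they are.
! For a given feature a packet is handled by the first class it matches,
! so the specific class is entered before the catch-all.
policy-map global_policy
 class IPS_INLINE_CLASS
  ips inline fail-close
 class IPS_PROMISC_CLASS
  ips promiscuous fail-open
!
! Already present in the factory default; shown for completeness.
service-policy global_policy global

! Check: "show service-policy" lists the IPS mode and packet counters for
! each class. As the answer notes, only new connections pick up the change.
```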
