IPS 4240 Blocking Questions with Pix 515E

I have enabled Blocking on the 4240 and have set the Blocking Device as our Pix 515E. When I look at the Signature Configurations quite a few Signature Actions are set to Produce Alert only. If blocking is enabled do you have to also go and set the Signature Actions to Deny or TCP Reset? So far my IPS dosen't show any Denied Attackers and it has detected High level Traffic which I would assume should now be blocked. Thanks John

Yes, you have to go under the signatures you want and enable blocking for them as an action. Configuring blocking globally (defining the blocking device, the interface,, the login details for the device, etc), doesn't actually enable any blocking on the sensor per se, you still have to go and enable blocking for that particular signature. when that particular sig fires in future, the sensor will block it on the device you have configured.
Be very careful with blocking, the reason we don't simply block all signatures is that it would be very dangerous to blindly add access-lists to a device that will stop traffic. You first need to make sure you're not getting any false-positives on the signatures and end up blocking valid traffic. Also, on a busy sensor you could easily overrun both the sensor and the blocking device with writing and removing 1000's of access-lists onto it. And finally, although not likely, blocking can even be used as a denial of service attack, where an attacker, if they know what signatures you are blocking on, can spoof packets past your sensor so that it will deny traffic to legitimate hosts.
You need to look at what signatures you really want to block on, then enable blocking on them individually.

Similar Messages

Blocking protocols with pix version 7.2.1

somebody knows like blocking protocols like skype with pix version 7.2.1.
i know msn messenger or yahoo messenger can be blocked.
but I need to blocked things like skype.
thanks.

Try this link
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/firewall/inspect.htm#wp1480861

IPS 4240 Design Question

I have two IPS 4240s that may be placed between our internal network and our extranet firewall. The firewall set is your standard ASA-5520 active/failover pair connected to two switches.
Q1 - If I am not worried about atomic attacks, is there any other benefit to having the IPS inline over promiscuous?
Q2 - Whether inline or promiscuous, is it necessary to connect the single IPS to both switches in order to receive packets when an ASA failover occurs? If so, is it done physically or via RSPAN?
Q3 - If the IPS fails and it is configured inline, do the interfaces fail open (traffic continues to pass) or closed (traffic is dropped)? I could not find that on Cisco's site.
Thanks!

A1 - There are a few things that in-line mode can clean up by deafult, but that can also bite you. Check out some of the other forum posts on having ssh dropped without alerts. Since you have reduntant 4240s the realibility of the IPS sensors in-line shouldn't affect you as much. Just don't update them at the same time.
A2 - Only the signatures that need state will be effected by a failover. Hopefully failovers do not happen frequently enough for missing a few potential hits to be an issue. If you are really performing good analysis and tuning out your false positives, then you might want to connect both sensors to both switches.
A3 - You can configure the 4240s to fail-open (pass the traffic thru the sensor when it fails) or fail-closed (do not pass traffic during sensor failure). Since you have dual firewalls, switches and sensors, you can fail closed and force the traffic thru the running sensor and firewall. If one sensor is standby, you may want to make him fail open, so that you can still pass traffic in the event both sensors are down.

IPS 4240 Newbie Question

Just got a 4240. I have it up and running, the question I have is about physical placement in the network. I would like to monitor outside the firewall, and set up an inline-pair to block traffic that passes through the firewall. My dumb question is this. Do the ports for the inline-pair plug into the same switch? If so, do I set both of those up as spannning ports? Would I include anything else in the span? firewall port that feeds the lan? Any help would be greatly appreciated.
Doug

This document provides a hardware/software compatibility matrix for the Cisco Intrusion Prevention System (IPS) Appliances (4210, 4215, 4220, 4230, 4235, 4240, 4250, 4255), Adaptive Security Appliance Security Services Module (SSM), Router Module and Catalyst 6000 Intrusion Detection System Modules (IDSM-1, IDSM-2). This document also provides an overview of the Management options. A brief overview of each application is provided, as well as a version compatibility matrix. Versions listed in each compatibility matrix are the only supported versions.
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_tech_note09186a008053183f.shtml

IPS 4240 configuration question

I have a 4240 that is physically sitting in between my edge router and my ASA - One interface is connected to router and the other is connected to ASA. I have confiured Inline Interface pair. My question is to manage 4240, what option do I have? I know using management interface is one option. However, due to security concern, they don't want to use management interface. I was wondering if there is any other way I can manage.
Thanks.

The only way to communicate to your 4240 is via the management interface (ethernet) or via the console port (serial). The management interface allows you a lot more flexibility, ssh, IDM (the GUI interface), event feeds to a SIM platform (via SDEE protocol), and most importantly; software and signature updates.
Why would you want to place your IPS sensors OUTSIDE your firewall?

WRVS4400NV2 IPS now blocking Cisco IPS Auto Update Server

Yesterday I noted that my ASA5505 AIP-SSC5 card was failing to auto update as it had been doing without issue for months. I looked in the logs and the IPS was showing an HTTP Error when attempting to update. I checked and nothing had changed in the IPS configuration. Then, on a hunch, I checked the IPS log of the WRVS4400N which is the edge router for the small business network.
The WRVS4400N IPS was blocking connections with the cisco auto update server because it detected an RPC Anomaly in the traffic. So apparently, something has changed in the cisco IPS auto update server (https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl) response that the cisco small business router misidentifies as a threat. . .
FYI-I also posted this issue to the small business router community discussion forum.

Yesterday I noted that my ASA5505 AIP-SSC5 card was failing to auto update as it had been doing without issue for months. I looked in the logs and the IPS was showing an HTTP Error when attempting to update. I checked and nothing had changed in the IPS configuration. Then, on a hunch, I checked the IPS log of the WRVS4400N which is the edge router for the small business network.
The WRVS4400N IPS was blocking connections with the cisco auto update server because it detected an RPC Anomaly in the traffic. So apparently, something has changed in the cisco IPS auto update server (https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl) response that the cisco small business router misidentifies as a threat. . .
FYI-I also posted this issue to the small business router community discussion forum.

TCP RESET - CISCO IPS 4240 in IDS Mode - Block Teamviewer

I would like to block teamviewer in my network. we are using CISCO IPS 4240 in IDS Mode. I found that there are signatures for teamviewer in latest Signatures.
We have only configured promiscuous interface, I read that we can issue TCP resets thru promiscuous interface as well (recommended is dedicated tcp reset interface).
However in my case, I found that Signatures for teamviewer is not getting fired even after getting successful teamviewer connections.
I am a beginner is IPS, Any inputs will be valuable for me.

We're talking about sigs 15002-0, -1, -2 here. They are by default shipped disabled and retired, so you'll want to enable and activate them.
For these, the signature settings are not hidden and what they look for is pretty clearly documented in the sig description.
-0 looks for some specific DNS requests on TeamViewer's startup. TCP resets will have no effect on this.
-1 looks for specific traffic to tcp port 5938 which would indicate Teamviewer's direct-connection method
-2 looks for traffic indicating use over http when teamviewer is configured to use a proxy
TCP resets are a best effort response, they aren't going to be a 100% effective stop

Bitcoin generator and Cisco IPS 4240

I have a problem with Bitcoin generator installed somewhere in local network.
I have IPS 4240 what connected as IPS (All traffic to internet passes through IPS.
The software on IPS is very old.. and I can not upgade it.
Version 6.0(6)E4
Can I configure IPS tj detect and prevent bitcoin?

Please any one can answer these questions...Your help is appreciable...Thse are blocking me...
We have purchased Cisco IPS 4240 sensor, installed the license and that device is communicating with other computers in the network. The version installed is IPS 6.1(1)E1. Please can you answer me below questions.
1) Please can you provide me the Document or link, that lists all the possible events that can be generated by Cisco IPS 4240 sensor.
2)Where this IPS 4240 sensor will store all the generated events, Pls can u provide me the File names,location of that files and can you tell me how to acces that files?
3) How many types of events will be generated by this IPS 4240 sensor.
4) How to send all types of events to Syslog server (Windows Kiwi syslog OR Linux syslog) present on another system in the network through CLI,IDM and IME.
5) Can you provide me some Examples to generate different events.
6) What is the difference between CLI, IDM and IME?
7) How we can know that configured IPS system is in Inline mode?

IDS-4210 picks up what IPS-4240 misses, strange duplex/interface problems

I just installed a IPS-4240 inline on our primary internet inbound connection. I decided to leave the 4210 in place for a week or two while I tuned the signatures. It is receiving a span of the same traffic that the 4240 is receiving.
I noticed today that the 4210 is picking up sig 3250 and the 4240 is no. The first thing I checked to make sure that the 4240 has this signature enabled, and it is. Anyone have any thoughts? BTW, All sensors are on the same version 5.1.1 and running s211 and managed through VMS.
I would also like to mention that I had issues on the 4240 and its interfaces. Management only runs at half duplex and the interfaces that connect to our PIX. I ended up having to put a switch between the 4240 and the Pix 515e to solve the duplex issues.
Anyone have any thoughts on this part

I had the same duplex problem with my 4240 sensor connecting to my PIX. The only way I could get it to work without errors is to set both the sensor and the PIX interfaces to auto/auto. I worked with Cisco on this problem. No resolution, just the workaround. As far as sig 3250, IPS and IDS signatures may be a little different. I assume you span from the inside and run your in-line outside your firewall? If this is the case, then the 4240 sensor may see different traffic than the 4210.

Webserver on DMZ cannot send email via php script using SMTP (cisco firewall pix 515e)

Hello,
I have two web servers that are sitting in a DMZ behind a Cisco Firewall PIX 515e. The webservers appear to be configured correctly as our website and FTP website are up. On two of our main website, we have two contact forms that use a simple html for to call a php script that uses smtp as its mailing protocol. Since, I am not the network administrator, I don't quite understand how to read the current configurations on the firewall, but I suspect that port 25 is blocked, which prevents the script from actually working or sending out emails. What I've done to narrow the problem done is the following: I used a wamp server to test our scripts with our smtp servers settings, was able to successfully send an email out to both my gmail and work place accounts. Currently, we have backupexec loaded on both of these servers, and when I try to send out an alert I never receive it. I think because port 25 is closed on both of those servers. I will be posting our configuration. if anyone can take a look and perhaps explain to me how I can change our webservers to communicate and successfully deliver mail via that script, I would gladly appreciate it. our IP range is 172.x.x.x, but it looks like our webservers are using 192.x.x.x with NAT in place. Please someone help.
Thanks,
Jeff Mateo
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password GFO9OSBnaXE.n8af encrypted
passwd GFO9OSBnaXE.n8af encrypted
hostname morrow-pix-ct
domain-name morrowco.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 12.42.47.27 LI-PIX
name 172.20.0.0 CT-NET
name 172.23.0.0 LI-NET
name 172.22.0.0 TX-NET
name 172.25.0.0 NY-NET
name 192.168.10.0 CT-DMZ-NET
name 1.1.1.1 DHEC_339849.ATI__LEC_HCS722567SN
name 1.1.1.2 DHEC_339946.ATI__LEC_HCS722632SN
name 199.191.128.105 web-dns-1
name 12.127.16.69 web-dns-2
name 12.3.125.178 NY-PIX
name 64.208.123.130 TX-PIX
name 24.38.31.80 CT-PIX
object-group network morrow-net
network-object 12.42.47.24 255.255.255.248
network-object NY-PIX 255.255.255.255
network-object 64.208.123.128 255.255.255.224
network-object 24.38.31.64 255.255.255.224
network-object 24.38.35.192 255.255.255.248
object-group service morrow-mgmt tcp
port-object eq 3389
port-object eq telnet
port-object eq ssh
object-group network web-dns
network-object web-dns-1 255.255.255.255
network-object web-dns-2 255.255.255.255
access-list out1 permit icmp any any echo-reply
access-list out1 permit icmp object-group morrow-net any
access-list out1 permit tcp any host 12.193.192.132 eq ssh
access-list out1 permit tcp any host CT-PIX eq ssh
access-list out1 permit tcp any host 24.38.31.72 eq smtp
access-list out1 permit tcp any host 24.38.31.72 eq https
access-list out1 permit tcp any host 24.38.31.72 eq www
access-list out1 permit tcp any host 24.38.31.70 eq www
access-list out1 permit tcp any host 24.38.31.93 eq www
access-list out1 permit tcp any host 24.38.31.93 eq https
access-list out1 permit tcp any host 24.38.31.93 eq smtp
access-list out1 permit tcp any host 24.38.31.93 eq ftp
access-list out1 permit tcp any host 24.38.31.93 eq domain
access-list out1 permit tcp any host 24.38.31.94 eq www
access-list out1 permit tcp any host 24.38.31.94 eq https
access-list out1 permit tcp any host 24.38.31.71 eq www
access-list out1 permit tcp any host 24.38.31.71 eq 8080
access-list out1 permit tcp any host 24.38.31.71 eq 8081
access-list out1 permit tcp any host 24.38.31.71 eq 8090
access-list out1 permit tcp any host 24.38.31.69 eq ssh
access-list out1 permit tcp any host 24.38.31.94 eq ftp
access-list out1 permit tcp any host 24.38.31.92 eq 8080
access-list out1 permit tcp any host 24.38.31.92 eq www
access-list out1 permit tcp any host 24.38.31.92 eq 8081
access-list out1 permit tcp any host 24.38.31.92 eq 8090
access-list out1 permit tcp any host 24.38.31.93 eq 3389
access-list out1 permit tcp any host 24.38.31.92 eq https
access-list out1 permit tcp any host 24.38.31.70 eq https
access-list out1 permit tcp any host 24.38.31.74 eq www
access-list out1 permit tcp any host 24.38.31.74 eq https
access-list out1 permit tcp any host 24.38.31.74 eq smtp
access-list out1 permit tcp any host 24.38.31.75 eq https
access-list out1 permit tcp any host 24.38.31.75 eq www
access-list out1 permit tcp any host 24.38.31.75 eq smtp
access-list out1 permit tcp any host 24.38.31.70 eq smtp
access-list out1 permit tcp any host 24.38.31.94 eq smtp
access-list dmz1 permit icmp any any echo-reply
access-list dmz1 deny ip any 10.0.0.0 255.0.0.0
access-list dmz1 deny ip any 172.16.0.0 255.240.0.0
access-list dmz1 deny ip any 192.168.0.0 255.255.0.0
access-list dmz1 permit ip any any
access-list dmz1 deny ip any any
access-list nat0 permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255.0
access-list nat0 permit ip host 172.20.8.2 host 172.23.0.2
access-list nat0 permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
access-list nat0 permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
access-list nat0 permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
access-list vpn-split-tun permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255
.0
access-list vpn-split-tun permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.2
55.255.0
access-list vpn-dyn-match permit ip any 192.168.220.0 255.255.255.0
access-list vpn-ct-li-gre permit gre host 172.20.8.2 host 172.23.0.2
access-list vpn-ct-ny permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
access-list vpn-ct-ny permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
access-list vpn-ct-tx permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
access-list vpn-ct-tx permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
access-list static-dmz-to-ct-2 permit ip host 192.168.10.141 CT-NET 255.255.248.
0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.255.25
5.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
access-list static-dmz-to-ct-1 permit ip host 192.168.10.140 CT-NET 255.255.248.
0
access-list static-dmz-to-li-1 permit ip CT-DMZ-NET 255.255.255.0 CT-NET 255.255
.248.0
access-list vpn-ct-li permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
access-list vpn-ct-li permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
access-list vpn-ct-li permit ip host 10.10.2.2 host 10.10.1.1
access-list in1 permit tcp host 172.20.1.21 any eq smtp
access-list in1 permit tcp host 172.20.1.20 any eq smtp
access-list in1 deny tcp any any eq smtp
access-list in1 permit ip any any
access-list in1 permit tcp any any eq smtp
access-list cap4 permit ip host 172.20.1.82 host 192.168.220.201
access-list cap2 permit ip host 172.20.1.82 192.168.220.0 255.255.255.0
access-list in2 deny ip host 172.20.1.82 any
access-list in2 deny ip host 172.20.1.83 any
access-list in2 permit ip any any
pager lines 43
logging on
logging timestamp
logging buffered notifications
logging trap notifications
logging device-id hostname
logging host inside 172.20.1.22
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside CT-PIX 255.255.255.224
ip address inside 172.20.8.1 255.255.255.0
ip address DMZ 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ctpool 192.168.220.100-192.168.220.200
ip local pool ct-thomson-pool-201 192.168.220.201 mask 255.255.255.255
pdm history enable
arp timeout 14400
global (outside) 1 24.38.31.81
nat (inside) 0 access-list nat0
nat (inside) 1 CT-NET 255.255.0.0 2000 10
nat (DMZ) 0 access-list nat0-dmz
static (inside,DMZ) CT-NET CT-NET netmask 255.255.0.0 0 0
static (inside,outside) 24.38.31.69 172.20.8.2 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.94 192.168.10.141 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.71 172.20.1.11 dns netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.93 192.168.10.140 netmask 255.255.255.255 0 0
static (DMZ,inside) 24.38.31.93 access-list static-dmz-to-ct-1 0 0
static (DMZ,inside) 24.38.31.94 access-list static-dmz-to-ct-2 0 0
static (inside,outside) 24.38.31.92 172.20.1.56 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.91 192.168.10.138 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.90 192.168.10.139 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.72 172.20.1.20 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.73 172.20.1.21 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.70 172.20.1.91 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.88 192.168.10.136 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.89 192.168.10.137 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.74 172.20.1.18 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.75 172.20.1.92 netmask 255.255.255.255 0 0
access-group out1 in interface outside
access-group dmz1 in interface DMZ
route outside 0.0.0.0 0.0.0.0 24.38.31.65 1
route inside 10.10.2.2 255.255.255.255 172.20.8.2 1
route inside CT-NET 255.255.248.0 172.20.8.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server ct-rad protocol radius
aaa-server ct-rad max-failed-attempts 2
aaa-server ct-rad deadtime 10
aaa-server ct-rad (inside) host 172.20.1.22 morrow123 timeout 7
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 173.220.252.56 255.255.255.248 outside
http 65.51.181.80 255.255.255.248 outside
http 208.65.108.176 255.255.255.240 outside
http CT-NET 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community m0rroW(0
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto dynamic-map dyn_map 20 match address vpn-dyn-match
crypto dynamic-map dyn_map 20 set transform-set 3des-sha
crypto map ct-crypto 10 ipsec-isakmp
crypto map ct-crypto 10 match address vpn-ct-li-gre
crypto map ct-crypto 10 set peer LI-PIX
crypto map ct-crypto 10 set transform-set 3des-sha
crypto map ct-crypto 15 ipsec-isakmp
crypto map ct-crypto 15 match address vpn-ct-li
crypto map ct-crypto 15 set peer LI-PIX
crypto map ct-crypto 15 set transform-set 3des-sha
crypto map ct-crypto 20 ipsec-isakmp
crypto map ct-crypto 20 match address vpn-ct-ny
crypto map ct-crypto 20 set peer NY-PIX
crypto map ct-crypto 20 set transform-set 3des-sha
crypto map ct-crypto 30 ipsec-isakmp
crypto map ct-crypto 30 match address vpn-ct-tx
crypto map ct-crypto 30 set peer TX-PIX
crypto map ct-crypto 30 set transform-set 3des-sha
crypto map ct-crypto 65535 ipsec-isakmp dynamic dyn_map
crypto map ct-crypto client authentication ct-rad
crypto map ct-crypto interface outside
isakmp enable outside
isakmp key ******** address LI-PIX netmask 255.255.255.255 no-xauth no-config-mo
de
isakmp key ******** address 216.138.83.138 netmask 255.255.255.255 no-xauth no-c
onfig-mode
isakmp key ******** address NY-PIX netmask 255.255.255.255 no-xauth no-config-mo
de
isakmp key ******** address TX-PIX netmask 255.255.255.255 no-xauth no-config-mo
de
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
vpngroup remotectusers address-pool ctpool
vpngroup remotectusers dns-server 172.20.1.5
vpngroup remotectusers wins-server 172.20.1.5
vpngroup remotectusers default-domain morrowny.com

Amit,
I applaud your creativity in seeking to solve your problem, however, this sounds like a real mess in the making. There are two things I don't like about your approach. One, cron -> calling Java -> calling PHP -> accessing database, it's just too many layers, in my opinion, where things can go wrong. Two it seems to me that you are exposing data one your website (with the PHP) that you may not want expose and this is an important consideration when you are dealing with emails and privacy and so on.
I think the path of least resistance would be to get a new user account added to the MySQL database that you can access remotely with your Java program. This account can be locked down for read only access and be locked down to the specific IP or IP range that your Java program will be connecting from.
Again I applaud your creativity but truly this seems like a hack because of the complexity and security concerns you are introducing and I think is a path to the land of trouble. Hopefully you will be able to get a remote account set up.

New to IPS 4240 - What else can I use to manage it?

I have just purchased a Cisco IPS 4240 and have it up and running. Have been using the IEV to view IPS information and that works ok. The VMS 2.2 that came included with the IPS will not work with the current Cisco works (LMS 2.5) installation that we have.
My question is, is there any other tool besides the IEV and the VMS 2.2 that I can use to mange/monitor my IPS? the IEV seems so limited.
I have downloaded the newer VMS from the Cisco site and am planning to test that this comming week, but wanted to know ahead of time if I needed to waste my time with this tool or not.
Thanks!

The latest CSMARS release is promising and honestly the netforensics solution offered by Cisco probably wouldn't be a good fit for the op, but I think Cisco needs to rething pushing the MARS in leui of everything else. As a previous customer of netforensics, and now a user of CSMARS...there are definitely many things that netforensics does better than CSMARS.
My biggest beef with CSMARS is the seemingly casual way in which it treats time and "raw messages". IMHO, these should be sacred to any SIM. I can elaborate, but for the sake of brevity I'll just give a couple examples:
The signature name reported in the "raw message" that MARS makes available is not always correct. Also, custom signature events report as "unknown" in the "raw message". Clearly this is not a "raw message" by any reasonable interpretation...MARS is writing bits that never existed in the original message.
the event contextual information is very often truncated. If you rely on this a great deal, the MARS probably isn't for you. There's also no interface for decoding it, requiring a cut-and-paste into your favorite decoder.
Believe me, I could go on. On the bright side, the MARS is showing promise...I was able to cross off my list quite a few issues after the latest upgrade.
Matt

IPS 4240 -email arlert configuration and Which mode

hi
My topology
1)
Internet-router(2ISP terminated in Single Router-two different Firewall-(ASA5510 and PIX 515e)-->inside interface connected in IPS4240--->From IPS to L33750 Switch.
Is right place to put IPS4240 and tell me IPS in which mode(inline or Promiscous).
2) I am able to see log in IPS 4240, i want to configure IPS alert to my mail id , where i need to start the configuration.? pl advise
thanks
Karthik

Email alert configuration is not supported in IPS/IDS.
I think you can configure in promiscuous mode as Customers requiring promiscuous mode (non-inline) deployments are encouraged to migrate to the Cisco IPS 4240 Sensor, which supports up to 250 Mbps of IPS throughput.
The below URL helps to configure IPS 4240 in promiscuous mode:
http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliInter.html#wp1033699

IPS 4240 problem

Hi All,
we've installed IPS 4240 since 6 months ago and everything worked fine. Then I noticed time in IPS was not correct, then in the IDM, I've changed summer time to 60 minutes offset to get the right time from NTP. then reboot the IPS, since that time users inside the network are not able to connect to internet, and basically traffic from inside to outside is blocked. But traffic from outside to inside is fine and outside users are able to hit to the web server in DMZ zone.
any idea would be very appreciated.
thanks
Alex

Changing your time offset should not cause this type of problem. Check for any non-running processes with a "sh ver", reboot your sensor and check the system log for some signs of trouble or blocking with "sh events past 01:00".
Open a TAC case to get additional help.

Download Speed on PIX 515E is Pretty Slow

Hello, I have a PIX 515E set up between our office switch and our Comcast Business Router and the download speeds are not as fast as they should be. We are paying for 30 down 30 up but it's more like 10 down 30 up. I plugged in a computer directly into the router and got 30/30 so I know its not a comcast issue. I think it might be the low amount of memory on the PIX because its running at 109 out of a total 128mb. The PIX has a site-to-site VPN tunnel with a remote ASA 5520 firewall. The inside/outside ports are both auto/auto. The running config is only 161 lines.
Here's some information about the PIX 515E...
Version 8.0(4)
ASDM 6.1(3)
Memory 128MB
Here is the running config..
Result of the command: "show running-config"
: Saved
PIX Version 8.0(4)
hostname --------------------
domain-name -----------------
enable password -------------------------
passwd --------------- encrypted
names
name 1.1.1.1 Data-Center-Firewall    #### Outside Address Changed
name 10.0.0.0 Data-Center-Subnet
dns-guard
interface Ethernet0
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0 standby 10.10.1.254
interface Ethernet1
nameif outside
security-level 0
ip address 2.2.2.1 255.255.255.252   #### Outside Address Changed
interface Ethernet2
description LAN/STATE Failover Interface
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name -------------
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service http8080 tcp
description http8080
port-object eq 8080
object-group service DM_INLINE_TCP_1 tcp
port-object range 50000 50100
port-object eq 990
access-list outside_access_in remark ip, tcp/990
access-list outside_access_in extended permit tcp host 1.1.1.1 host 2.2.2.5 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit icmp any any
access-list ACL-VPN extended permit ip 10.10.1.0 255.255.255.0 Data-Center-Subnet 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface failover Ethernet2
failover lan enable
failover key *****
failover replication http
failover mac address Ethernet0 001e.f732.008f 000d.28f9.628f
failover mac address Ethernet1 001e.f732.0090 000d.28f9.6290
failover link failover Ethernet2
failover interface ip failover 10.10.10.10 255.255.255.252 standby 10.10.10.20
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image flash:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list ACL-VPN
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 2.2.2.5 10.10.1.102 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
route inside 10.10.0.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.0.0 255.255.255.0 inside
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map MAP-VPN 1 match address ACL-VPN
crypto map MAP-VPN 1 set pfs
crypto map MAP-VPN 1 set peer Data-Center-Firewall
crypto map MAP-VPN 1 set transform-set ESP-3DES-SHA
crypto map MAP-VPN 1 set security-association lifetime seconds 28800
crypto map MAP-VPN 1 set security-association lifetime kilobytes 4608000
crypto map MAP-VPN interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.10.1.0 255.255.255.0 inside
telnet 10.10.0.0 255.255.255.0 inside
telnet timeout 5
ssh 10.10.0.0 255.255.255.0 inside
ssh 10.10.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
class-map class_ftp
match port tcp eq ftp-data
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class class_ftp
inspect ftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:b795d4f5f5da3d8283d452ba857d5534
: end

Please check on the speed and duplex settings whether the downstream and upstream links are fine and healthy.
Inside/outside are both set to auto/auto at
Check for the processes usage of the cpu of the pix.
CPU is running at 2%
Process:      tmatch compile thread, PROC_PC_TOTAL: 2, MAXHOG: 8, LASTHOG: 8
LASTHOG At:   19:01:15 EST Dec 31 1992
PC:           26b616 (suspend)
Process:      tmatch compile thread, NUMHOG: 2, MAXHOG: 8, LASTHOG: 8
LASTHOG At:   19:01:15 EST Dec 31 1992
PC:           26b616 (suspend)
Traceback:    26b616 26bdb9 26ec89 1182b3
Process:      Dispatch Unit, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5
LASTHOG At:   09:25:12 EDT Jul 18 2012
PC:           130114b (interrupt)
Traceback:    100178 12edd0c 9771e5 8c0e66 927164 928996 8ec3f5
              8ec7ed 79d35e 2780c3 1182b3
Process:      Unicorn Admin Handler, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5
LASTHOG At:   12:27:25 EDT Jul 18 2012
PC:           130114b (interrupt)
Traceback:    100178 d870cb 13016b3 15cf68 e91a6f e9118b abfcea
              a7cb2e a7daeb 18d800 5ae9a9 5a6aa0 5a7272 5a75e5
Process:      Unicorn Admin Handler, PROC_PC_TOTAL: 4, MAXHOG: 7, LASTHOG: 7
LASTHOG At:   12:34:10 EDT Jul 18 2012
PC:           5ae903 (suspend)
Process:      Unicorn Admin Handler, NUMHOG: 4, MAXHOG: 7, LASTHOG: 7
LASTHOG At:   12:34:10 EDT Jul 18 2012
PC:           5ae903 (suspend)
Traceback:    5ae903 5a6aa0 5a7272 5a75e5 5ad3d5 1182b3
Process:      Unicorn Admin Handler, PROC_PC_TOTAL: 4, MAXHOG: 5, LASTHOG: 5
LASTHOG At:   12:37:47 EDT Jul 18 2012
PC:           f4078b (suspend)
Process:      Unicorn Admin Handler, NUMHOG: 4, MAXHOG: 5, LASTHOG: 5
LASTHOG At:   12:37:47 EDT Jul 18 2012
PC:           f4078b (suspend)
Traceback:    f40be2 130f41e aab54d aac3b0 5a6c2e 5a7272 5a75e5
              5ad3d5 1182b3
Process:      IKE Daemon, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5
LASTHOG At:   23:07:40 EDT Jul 19 2012
PC:           1b6dd0 (interrupt)
Traceback:    100178 1b8a31 1baaeb 6438d7 12efc6f 64250b 653fe9
              654b78 1182b3
Process:      IKE Daemon, PROC_PC_TOTAL: 347, MAXHOG: 31, LASTHOG: 30
LASTHOG At:   16:01:55 EDT Jul 23 2012
PC:           654bab (suspend)
Process:      CTM message handler, PROC_PC_TOTAL: 346, MAXHOG: 27, LASTHOG: 27
LASTHOG At:   16:01:55 EDT Jul 23 2012
PC:           2087ec (suspend)
Process:      IKE Daemon, NUMHOG: 693, MAXHOG: 31, LASTHOG: 27
LASTHOG At:   16:01:55 EDT Jul 23 2012
PC:           654bab (suspend)
Traceback:    1182b3
Process:      Unicorn Admin Handler, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5
LASTHOG At:   17:23:30 EDT Jul 23 2012
PC:           130003b (interrupt)
Traceback:    100178 13008b8 f5a0cd f5ac32 f5ae40 f60828 f617c1
              d38a0d aab50b aac14a 5a6c2e 5a7272 5a75e5 5ad3d5
Process:      Dispatch Unit, PROC_PC_TOTAL: 227, MAXHOG: 432, LASTHOG: 35
LASTHOG At:   17:37:03 EDT Jul 23 2012
PC:           278207 (suspend)
Process:      Dispatch Unit, NUMHOG: 227, MAXHOG: 432, LASTHOG: 35
LASTHOG At:   17:37:03 EDT Jul 23 2012
PC:           278207 (suspend)
Traceback:    278207 1182b3
Process:      Unicorn Admin Handler, PROC_PC_TOTAL: 1901, MAXHOG: 8, LASTHOG: 7
LASTHOG At:   17:44:20 EDT Jul 23 2012
PC:           118ed5 (suspend)
Process:      Unicorn Admin Handler, NUMHOG: 1901, MAXHOG: 8, LASTHOG: 7
LASTHOG At:   17:44:20 EDT Jul 23 2012
PC:           118ed5 (suspend)
Traceback:    118ed5 b2d032 f5a80d f5ac0a f5ae40 f607e5 f617c1
              d38a0d aab50b aac14a 5a6c2e 5a7272 5a75e5 5ad3d5
CPU hog threshold (msec): 5.120
Last cleared: None
Check on the inetrface whetehr u get any crc/input/overrun errors. Please check with the physical connectivity.
Interface Ethernet0 "inside", is up, line protocol is up
Hardware is i82559, BW 100 Mbps, DLY 100 usec
    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
    MAC address __________, MTU 1500
    IP address 10.10.1.1, subnet mask 255.255.255.0
    60862937 packets input, 29025667892 bytes, 0 no buffer
    Received 1371 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    68515603 packets output, 44084404472 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max packets): hardware (0/1) software (0/47)
    output queue (curr/max packets): hardware (0/67) software (0/1)
Traffic Statistics for "inside":
    60997029 packets input, 28080179952 bytes
    68553614 packets output, 43104566708 bytes
    29544 packets dropped
      1 minute input rate 63 pkts/sec, 30371 bytes/sec
      1 minute output rate 64 pkts/sec, 16557 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 91 pkts/sec, 45254 bytes/sec
      5 minute output rate 93 pkts/sec, 56181 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Ethernet1 "outside", is up, line protocol is up
Hardware is i82559, BW 100 Mbps, DLY 100 usec
    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
    MAC address ___________, MTU 1500
    IP address ___________, subnet mask 255.255.255.252
    67730933 packets input, 44248541375 bytes, 0 no buffer
    Received 4493 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    60418640 packets output, 29310509840 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max packets): hardware (0/1) software (0/39)
    output queue (curr/max packets): hardware (0/42) software (0/1)
Traffic Statistics for "outside":
    67782987 packets input, 43276611710 bytes
    60562287 packets output, 28342787997 bytes
    206651 packets dropped
      1 minute input rate 57 pkts/sec, 14273 bytes/sec
      1 minute output rate 61 pkts/sec, 30258 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 89 pkts/sec, 54426 bytes/sec
      5 minute output rate 87 pkts/sec, 45115 bytes/sec
      5 minute drop rate, 0 pkts/sec
enable flowcontrol recieve on on the firewall interfaces and switch/router interfaces connected to the firewall.
Not sure how to do that.

PIX-515E - Reason 412: the remote peer is no longer responding...

Hi,
I am unable to VPN to my network from outside using cisco VPN client to PIX-515E.
When I try it say:
Reason 412: the remote peer is no longer responding...
From inside everything work ok, I can connect... (same computer, same settings...)
Maybe the problem is not in PIX??
Few days ago I upgrade FWSM from 3.1.x to
FWSM Firewall Version 4.1(9)
Device Manager Version 6.2(2)F
Can this upgrade cause problem???
I compare running conf: and I notice this new commands:
service reset no-connection
no service reset connection marked-for-deletion
I try with opposite:
no service reset no-connection
service reset connection marked-for-deletion
but still I cannot VPN....
Any advice?
THX,
Ivan

Problem solved...
as usual I cause the problem instead of 8 i wrote 3... i was checking that IP address several time but didn't see
now when I was preparing to put running config online and replacing ip address ... something jump into my eye....
So thnx Jennifer :-)

IPS 4240 Blocking Questions with Pix 515E

Similar Messages

Maybe you are looking for