IPS 4255 with 6509/FWSM

Is it possible to use a 4255 IPS inline on a 6509 with an FWSM?
For example, say the FWSM has 20 VLANs with servers on them; is it possible to put it inline between the different VLANs? Would VLAN pairs work for this, or VLAN groups?

You can use both VLAN pairs and VLAN groups in this scenario. In my opinion the VLAN-pair setup is simpler than the VLAN-group setup, so I would look into that first.
Here is a link describing the system with more than one sensor to scale the bandwidth:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a0080671a8d.shtml
It's about an older version and has missing images, but still shows the concept of a "sensor on a stick".

Similar Messages

  • IPS 4270 with 6509 VSS in Promiscuous mode

    Dear all,
    I am trying to figure out how to configure 2x IPS 4270 in promiscuous mode with Cisco 6509 VSS:
    I have attached the LLD core datacenter design including the IPS physical placement in my network.
    The following points are my concerns in this design:
    Shall I connect each of the IPS 4270s into VSS Chassis A and B, or do I keep each IPS connected to a different chassis? (Considering the SPAN port configuration on VSS, and whether I could encounter an asymmetric routing issue or not.)
    Can I use EtherChannel in either case (keep in mind it's promiscuous mode)? That means the destination interface on the VSS will be an EtherChannel interface, but does the Cisco IPS 4270 support EtherChannel while in promiscuous mode?
    I really appreciate your input on this matter guys.
    Cheers
    Mohammed Khair

    Hi,
    1. You can connect each IPS into Chassis A and B; that is not a problem. But while configuring the RSPAN monitor from A to B and B to A, you should monitor both VLANs (I mean RSPAN A and B and also vice versa in your config; then it will give both outputs even if connectivity between the IPS and one chassis fails).
    2. The IPS supports EtherChannel while in promiscuous mode as well.

  • TCP flow get slower with IPS 4255 5.1(3) in inline mode

    I have an IPS 4255 with 5.1(3).
    The logical setup is the following:
    Internet
    |
    ServerA --- IPS --- PIX --- IPS --- ServerB
    The physical setup is the following:
    ServerA --- SwitchA --- IPS --- SwitchB --- PIX --- Internet
    ServerB ---/
    (ServerA and ServerB are in different DMZs -> in different VLANs)
    My goal is to protect many segments by one inline IPS, therefore the connection
    between SwitchA and SwitchB is an ethernet trunk (for performance reasons this is
    an etherchannel trunk (load sharing is src-dst-ip)).
    The problem is that ServerA and ServerB have to communicate, and this is done via the PIX.
    The communication is very slow and there are many fired TCP Drop and TCP normalization related
    signatures. When the IPS is in bypass-on mode or one of the server segments is not watched by the
    IPS the communication speed is OK. I think the speed degradation is because every packet between ServerA and
    ServerB travels through the IPS twice. It seems to me that although they are in separate VLANs the IPS cannot handle
    them.
    Does anyone have an idea how to solve this issue?

    Hello,
    The traffic is about 1-2 megabit/sec through the IPS, so this does not count.
    I tried to use norandomseq but it does not help. (Is it OK that norandomseq does not appear in the configuration? I used it in this form: nat (APPL) 0 access-list ACL_NONAT_APPL norandomseq.)
    I switched off all of the signatures except the normalizers. I set them to just produce alert and verbose alert, not to drop or modify packets.
    The two relevant servers are Takson (172.31.5.1) and Keve (172.31.6.1).
    The alarms are attached. I see that there is an alarm between them: TCP session tracking stopped due to timeout.
    It seems to me very strange.
    Akos

  • Events are not showing in vms 2.3 for IPS 4255 sensor

    Hi,
    I have an IPS 4255 with version 5.1. We installed VMS 2.3 with Cisco Common Services, IPS MC, SecMon and CiscoView. We are unable to see the events in the event viewer in Security Monitor, and it shows the status as "TLS is connected" in the device column. Please help us to resolve the issue.
    Thanks in advance,
    Regards,
    Ram

    Run "sh events" on the sensor to make sure that the events are arriving at the event server. Check that the SPAN session is capturing data from the network with "packet display" etc.

  • IPS 4255 doesn't detect a Nessus vulnerability scan..

    We tested Nessus against our legal IP range, and although the firewalls see the connections and happily deny them, the IPS 4255s (two, in series, running 7.1.6 and 7.0.7 E4 respectively) aren't logging anything on the source IP, not even in the info / low logs.
    Is this a consequence of Nessus being very clever, or is there an issue with the scanning thresholds? These are currently set to 100.
    Gareth

    Hello Gareth,
    Can you let me know if these signatures are enabled:
    3001/1
    4003/0
    3001/0
    In fact, have some fun with the entire link and check those signatures (I have done the search and copied the link for you); those should be able to detect that traffic ASAP.
    http://tools.cisco.com/security/center/ipshome.x?keyword=Port+Sweep&selectedCriteria=E&dateRange=All&searchType=Basic&Signature+ID=false&Signature+Name=false&Latest+Release+Date=false&Alarm+Severity=false&Release=false&Original+Release=true&Original+Release+Date=true&Default+Enabled=true&Default+Retired=true&Fidelity=true&itemsPerPage=20&currentPage=1&pageSize=20&sortOrder=d&lastUpSortOrder=d&sortType=date&PAGE_START=&i=62&shortna=&searchFlag=Basic#
    Remember to rate any of the helpful posts
    Regards
    Julio Carvajal

  • How can i password recovery of IPS 4255?

    Hi everyone.
    How do I do password recovery on an IPS 4255?

    Here is the procedure to perform password recovery on IPS 4200 series:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_troubleshooting.html#wp1139598
    Hope this helps.

  • Regarding IPS 4255

    Hi,
    I want to know whether the IPS 4255 supports these features or not.
    The features are as follows:
    1. Protect from common gateway attack
    2. Protect from buffer overflow attack
    3. Protect from remote procedure call attack
    4. Provide protocol parsing detection, heuristic detection
    If it supports them, then please tell me how to check these features in the IPS 4255.
    Please reply as soon as possible.
    Thanks
    Jayesh

    Yes, if configured properly and if the attack has triggered an IPS signature (custom or Cisco).
    It is all in the IPS software and not the hardware. The hardware is a factor in how much traffic it can analyze, not whether it can block/prevent traffic (at least not now).
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/ps9157/product_data_sheet09186a008014873c_ps4077_Products_Data_Sheet.html

  • IPS mode with IDSM-2 module on Cat6K

    Hi,
    I have installed the IDSM-2 module on the Catalyst 6509 switch. Now I was referring to the configuration guide for IPS 6.0; there are multiple modes I can configure, like inline, inline VLAN pair, promiscuous and VLAN group mode, so I'm thinking which one would be the best solution...
    The Catalyst 6509 is acting as the core/distribution with multiple VLANs (around 20 VLANs) configured, and the customer wants the IPS to be deployed in such a way that it covers the traffic from all the VLANs.
    Also note that there is a redundant Cat6509 switch which also has an IDSM-2 module installed, so can both IDSM-2 modules be installed in an active/standby or active/active combination?
    Can someone throw some light on this please?
    Regards
    Vijay.

    A sensor can enter bypass mode for several reasons, including, but not limited to:
    1) Analysis Engine reconfiguration
    2) Global Correlation updates
    3) Daily Signature DB self purge
    4) sensorApp failure
    Most of these reasons are benign. I have written Supportability Enhancement CSCtg69012 so that each bypass log will show the reason for entering bypass mode.
    The bug is available via the CCO Bug Toolkit: http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs.
    You may review the bug and click on the "Save Bug" button at the bottom of the page to receive email updates as changes are made to the bug's state.
    To fully diagnose your issue, I suggest opening a TAC case where we will request a "show tech," including debug level logs. This will allow us to see what is triggering the sensor to enter bypass mode.
    Thank you,
    Blayne Dreier
    Cisco TAC IDS Team
    **Please check out our Podcast**
    TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

  • 4 security level with 2 FWSM contexts

    Hello,
    I have to implement a DC with two 6509s, ACE and FWSM with only a default license for 2 VFWs.
    But the problem I have is that I have 4 separate networks where I would like to give a different security level.
    I'm using the FWSM in transparent mode.
    Any idea? About using VRF? ACE or something else?
    Suggestions will be appreciated.
    Regards,
    Omar

    Hello Omar,
    Although I'm not familiar with the ACE blade we do run 2 X 6509s with FWSMs.
    In your case you could connect your 4 networks to a single context (VFW) since the max network connections per context is 8. You would create 4 BVIs (Bridge Virtual Interfaces.) Security levels in FWSMs don't have much meaning since you are required to specifically allow traffic to pass through the context regardless of which side of the BVI it comes from. By default no traffic flows at all. All traffic is filtered with ACLs.
    You could also create a VRF on the 6509 that could act as a central or core routing point for your networks. (We do this for 18 separate contexts and call it the fusion VRF.) However you would only use a VRF if you wanted to keep the routing table isolated from the global table running on the 6509's.
    Otherwise this is unnecessary.
    If you chose to run the FWSMs in multiple context mode you could have two networks per context, still connect them to a fusion VRF, and also run an Active/Active FWSM configuration which allows you to do a type of load sharing along with failover. One context is active and one context is standby on FWSM A and on FWSM B the roles reverse. This shares active traffic across the FWSM blades.
    Hope this brief description is helpful for you.
    Simon

  • Problem with Failover FWSM (With Multiple Context)

    Dear All,
    I have 2 Catalyst 6500s with FWSM modules; the Catalysts and FWSMs are redundant. The FWSM is in multiple context mode.
    I had done it with the Catalyst 6500, but when I try to add (Admin -> Security and Monitor Devices) the module with the FWSM context it is always an error.
    I add this context in the active context.
    This is the error message when I try to add the FWSM on MARS.
    The first one;
    expect: spawn id exp3 not open
    while executing
    "expect -nobrace {<--- More --->} {
    send_user "\n"
    send -- " "
    exp_continue
    } {assword: } {
    s..."
    invoked from within
    "expect {
    "<--- More --->" {
    send_user "\n"
    send -- " "
    exp_continue
    "assword: " {
    (file "./sshpix7x.exp" line 105)
    st_key
    the second:
    invoked from within
    "expect {
    "<--- More --->" {
    send_user "\n"
    send -- " "
    exp_continue
    "assword: " {
    (file "./sshpix7x.exp" line 105)
    st_key
    and sometime:
    spawn ssh -c 3des -l siem-mars 10.x.x.x
    Connection timed out
    For Information :
    The FWSM Firewall Version 4.0(6)
    and,
    CSMAERS-200
    Product Version               :    6.0.6 ( 3368 )
    Data Package Version     :     35
    IPS Signature Version     :     454
    IPS Custom Signature Version     :     0
    Anyone can help me please...
    Thanks b4,
    Best Regards,
    Naga

    Hi Teck Yong Ng,
    I am not sure about your problem, but normally what happens when we install two databases on the same host is there will be conflict between the ports connecting to the database.
    In your case the second system database might also have the same port number which you have for the first system. That is why I think you are facing this issue.
    Try to look at the port numbers.
    Regards,
    Bharath Kumar.K

  • SW-6509-FWSM failover Troubleshooting First aid

    Fault Description:
    (1)
    Between the active FWSM and standby FWSM inside interfaces, ping fails.
    On the FWSM---active side: ping 172.17.1.50 -------OK, ping 172.17.1.49------ping fails;
    On the FWSM---standby side: ping 172.17.1.49--------OK, ping 172.17.1.50-------ping fails;
    But between the active FWSM and standby FWSM outside interfaces, ping is OK.
    On the FWSM---active side: ping 172.17.1.36, ping 172.17.1.37, ping 172.17.1.35/33/34/, ping www.baidu.com -----------All OK;
    On the FWSM---standby side: ping 172.17.1.36, ping 172.17.1.37, ping 172.17.1.35/33/34/, ping www.baidu.com-----------All OK;
    (2)
    Another problem:
    From the active FWSM and standby FWSM inside interfaces, ping 7706-------All fails.
    Summary: may be caused by the FWSM.
    Topology: attachment
    FWSM :
    FWSM# show failover state
    ====My State===
    Primary | Active |
    ====Other State===
    Secondary | Standby |
    ====Configuration State===
        Interface config Syncing - STANDBY
        Sync Done
    ====Communication State===
        Mac set
    =========Failed Reason==============
    My Fail Reason:
        Ifc Failure
    Other Fail Reason:
        Comm Failure
    FWSM# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: lan Vlan 997 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 15 seconds
    Interface Policy 50%
    Monitored Interfaces 42 of 250 maximum
    Config sync: active
    Version: Ours 4.0(13), Mate 4.0(13)
    Last Failover at: 19:08:24 Beijing Dec 2 2013
        This host: Primary - Active
            Active time: 358944 (sec)
        Interface outside (172.17.1.36): Normal
        Interface inside (172.17.1.49): Normal (Not-Monitored)
        Other host: Secondary - Standby Ready
            Active time: 0 (sec)
        Interface outside (172.17.1.37): Normal
        Interface inside (172.17.1.50): Normal (Not-Monitored)
    (Not-Monitored) -----------------??????

    That's what I thought, but then again, from the 6500 config prompt I actually get echo replies(!) from the FWCTX, with capture enabled as:
         access-list CAP permit ip any any
         capture mgmt access-list CAP interface MGMT packet-length 1500 circular-buffer
    But it shows blank and no hit counts. The same happens using RTMonitor in ASDM (6.2(2f)): some packets that are permitted and routed correctly aren't actually noticed. I don't get any logging for the missing/dropped/denied echo replies from the FWCTX to the 6500 MSFC, nor for the successful replies from the 6500 to the FWCTX, with ASDM debugging logging on.

  • IPS repositories with "conflicting attributes"

    Is there a way to loosen restrictions for directory permissions/ownership for packages from external IPS repositories? It seems that system directory group ownership changed at some point.
    For example:
    $pfexec pkg install MBLmplayer
    Creating Plan /
    pkg install: The requested change to the system attempts to install multiple actions
    for dir 'usr/lib/pkgconfig' with conflicting attributes:
    2 packages deliver 'dir group=bin mode=0755 owner=root path=usr/lib/pkgconfig':
    pkg://Multimedia2/[email protected],5.11:20100204T001101Z
    pkg://Multimedia2/MBLx264@20100125,5.11:20100204T025624Z
    190 packages deliver 'dir group=other mode=0755 owner=root path=usr/lib/pkgconfig', including:
    pkg://solaris/codec/[email protected],5.11-0.160:20110228T155222Z
    pkg://solaris/codec/[email protected],5.11-0.160:20110228T155229Z
    pkg://solaris/codec/[email protected],5.11-0.160:20110228T155234Z
    pkg://solaris/codec/[email protected],5.11-0.160:20110228T155243Z
    pkg://solaris/communication/im/[email protected],5.11-0.160:20110228T155329Z
    ......and so on.....

    No, the permissions must be consistent, otherwise the system can be unstable. A workaround is to pkgrecv the packages into a local area using the "--raw" option, edit the manifests to have the correct permissions, and then republish to a local repository from which you can do the install. The alternative is to get the original IPS repository author to fix the permissions.
    __ Alan

  • IPS system with 20 Gb eth ports

    Hello,
    I'm just trying to find a product that meets the specs I've been handed. One of the issues I'm running into is finding an IPS with 20 Gb Ethernet ports on it. Does anyone have a suggestion?
    TIA.

    The interface standard speeds are 1, 10 and 40 Gb/s. I'm not aware of any interfaces that run at 20 Gb/s.
    If you're looking for an IPS sensor that can process 20 Gb/s of traffic:
    SourceFire has the 3D8260 (their clusters run 20, 30 and 40 Gb/s)
    McAfee is releasing a new line this summer but I can't remember the model number off hand.
    Alternately you can statefully load balance across several sensors (clustering).
    You will soon discover going fast is damn expensive.
    - Bob

  • Deny some ips internet with SRW2024

    Hi, is it possible to deny internet access to some IPs with an ACL on the SRW2024?
    If so, I would like a little help; I've been killing my head with this and didn't find anything.
    regards

    Yes. You can do that depending on how you define "internet". It also depends on the port assignments. If you want to do the filtering on a port with a mix of blocked and non-blocked IP addresses (i.e. you have connected another switch to this port and some of the IP addresses to be blocked are connected there) it gets more complicated.
    You could set up an ACL with rules allowing all traffic from those IP addresses into the LAN. Add a deny all rule at the end. Assign this ACL to a port connected to a device to be blocked.
    For instance, if your LAN is 10.0.0.0/255.255.255.0 you set up an ACL with two rules:
    1. permit traffic with destination IP address 10.0.0.0 and wildcard mask 0.0.0.255
    2. deny all traffic (i.e. a rule with no definition of source or destination IP address).
    Assign this ACL to all ports on which you want to block internet.

  • Port Channel 5548 with 6509

    My company just purchased a Nexus 5548.  I've been fooling around with the configurations and just getting familiar with this equipment.  I've already configured a port channel using 2 10gig ports on our 3850 and its working fine.
    Now, I'm trying to configure a second port channel with our 6509 1gig ports. Ports comes up. But I cannot communicate between these 2 devices.
    Show CDP Neigh shows the other devices. Show Etherchannel summary is blank
    This is the config on the 6509
    interface Port-channel22
     switchport
     switchport trunk encapsulation dot1q
     switchport mode trunk
    interface GigabitEthernet9/7
     switchport
     switchport trunk encapsulation dot1q
     switchport mode trunk
     channel-group 22 mode on (I also tried using Active and desirable)
    Config on 5548
    interface Port-Channel 2
     switchport
     switchport mode trunk
     speed 1000
    interface ethernet1/32
     switchport mode trunk
     speed 1000
     channel-group 22 mode on
    I also have feature Lacp , interface vlan and vlan dot1q tag native enabled
    Any ideas why I cannot communicate between these devices? 

    This is what is showing on the 5548
    2015 Mar 18 08:18:09 DC-5548-01 %ETHPORT-5-SPEED: Interface Ethernet1/32, operational speed changed to 1 Gbps
    2015 Mar 18 08:18:09 DC-5548-01 %ETHPORT-5-IF_DUPLEX: Interface Ethernet1/32, operational duplex mode changed to Full
    2015 Mar 18 08:18:09 DC-5548-01 %ETHPORT-5-IF_RX_FLOW_CONTROL: Interface Ethernet1/32, operational Receive Flow Control state changed to off
    2015 Mar 18 08:18:09 DC-5548-01 %ETHPORT-5-IF_TX_FLOW_CONTROL: Interface Ethernet1/32, operational Transmit Flow Control state changed to off
    2015 Mar 18 08:18:09 DC-5548-01 %ETHPORT-5-SPEED: Interface port-channel2, operational speed changed to 1 Gbps
    2015 Mar 18 08:18:09 DC-5548-01 %ETHPORT-5-IF_DUPLEX: Interface port-channel2, operational duplex mode changed to Full
    2015 Mar 18 08:18:09 DC-5548-01 %ETHPORT-5-IF_RX_FLOW_CONTROL: Interface port-channel2, operational Receive Flow Control state changed to off
    2015 Mar 18 08:18:09 DC-5548-01 %ETHPORT-5-IF_TX_FLOW_CONTROL: Interface port-channel2, operational Transmit Flow Control state changed to off
    2015 Mar 18 08:18:09 DC-5548-01 %ETH_PORT_CHANNEL-5-PORT_UP: port-channel2: Ethernet1/32 is up
    2015 Mar 18 08:18:09 DC-5548-01 %ETH_PORT_CHANNEL-5-FOP_CHANGED: port-channel2: first operational port changed from none to Ethernet1/32
    2015 Mar 18 08:18:09 DC-5548-01 %ETHPORT-5-IF_UP: Interface Ethernet1/32 is up in mode trunk
    2015 Mar 18 08:18:09 DC-5548-01 %ETHPORT-5-IF_UP: Interface port-channel2 is up in mode trunk
    My 6509 does not show anything. Now when I do a show etherchannel summary on the 6509, the protocol is lacp.
