IPS on an 1841 vs 3825
I am new to IPS applications and was wondering if there was any difference in the IPS software I have installed on my 1841 router vs the IPS software on a 3825 router I am looking into purchasing. On the 1841 I am using the IOS c1841-advsecurityk9-mz.124-21.bin and on the 3825 c3825-advsecurityk9-mz.124-3j.bin
The functionality of the IPS software and the signature selection is the same between those two platforms. But IPS processing takes a toll on both CPU and memory. The 3825 will have more of these resources available and could handle a larger amount of traffic as a result.
Similar Messages
-
Hi,
Can we configure 1841 IOS IPS to get automatic signature updates directly from the Cisco site? I know we can do it in other firewalls like SonicWall, Fortigate, etc.
Regards
Siva K
Hi Siva,
Yes, you can do it from Cisco Security Manager, or you can try
Automatic Signature Update Guidelines
When enabling automatic signature updates, it is recommended that you ensure the following configuration guidelines have been met:
* The router's clock is set up with the proper relative time.
* The frequency for Cisco IOS IPS to obtain updated signature information has been defined.
* The URL from which to retrieve the Cisco IOS IPS signature configuration files has been specified.
* Optionally, the username and password with which to access the files from the server have been specified.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip ips auto-update
4. occur-at min:hour date day
5. username name password password
6. url url
7. exit
8. show ip ips auto-update
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1079125
regards
Yesua
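The summary steps quoted in the answer above, carried through as one complete configuration. This is an added example, not part of the original post or of Cisco's documentation: the time zone, the NTP server, the in-house HTTP server at 192.0.2.20, the account name and the path of the update index file are all assumptions. The router pulls the update files from a server you populate with the signature packages; the clock guideline matters because the occur-at schedule and the signature timestamps are both evaluated against router time.

```cisco
! Added example (not from the original post). Addresses, hostnames,
! credentials and the file path are assumptions for illustration.
!
! Guideline 1: a correct clock. Without it the occur-at window is
! evaluated against the wrong time and updates silently never run.
clock timezone MSK 4
ntp server 192.0.2.10
!
! Steps 3-7: enter the auto-update submode, then define the schedule
! (minute hour date day; here 02:00 every day of every month), the
! credentials the server requires, and the URL of the update index
! file staged on that server.
ip ips auto-update
 occur-at 0 2 1-31 0-6
 username ipsupdate password S3cretPw
 url http://192.0.2.20/ios-ips/IOS_reqSeq-dw.xml
 exit
```

The username and password are stored in the running configuration, so give the update account read-only access to that one directory on the server and nothing else. Step 8, `show ip ips auto-update`, displays the configured schedule and URL together with the time of the last and next update attempt; run it after the first scheduled window, and `show ip ips signatures` shows which signature release is actually loaded.
-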
2 ISPs with addresses /32 and PPtP Server onboard of Cisco 3825
First of all, excuse me for my bad English, it's not my native language.
A couple of years ago our company replaced our central router, a Cisco 1841, with a more powerful 3825 ISR.
Here is the show ver output:
Cisco IOS Software, 3800 Software (C3825-ADVENTERPRISEK9-M), Version 12.4(24)T7
This Cisco 3825 contains 2 DIMMs, 256 MB and 512 MB of RAM onboard.
Now it works with 2 ISPs (take a glance at the PDF picture http://www.intelcom-ug.ru/scheme.pdf or at the attached file). We're using a failover scheme: ISP1, with the statically assigned IP address 85.20.20.20/32 (Dialer 1), is used as the backup link. The ISP2 L2TP link is the main one.
Now our management is setting up a remote office with a Cisco 1841, and we face a problem: we cannot connect via PPTP from anywhere to 85.20.20.20/32 (Dialer 1). We need some help or advice. The config of the Cisco 3825 is like this:
version 12.4
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime
service password-encryption
hostname CENTRAL-OFFICE
boot-start-marker
warm-reboot
boot-end-marker
security authentication failure rate 3 log
logging message-counter syslog
logging buffered 64000
enable secret 5 HEREISTHESECRETPASSWORD
aaa new-model
aaa local authentication attempts max-fail 3
aaa authentication login default local
aaa authentication ppp default local
aaa authentication ppp vpn-users local
aaa authorization exec default local
aaa authorization exec vpn-users local
aaa authorization network vpn-users local
aaa session-id common
clock timezone MSK 4
ip source-route
no ip gratuitous-arps
ip cef
no ip domain lookup
ip domain name somewhere.net
ip name-server 8.8.8.8
no ipv6 cef
multilink bundle-name authenticated
vpdn enable
vpdn-group 239
accept-dialin
protocol pptp
virtual-template 100
vpdn-group global
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
password encryption aes
voice-card 0
username administrator privilege 15 password 7 737364645252414571
username vpnuser password 7 85956353413120384645373930
archive
log config
hidekeys
ip tcp selective-ack
ip tcp timestamp
ip tcp synwait-time 5
ip tcp path-mtu-discovery
ip ssh version 2
l2tp-class beeline
pseudowire-class pw-beeline
encapsulation l2tpv2
protocol l2tpv2 beeline
buffers tune automatic
interface Loopback0
ip address 10.111.111.111 255.255.255.255
interface GigabitEthernet0/0
description --Our Local Network--
ip address 192.168.7.2 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
interface GigabitEthernet0/1
description --Trunk Connection--
no ip address
duplex auto
speed auto
media-type rj45
interface GigabitEthernet0/1.10
description --Connection to ISP1 through vlan on our managed switch--
encapsulation dot1Q 10
pppoe enable group global
pppoe-client dial-pool-number 2
interface GigabitEthernet0/1.20
description --Connection to ISP2 through vlan on our managed switch--
encapsulation dot1Q 20
ip address dhcp
ip virtual-reassembly
interface Virtual-PPP5
description --Interface for ISP2--
ip address negotiated
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1380
no peer neighbor-route
no cdp enable
ppp authentication chap callin
ppp chap hostname 8282828282828
ppp chap password 7 theSecretForISP2
pseudowire 10.255.255.242 10 pw-class pw-beeline
interface Virtual-Template100
description --TEMPLATE for incoming PPtP connections of our users--
ip unnumbered Dialer1
autodetect encapsulation ppp
peer default ip address pool for-vpn
no keepalive
ppp authentication ms-chap ms-chap-v2 vpn-users
ppp authorization vpn-users
interface Dialer1
description --Interface for ISP1. PPPoE--
bandwidth 10240
ip address negotiated
ip accounting output-packets
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1400
load-interval 30
dialer pool 2
dialer-group 2
no fair-queue
ppp authentication chap callin
ppp pap sent-username reteretere password 7 PasswordForISP1
ip local policy route-map External_VPN
ip local pool for-vpn 172.16.135.1 172.16.135.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1 100 track 1
ip route 0.0.0.0 0.0.0.0 Virtual-PPP5 track 2
ip route 192.168.239.0 255.255.255.0 172.16.135.1 name C1841-Rossiyskaya70
ip route 194.87.0.8 255.255.255.255 Dialer1
ip route 194.87.0.9 255.255.255.255 Virtual-PPP5
ip route 10.255.255.242 255.255.255.255 dhcp
ip route 10.255.255.247 255.255.255.255 dhcp
no ip http server
no ip http secure-server
ip nat inside source route-map Beeline interface Virtual-PPP5 overload
ip nat inside source route-map UTK interface Dialer1 overload
! This access-list is for local Network proxy
ip access-list standard fwd-squid
permit 192.168.7.100
permit 192.168.7.0 0.0.0.255
! This access-list is for ip local policy
ip access-list extended External_VPN_access
permit tcp host 85.20.20.20 eq 1723 any
permit tcp host 85.20.20.20 eq 22 any
permit tcp host 85.20.20.20 eq telnet any
permit icmp host 85.20.20.20 any echo-reply
track 1 ip sla 1 reachability
ip sla 1
icmp-echo 194.87.0.8 source-interface Dialer1
timeout 7000
threshold 100
frequency 15
ip sla schedule 1 life forever start-time now
ip sla reaction-configuration 1 react timeout threshold-type immediate action-type triggerOnly
track 2 ip sla 2 reachability
ip sla 2
icmp-echo 194.87.0.9 source-interface Virtual-PPP5
timeout 7000
threshold 400
frequency 15
ip sla schedule 2 life forever start-time now
ip sla reaction-configuration 2 react timeout threshold-type immediate action-type triggerOnly
access-list 1 remark --SNMP Watching--
access-list 1 permit 192.168.7.0 0.0.0.255
access-list 100 permit ip 192.168.7.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
dialer-list 3 protocol ip permit
route-map External_VPN permit 10
match ip address External_VPN_access
set default interface Dialer1
route-map UTK permit 10
match ip address 100
match interface Dialer1
route-map Beeline permit 10
match ip address 100
match interface Virtual-PPP5
snmp-server community public RO 1
control-plane
line con 0
line aux 0
line vty 0 4
exec-timeout 30 0
line vty 5 15
exception memory ignore overflow processor
exception memory ignore overflow io
scheduler allocate 20000 1000
ntp update-calendar
ntp peer 194.33.84.1
event manager applet nat_clear_isp1
event track 1 state any
action 1 wait 5
action 2 cli command "enable"
action 3 cli command "clear ip nat translation *"
event manager applet nat_clear_isp2
event track 2 state any
action 1 wait 5
action 2 cli command "enable"
action 3 cli command "clear ip nat translation *"
end
Okay, you are not going to be able to do this using the interconnect between the switch and the router. The issue is -
1) if you make the interconnect a L2 trunk then you would have subinterfaces on the router interface connecting to the switch. But you cannot have multiple interfaces on the router configured from the same IP range, so it won't work, i.e. you would need a subinterface using the same IP range as one of the other interfaces.
2) if you make the interconnect L3 as you have, then you cannot route to the same subnet, i.e. think of it as two separate devices, a L3 switch and a router. You connect the L3 switch to the router using a L3 connection.
On the switch you then configure a client with a public IP, and on another interface on the router, i.e. not the interface used to connect to the switch, you use the same public IP range.
You cannot then route from the client to that other interface because you don't route to the same IP subnet and the client and the other interface are separated by a different IP subnet.
So neither will work. The L3 switch is usually used where you have multiple vlans/IP subnets and you create L3 vlan interfaces for these on the switch and then you route to other subnets that are reachable from the router, whether these are directly connected subnets or remote networks.
But you aren't doing that.
The only way I could see you doing what you need is to not configure the interconnect at all and instead run cables from the relevant router interfaces to the switch. Then you could configure vlans on the switch and have them route via the physical router interface.
The switch is then only acting as a L2 switch and all L3 is done on the router.
One thing I should say is I have never used the switch module this way so I can't guarantee it will work, although I can't see why it wouldn't.
Jon
-
Dear Pros,
Project explanation:
A pair of PIX firewalls configured as failover. The outside of the PIX pair is connected to the Internet gateway router, a 3825. The inside of the PIX pair is connected to the core switch ports configured with the VLAN. The configuration is as below:
Outside : 192.168.102.0
Active pix out: 192.168.102.2
Sec.Pix out : 192.168.102.3
3825 Gieth : 192.168.102.1
Inside PIX : 192.168.101.0
Active pix in : 192.168.101.2
Sec.PIX IN : 192.168.101.3
Core SVI in : 192.168.101.1 (Gway for the vlan)
Now I decided to connect the IPS 4240 in inline IPS mode by connecting the IPS's outside to the PIX inside segment and the IPS inside to the core switch 4510R VLAN interface that was previously connected to the PIX inside segment.
I have 5 VLANs inside the core 4510R created with 172.16.16.0/24, 172.16.17.0/24, 172.16.18.0/24....
I already configured the IPS 4240 with 2 interface pairs and assigned them to the sensing engines. I need to know the other steps to configure to allow the traffic inline through the IPS. Also I want to know the blocking concept, and here do we need to configure the blocking for the 5 inside networks?
Please give me the solution details.
Thanks
swamy
Based on your scenario, please have a look at the logical and physical connectivity of your devices.
This is due to the device limitations, especially the switch, where you only have 1 x Cat4510R available. Therefore, you need to host all connections to this switch to cater for IPS - Firewall connectivity.
This design is to allow you to filter traffic from the Internet coming into your internal network and vice-versa.
Basically, you need to have 2 x Layer 2 VLANs on your Cat4510R switch, for (example):
- VLAN 102 - hosts the router interface, IPS and PIX outside interfaces
- VLAN 11 - hosts the PIX inside interfaces and IPS
Maintain the existing VLAN with interface IP 192.168.102.1, which was shared with the PIX inside interface IPs as well.
I have implemented a similar setup, and it works fine.
As for your blocking concept, you need to use ACLs to permit/deny who/ports, and apply them to the relevant VLAN interfaces.
Hope this works. Please rate all useful post(s).
AK
-
Dear All,
The following are the attack details I received from the customer. Before contacting Cisco I posted here for your answers.
Date= 2007/02/16
Time= 22:44:13 Arab Standard Time
SIGID= 5081:0
5326:0
SIGNAME= WWW WinNT cmd.exe Access
Root.exe access
Victim= 192.168.100.1
AttackerAddress= 214.139.200.1
Please how can i solve this issue .
swamy
Edward,
Thanks for your info. I will contact the customer and discuss those things.
Also I want to know the following on the IPS in-line setup.
1. IPS connected behind the firewall PIX 525 in in-line mode. An interface pair was created and 2 interfaces were made members of the pair. I assigned the pair to the engine. Here I did not do any tuning on the signature configuration; all the sigs are enabled as default. As soon as the IPS was placed in the network in-line it stopped the network from going out; when I put it in bypass mode then it is working. Please could you give the basic config to make the IPS work in in-line mode. Inside the network is the one with 3 networks (192.168.100.0, 101.0, 102.0).
The IPS inside interface sits in the 192.168.100.0 network, then the other 2 networks are in 2 VLANs of the core switch 4507R. The IPS outside interface is in line with the PIX firewall failover pair. The firewall pair outside connects to the Internet router 3825, to the Internet using ADSL.
I want to know how to choose the sigs that are only required for the internal networks also.
Waiting for your reply
Thanks in advance
swamy
-
Do Cisco 1841 or 2911 routers, or any other model routers, have a default IP or not?
If I understand your question correctly; no, there are no IPs configured by default.
-
Hi all,
I am enabling the IPS functionality on a 3825 router with IOS 12.4(3d). The problem is that when I enable the IPS (inbound direction of the router's ethernet interface) I start having connectivity problems with some applications even with all the signatures on alert (not to drop traffic).
Is there a debug or some troubleshooting that I can use in order to verify why the IPS is dropping some of the traffic?
Also I have read that when you enable the IPS functionality the router automatically activates the inspect engine and in consequence it will drop out-of-order packets and half-open connections, is this correct?
Regards.
Thanks Chris,
I will try the IOS upgrade to see if that helps me to solve the issue. By the way, I am still looking for some debugs or troubleshooting commands that help me to verify that the IPS (and inspect engine) is dropping the packets. Do you know some commands or debugs that can help me?
Regards.
-
Using blocking on our IPS Sensor
I currently have a Cisco IPS 4240 employed inline in my Customers Network. It is inside of the border Router, and in front of the Outside Firewall which protects the DMZ.
The IPS is already configured to block certain types of packets inline. I was reading about blocking and the ability of the IPS Sensor to manage other devices for blocking as well (both our border router, which is a 3825, and our ASA, which is a 5520, are capable of being managed for blocking purposes).
Can someone give me a practical example of why I might want to configure either the border router or the ASA to block for the Sensor?
Thanks
That's a good answer. My customer does not have any devices between the border router and the IPS, so perhaps we do not need to use any blocking... what about blocking things coming from inside networks? We have a DMZ that is separated by ASAs on both sides, and both of these are inside of the IPS unit?
-
Setting static leases through DHCP (1841)
Interested in how to set up static leases through my DHCP pool on a Cisco 1841.
The DHCP pool is currently set as 14.18.16.0, sharing 14.18.16.20-120 with the subnet mask 255.255.255.0.
I'd like to have x clients with specific IPs (based on their MAC?); the leases should never expire.
Thanks in advance.
You need to capture the user's MAC address to configure a static DHCP mapping. IMO this is provided for users who want to get the same IP address but are too lazy to hardcode it (manually configure it on their PC interface) in their PC :)
Here is the link on how to do it: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/gtdhcpsm.html
Watch out when a user changes PC; some users (though with NO disability) expect the IP address to follow them when they change PC :)
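The static binding the linked document describes, written out as an added example alongside the dynamic pool from the question. This is not configuration from the original post: the gateway and DNS addresses, the fixed host addresses, the MAC addresses and the pool names are assumptions. A manual binding lives in its own one-address pool, never expires, and is matched on the client identifier (for Ethernet DHCP clients that is the media-type byte 01 in front of the MAC address) or, for BOOTP clients that send no identifier, on the hardware address.

```cisco
! Added example (not from the original post). Gateway/DNS addresses,
! fixed host addresses, MAC addresses and pool names are assumptions.
!
! The dynamic pool from the question: 14.18.16.0/24 handing out .20-.120.
! Everything outside that range is excluded from dynamic assignment, so
! the fixed hosts below can sit in the excluded space without collisions.
ip dhcp excluded-address 14.18.16.1 14.18.16.19
ip dhcp excluded-address 14.18.16.121 14.18.16.254
ip dhcp pool LAN
 network 14.18.16.0 255.255.255.0
 default-router 14.18.16.1
 dns-server 14.18.16.1
!
! One separate pool per fixed host; a manual binding has an infinite lease.
! For an Ethernet DHCP client the client identifier is 01 + MAC, so the
! MAC 00:11:22:33:44:55 is written as 0100.1122.3344.55.
ip dhcp pool PRINTER-1
 host 14.18.16.5 255.255.255.0
 client-identifier 0100.1122.3344.55
 client-name printer-1
!
! A BOOTP client (no client identifier in its request) is matched on the
! raw hardware address instead; 00:11:22:33:44:66 becomes 0011.2233.4466.
ip dhcp pool PXE-BOX
 host 14.18.16.6 255.255.255.0
 hardware-address 0011.2233.4466
 client-name pxe-box
```

Verify with `show ip dhcp binding`: the fixed hosts appear with type Manual and an infinite lease expiration, while the dynamic clients show the pool's lease timer. The most common mistake is omitting the leading 01 from the client identifier, in which case the host silently falls through to the dynamic pool.
-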
Cisco IOS IPS in Cisco 2921/k9 router
Hi All,
I have a router of the Cisco 2921 series (C2921/K9), a basic box with the IP Base IOS image (SL-29-IPB-K9 IOS). I would like to enable the IOS-level IPS feature on this router now. Based on the Cisco document I have found, I need to purchase an additional subscription license to enable the IPS feature. My query is:
Will it be supported on the basic IP Base IOS or do I need to change the IOS?
If I need to purchase the subscription license, how can I get the part number and cost for the same?
Do I need to buy any additional module for this like (NME-IPS-K9)?
Thanks in advance for your quick support
regards
Sunny
Hi Sunny
1. Yes you can enable IPS on IOS with the security license, without buying a subscription, but this would make little sense - new signatures are being released all the time so you would not be protected from recently discovered vulnerabilities/attacks.
2. Correct, the modules and appliances run a different kind of software and are much more powerful
3. If you add the module, you do NOT need the security license. It would still be advised to get a subscription license to get signature updates for the module.
I hope this helps, let us know.
regards
Herbert
jacob.samuel wrote:
Dear Herbert,
Thanks a lot for the wonderful post. It cleared most of my doubts. Still I kindly need to know a few more points:
1) Can't we enable the IPS feature on a 2921/K9 router (with Sec license or 2921Sec/K9 bundle) without a signature subscription license (is it a must? it is for getting updates of signatures and for support only, right?)
2) I came to know from a distributor pre-sales engineer that Cisco IOS-level Intrusion Protection is not going to provide the full feature set of IPS like the NME module or IPS appliance. Is that right?
3) If I add the NME-IPS-K9 module to my 2921 router, without enabling the Sec license, can I enable the IPS feature on the router? Or is it a must that I need to buy the Sec license (SL-29-SEC-K9)?
Attaching the datasheet of the NME-IPS-K9 module (page 5, above Table 3), which mentions the following:
Cisco IOS Software Feature Sets and Release
Table 3 lists the required Cisco IOS feature sets and releases for Cisco IPS AIM and IPS NME on the Cisco 1841, 2800 and 3800 series Integrated Services Routers. Note that IPS NME on the Cisco 2900 and 3900 Integrated Services Routers does not require a Security Feature license.
In that case, if I buy a module I can install it on the 2921K9 box directly and enable the IPS feature, right? I don't need any license or additional signature subscription here to enable the IPS feature (if I don't need signature updates and support), right?
thanks a lot for the support.
regards
Sunny
-
Hi, I need help: is the IPS in Cisco 3900 series routers integrated into IOS, or is it still a module?
Hi,
It supports both the IPS module and Cisco IOS IPS, but IOS IPS has limited functionality.
Look into below link for more information
http://www.cisco.com/c/en/us/products/collateral/routers/1841-integrated-services-router-isr/prod_qas0900aecd806c4e3c.html
What are the differences between the Cisco IPS modules and Cisco IOS IPS?
A. Following are some of the major differences between the Cisco IPS AIM and IPS NME and Cisco IOS IPS:
• Cisco IPS AIM and IPS NME have dedicated CPU and DRAM to offload IPS processing, whereas Cisco IOS IPS shares router resources with other processes.
• Cisco IPS AIM and IPS NME support both inline and promiscuous mode, whereas Cisco IOS IPS supports only inline mode.
• Cisco IPS AIM and IPS NME can support all Cisco IPS signatures that are not retired by default, whereas Cisco IOS IPS can support only a user configurable subset.
• Cisco IPS AIM and IPS NME run Linux-based Cisco IPS Sensor Software, whereas Cisco IOS IPS runs a Cisco IOS Software-based IPS code.
HTH
Sandy
-
1841 ISR Backup/Load Balancing
Hi All,
I'm about to purchase an 1841 ISR with a HWIC-4ESW (4-port switch). On each of the two built-in F/E ports I'm going to put a DSL link with static IPs from different ISPs. Can I set up F/E 1 to perform backup/load balancing for F/E 0? Will basic EIGRP routing work in this scenario?
Thanks in advance,
Don
Hi
HWIC-4ESW ports act as normal switch ports like those available in the switches.
You won't be able to assign IPs to the F/E ports; instead you can create SVIs and assign the IPs to them.
Also, when it comes to load balancing you can have 2 equal-cost routes which take care of that, but if you want to have redundancy then better consider making use of the tracking feature, since the F/E port will remain up even though you have some problems with the line.
In this case, with 2 equal-cost routes the traffic through the faulty link will be blackholed (dropped).
regds
-
Problems with adding IOS IPS to IPS MC
Hi,
We are having problems in adding Cisco IOS IPS (Running on Cisco 1701,12.3(14)T2) into IPS-MC (Version: 2.1.0).
The IPS MC is able to create the Trust Point on the Router and the Router is also able to download the IPS-MC certificate chain. However after that the process fails with the error
++++++++++++++++++++
Import of sensor x.x.x.x failed.
Error : Error importing configuration files from the sensor - Unable to import sensor config from IOS IPS: null
++++++++++++++++++++
Any ideas ?
Thanks \\ Naman
I am having the same issue and have had a TAC case open for several days, with 1841 and 2811s, same software and IOS.
It works with advipservices but not with advsecurity.
-
Hello Guys
I am trying to install AIM-IPS-K9 on my Cisco router 1841. Actually I need this only for lab and practice for the IPS, and I am worried whether I will need any license to be able to use the IPS.
Thank you very much in advance for your help
-
Hi
I have a problem to initialize AIM-IPS.
I'm thinking it's problem with BOOTLOADER FILE.
ROUTER#service-module ids-Sensor 0/0 session
[Resuming connection 2 to 10.1.9.1 ... ]
ServicesEngine MFG Failsafe boot-loader > show
IP addr: 10.1.9.2
Netmask: 255.255.255.0
TFTP Server: 10.1.9.1
GW IP adr: 10.1.9.1
eth int: octeth1
Number cores: 2
Default boot: disk
MFG Failsafe Bootloader Version: 1.1.7
Failsafe Bootloader File: pse_mfg_failsafe_1.1.7.bin
Default Bootloader File:
MiniKernel: mini_kernel_1.1.7.64.bz2
ServicesEngine MFG Failsafe boot-loader >
I can't find DEFAULT BOOTLOADER FILE on Cisco's site.
In the documentation I found this information:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_obtaining_software.html
Bootloader As needed bl AIM-IPS pse_aim_x.y.z.bin (where x, y, z is the release number)
Can anybody help me ?
Peter
Ok, a little more detail:
IPS Software: 7.0(4) E4
I removed the zone firewall and all VPN configuration from the router and now have a 1841 with a pretty minimal config.
With only NAT, no firewall, no routing protocols, no IPS, it runs a pretty constant 60 Mbit/s throughput between an inside and an outside host (using iperf).
Insert the ids-service-module monitor on either (or both) interfaces and the throughput drops from 60 Mbit/s to 20 Mbit/s.
Interestingly, the throughput stays the same even with both FastEthernet interfaces configured for the IPS, i.e. it never drops below 20 Mbit/s.
The router CPU is at 85% (with and without the IPS enabled).
The IPS module inspection load is constant at about 22%
Any thoughts?
Thanks!!