Published June 11, 2018

CCNP-ISCW-v5.0 Lab 6-4: Configuring IPS with CLI


Lab6-4.net file for Dynamips:

##################################################
#
# CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
# Lab 6.4 Configuring IPS with CLI
# By Happy Peter  http://blog.xuite.net/juilin77/happy
#
##################################################

autostart=false
[localhost:7200]
 workingdir = /opt/dynamips/dynagen-0.11.0/UTS/CCNP2/Lab6-4/workingconfig

[[3725]]
# Specify 3725 IOS image on Linux here:
 image = /opt/dynamips/images/c3725-ad.bin
 ram = 256
 idlepc =0x60bf8d58
 mmap = true
 ghostios = true
 confreg = 0x2102

###########################
#
# Define router instances 1
#
###########################
 
[[Router TRUSTED]]
 model = 3725
 console = 2001
 slot1 = NM-4T

[[Router FW]]
 model = 3725
 console = 2002
 slot1 = NM-4T
 s1/0 = TRUSTED s1/0
 s1/1 = UNTRUSTED s1/1

[[Router UNTRUSTED]]
 model = 3725
 console = 2003
 slot1 = NM-4T


Scenario:
In this lab, you will configure the Cisco IOS Intrusion Prevention System (IPS), which is part of the Cisco IOS Firewall feature set.
In this scenario, TRUSTED represents a trusted inside router,
FW represents a router serving as an intrusion prevention router,
and UNTRUSTED represents an untrusted outside router.


Objectives
‧ Configure Cisco IOS IPS on an interface
‧ Disable unwanted IPS signatures
‧ Verify IPS settings


Basic Configuration:
enable
configure terminal
!
no ip domain lookup
!
line console 0
 logging synchronous
 exec-timeout 0 0
!
! set the hostname to TRUSTED, FW or UNTRUSTED, as appropriate for each router
hostname <name>


Step 1: Configure Addressing
TRUSTED(config)#interface serial 1/0
TRUSTED(config-if)#ip address 192.168.12.1 255.255.255.0
TRUSTED(config-if)#clock rate 64000
TRUSTED(config-if)#no shutdown

FW(config)#interface serial 1/0
FW(config-if)#ip address 192.168.12.2 255.255.255.0
FW(config-if)#no shutdown
FW(config)#interface serial 1/1               
FW(config-if)#clock rate 64000                   
FW(config-if)#ip address 192.168.23.2 255.255.255.0
FW(config-if)#no shutdown

UNTRUSTED(config)#interface serial 1/1
UNTRUSTED(config-if)#ip address 192.168.23.3 255.255.255.0
UNTRUSTED(config-if)#no shutdown


Step 2: Configure Static Default Routes
On the TRUSTED and UNTRUSTED routers, configure static default routes directing traffic to unknown destinations to be forwarded to the FW router.
TRUSTED(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.2

UNTRUSTED(config)#ip route 0.0.0.0 0.0.0.0 192.168.23.2


Step 3: Create and Apply an IPS rule
FW(config)#ip ips name myips

Note:
1. Although it is not used in this lab, to create an IPS rule that inspects only certain traffic (selected with an access list), use the ip ips name <name> list <acl> command in global configuration mode.
2. In a production environment you would normally load a signature definition file (SDF) with the ip ips sdf location <location> command in global configuration mode, where location is a URL the router can reach, such as flash:128MB.sdf for a file named 128MB.sdf in the router's flash memory. No SDF is specified in this lab, so FW falls back to the signatures built into the IOS image.


Apply the rule inbound on Serial1/1, the interface facing UNTRUSTED, so that traffic entering from the untrusted side is inspected before it is routed towards TRUSTED. Traffic in the other direction (TRUSTED to UNTRUSTED) is not inspected by this rule.
FW(config)#interface serial 1/1
FW(config-if)#ip ips myips in
FW(config-if)#
*Mar  1 00:10:46.431: %IPS-6-ENGINE_BUILDS_STARTED:  00:10:46 UTC Mar 1 2002
*Mar  1 00:10:46.435: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
*Mar  1 00:10:46.447: %IPS-6-ENGINE_READY: atomic-ip - build time 12 ms - packets for this engine will be scanned
*Mar  1 00:10:46.447: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 16 ms
FW(config-if)#


Step 4: Modify Default IPS Behavior
From UNTRUSTED, ping TRUSTED with a high repeat count.

UNTRUSTED#ping 192.168.12.1 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 4/9/32 ms
UNTRUSTED#


FW#
*Feb 19 09:30:47.323: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0]
*Feb 19 09:30:47.379: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0]
*Feb 19 09:30:47.435: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0]
......

Notice the log messages on FW: signature 2004 (ICMP Echo Request) fired for each echo request that arrived on Serial1/1. Notice also that the ping still succeeded (100/100): with this configuration the rule alerts but does not drop, so each message describes a packet that had already been forwarded on to TRUSTED. To disable a signature that is generating unwanted alerts, use the ip ips signature number disable command in global configuration mode. Signature 2004 is the one that flagged the ICMP echo requests in the output above, so it is the one to disable here; keep in mind that once it is disabled, echo-request sweeps from the untrusted side will no longer be logged at all.
FW(config)# ip ips signature 2004 disable
%IPS Signature 2004:0 is disabled

Ping TRUSTED from UNTRUSTED again. You do not need a high repeat count this time: signature 2004 no longer matches, so there will be no summary messages on FW (there are no matches to summarize). Confirm the change with show ip ips configuration on FW, which lists the IPS rule, the interface it is applied to in the inbound direction, and signature 2004:0 as disabled.
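The %IPS-4-SIGNATURE lines above are what a syslog collector downstream of FW would receive, and since the rule only alerts, any response has to be driven from those lines. The following is an added example, not part of the lab manual or the original post: a small Python parser for the alert format shown on this page, with a per-signature count (the view you use to decide which signatures to tune or disable) and a sliding-window check that flags a source sending bursts of echo requests. The sample log is constructed: the first three lines are the ones FW printed in the lab, the fourth (a second source, 192.168.23.9) and fifth (a non-alert engine message) are made up to exercise the parser. The threshold and window values are assumptions chosen for the sample, not Cisco defaults.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: the three %IPS-4-SIGNATURE lines FW printed in the
# lab, plus two constructed lines (a second source 192.168.23.9 and one
# non-signature engine message) to exercise the parser. Not real captured data.
SAMPLE_LOG = """\
*Feb 19 09:30:47.323: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0]
*Feb 19 09:30:47.379: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0]
*Feb 19 09:30:47.435: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0]
*Feb 19 09:30:51.102: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.9:0 -> 192.168.12.1:0]
*Feb 19 09:30:52.010: %IPS-6-ENGINE_READY: atomic-ip - build time 12 ms - packets for this engine will be scanned
"""

# Field layout of an IOS IPS alert line as shown on the page:
#   <timestamp>: %IPS-4-SIGNATURE: Sig:<id> Subsig:<n> Sev:<n> <name> [<src>:<port> -> <dst>:<port>]
ALERT_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d+): %IPS-4-SIGNATURE: "
    r"Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) (?P<name>.+?) "
    r"\[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]$"
)


@dataclass(frozen=True)
class IpsAlert:
    ts: datetime
    sig: int
    subsig: int
    sev: int
    name: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_ips_alerts(text):
    """Return the %IPS-4-SIGNATURE alerts in `text`; other syslog lines are skipped.

    IOS timestamps carry no year, so the parsed datetimes are only good for
    relative ordering and window arithmetic, which is all this example needs.
    """
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        alerts.append(IpsAlert(
            ts=datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f"),
            sig=int(m["sig"]), subsig=int(m["subsig"]), sev=int(m["sev"]),
            name=m["name"], src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
        ))
    return alerts


def count_by_signature(alerts):
    """Alert volume per (sig, subsig): the view used to decide what to tune or disable."""
    return Counter((a.sig, a.subsig) for a in alerts)


def find_burst_sources(alerts, sig=2004, threshold=3, window_s=2.0):
    """Sources that triggered `sig` at least `threshold` times inside any
    `window_s`-second sliding window. Returns {src: peak count in one window}.
    threshold/window_s are assumed values for this example, not Cisco defaults.
    """
    stamps_by_src = defaultdict(list)
    for a in alerts:
        if a.sig == sig:
            stamps_by_src[a.src].append(a.ts)
    flagged = {}
    for src, stamps in stamps_by_src.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            # slide the window start forward until it lies within window_s of t
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    alerts = parse_ips_alerts(SAMPLE_LOG)
    print(count_by_signature(alerts))
    print(find_burst_sources(alerts))
```

Run against the sample, the burst check flags 192.168.23.3 (three echo-request alerts in 112 ms) and ignores 192.168.23.9, which sent only one. Feeding the same function a live syslog stream is the piece that turns an alert-only IPS rule into something a responder can act on; disabling signature 2004 on FW, as the lab does next, also removes this signal, so decide which you want.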


Final Configurations
TRUSTED:
hostname TRUSTED
!
no ip domain lookup
!
interface Serial1/0
 ip address 192.168.12.1 255.255.255.0
 serial restart-delay 0
 clock rate 64000
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.12.2
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
end

FW:
hostname FW
!
no ip domain lookup
ip ips name myips
!
interface Serial1/0
 ip address 192.168.12.2 255.255.255.0
 no shutdown
!
interface Serial1/1
 ip address 192.168.23.2 255.255.255.0
 ip ips myips in
 clock rate 64000
 no shutdown
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
end

UNTRUSTED:
hostname UNTRUSTED
!
no ip domain lookup
!
interface Serial1/1
 ip address 192.168.23.3 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.23.2
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
end


Reference:
Cisco Networking Academy
http://www.cisco.com/web/learning/netacad/index.html

CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
Student Lab Manual


First published / last updated: 2008.09.27 / 2018.06.11
