Lab6-4.net file for Dynamips:
##################################################
#
# CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
# Lab 6.4 Configuring IPS with CLI
# By Happy Peter http://blog.xuite.net/juilin77/happy
#
##################################################
autostart=false
[localhost:7200]
workingdir = /opt/dynamips/dynagen-0.11.0/UTS/CCNP2/Lab6-4/workingconfig
[[3725]]
# Specify 3725 IOS image on Linux here:
image = /opt/dynamips/images/c3725-ad.bin
ram = 256
idlepc = 0x60bf8d58
mmap = true
ghostios = true
confreg = 0x2102
###########################
#
# Define router instances 1
#
###########################
[[Router TRUSTED]]
model = 3725
console = 2001
slot1 = NM-4T
[[Router FW]]
model = 3725
console = 2002
slot1 = NM-4T
s1/0 = TRUSTED s1/0
s1/1 = UNTRUSTED s1/1
[[Router UNTRUSTED]]
model = 3725
console = 2003
slot1 = NM-4T
Scenario:
In this lab, you will configure the Cisco IOS Intrusion Prevention System (IPS), which is part of the Cisco IOS Firewall feature set.
In this scenario, TRUSTED represents a trusted inside router, FW represents a router serving as an intrusion prevention router, and UNTRUSTED represents an untrusted outside router.
Objectives
‧ Configure Cisco IOS IPS on an interface
‧ Disable unwanted IPS signatures
‧ Verify IPS settings
Basic Configuration:
enable
configure terminal
!
no ip domain lookup
!
line console 0
logging synchronous
exec-timeout 0 0
!
hostname *
(replace * with TRUSTED, FW, or UNTRUSTED on the respective router)
Step 1: Configure Addressing
TRUSTED(config)#interface serial 1/0
TRUSTED(config-if)#ip address 192.168.12.1 255.255.255.0
TRUSTED(config-if)#clock rate 64000
TRUSTED(config-if)#no shutdown
FW(config)#interface serial 1/0
FW(config-if)#ip address 192.168.12.2 255.255.255.0
FW(config-if)#no shutdown
FW(config)#interface serial 1/1
FW(config-if)#clock rate 64000
FW(config-if)#ip address 192.168.23.2 255.255.255.0
FW(config-if)#no shutdown
UNTRUSTED(config)#interface serial 1/1
UNTRUSTED(config-if)#ip address 192.168.23.3 255.255.255.0
UNTRUSTED(config-if)#no shutdown
Step 2: Configure Static Default Routes
On the TRUSTED and UNTRUSTED routers, configure static default routes directing traffic to unknown destinations to be forwarded to the FW router.
TRUSTED(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.2
UNTRUSTED(config)#ip route 0.0.0.0 0.0.0.0 192.168.23.2
Step 3: Create and Apply an IPS rule
FW(config)#ip ips name myips
Note:
1. Although it will not be used in this lab, to create an IPS rule that only operates on certain traffic (specified with an access list), you would use the ip ips name name list list command in global configuration mode, where the second list is the number or name of the access list.
2. In a production environment, you might want to specify an SDF file using the ip ips sdf location location command in global configuration mode, where location is a path relative to the router, such as “flash:128MB.sdf”, which indicates that the SDF file named “128MB.sdf” in the router’s flash memory will be used.
FW(config)#interface serial 1/1
FW(config-if)#ip ips myips in
FW(config-if)#
*Mar 1 00:10:46.431: %IPS-6-ENGINE_BUILDS_STARTED: 00:10:46 UTC Mar 1 2002
*Mar 1 00:10:46.435: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
*Mar 1 00:10:46.447: %IPS-6-ENGINE_READY: atomic-ip - build time 12 ms - packets for this engine will be scanned
*Mar 1 00:10:46.447: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 16 ms
FW(config-if)#
Step 4: Modify Default IPS Behavior
From UNTRUSTED, ping TRUSTED with a high repeat count.
UNTRUSTED#ping 192.168.12.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 4/9/32 ms
UNTRUSTED#
FW#
*Feb 19 09:30:47.323: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0]
*Feb 19 09:30:47.379: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0]
*Feb 19 09:30:47.435: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0]
......
Notice the log messages on FW. Signature 2004 is the signature that detected the potential Internet Control Message Protocol (ICMP) attack shown in the output above. To disable a signature on a router, use the ip ips signature number disable command in global configuration mode.
FW(config)# ip ips signature 2004 disable
%IPS Signature 2004:0 is disabled
If you repeat the ping from UNTRUSTED, you do not need a high repeat count, because there will be no summary messages (there will not be any matches to begin with).
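When the IPS rule is applied on a real router, the %IPS-4-SIGNATURE messages shown above arrive on the console or a syslog server, and the decision to disable a signature such as 2004 is usually made after seeing how often it fires and from where. The following parser is an added example, not part of the lab manual or of any Cisco tool; its sample log lines are constructed after the FW output above, with one unrelated %SYS line to show that non-IPS messages are ignored.

```python
import re
from collections import Counter

# Regex for the %IPS-4-SIGNATURE syslog lines FW prints when a signature
# fires, in the field order seen in the lab output above.
IPS_SIG_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) "
    r"Sev:(?P<sev>\d+) (?P<name>.+?) "
    r"\[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
)

# Constructed sample: three lines modelled on the FW console output in
# Step 4 plus one non-IPS line that the parser must skip.
SAMPLE_LOG = """\
*Feb 19 09:30:47.323: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0]
*Feb 19 09:30:47.379: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0]
*Feb 19 09:30:47.435: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0]
*Feb 19 09:30:48.001: %SYS-5-CONFIG_I: Configured from console by console
"""

def parse_ips_events(text):
    """Return one dict per %IPS-4-SIGNATURE line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = IPS_SIG_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("sig", "subsig", "sev", "sport", "dport"):
                d[k] = int(d[k])
            events.append(d)
    return events

def count_by_signature_and_source(events):
    """Count (sig, subsig, src) tuples so one noisy source stands out."""
    return Counter((e["sig"], e["subsig"], e["src"]) for e in events)

def sources_over_threshold(events, threshold):
    """Sources whose total alert count, over all signatures, meets threshold."""
    per_src = Counter(e["src"] for e in events)
    return sorted(s for s, n in per_src.items() if n >= threshold)

if __name__ == "__main__":
    evs = parse_ips_events(SAMPLE_LOG)
    for (sig, subsig, src), n in count_by_signature_and_source(evs).items():
        print(f"Sig {sig}:{subsig} from {src}: {n} alerts")
    print("noisy sources:", sources_over_threshold(evs, 3))
```

The per-signature counts are what you would look at before deciding that 2004 is noise on this link rather than disabling it for the whole router blindly.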
Final Configurations
TRUSTED:
hostname TRUSTED
!
no ip domain lookup
!
interface Serial1/0
ip address 192.168.12.1 255.255.255.0
serial restart-delay 0
clock rate 64000
no shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.12.2
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
FW:
hostname FW
!
no ip domain lookup
ip ips name myips
!
interface Serial1/0
ip address 192.168.12.2 255.255.255.0
no shutdown
!
interface Serial1/1
ip address 192.168.23.2 255.255.255.0
ip ips myips in
clock rate 64000
no shutdown
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
UNTRUSTED:
hostname UNTRUSTED
!
no ip domain lookup
!
interface Serial1/1
ip address 192.168.23.3 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.23.2
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
Reference:
Cisco Networking Academy
http://www.cisco.com/web/learning/netacad/index.html
CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
Student Lab Manual
First published / Last updated: 2008.09.27 / 2018.06.11