
PT Activity: Configure IOS Intrusion Prevention System (IPS) using CLI

Topology Diagram

Addressing Table

Device         Interface       IP Address      Subnet Mask       Default Gateway
R1             FA0/0           192.168.1.1     255.255.255.0     N/A
               S0/0/0          10.1.1.1        255.255.255.0     N/A
R2             S0/0/0 (DCE)    10.1.1.2        255.255.255.0     N/A
               S0/0/1 (DCE)    10.2.2.1        255.255.255.0     N/A
R3             FA0/0           192.168.3.1     255.255.255.0     N/A
               S0/0/0          10.2.2.2        255.255.255.0     N/A
Syslog Server  NIC             192.168.1.50    255.255.255.0     192.168.1.1
PC-A           NIC             192.168.1.2     255.255.255.0     192.168.1.1
PC-C           NIC             192.168.3.2     255.255.255.0     192.168.3.1

Learning Objectives
• Enable IOS IPS.
• Configure logging.
• Modify an IPS signature.
• Verify IPS.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 4
CCNA Security

Introduction
Your task is to configure router R1 for IPS in order to inspect traffic entering the 192.168.1.0 network.
The server labeled 'Syslog Server' is used to log IPS messages. You must configure the router to identify the
syslog server so that it receives the logging messages. Displaying the correct time and date in syslog messages is
vital when using syslog to monitor the network, so set the clock and enable the timestamp service for logging on the
routers. Finally, configure IPS to produce an alert and drop ICMP echo request packets inline.
The server and PCs have been preconfigured. The routers have also been preconfigured with the following:
• Enable password: ciscoenpa55
• Console password: ciscoconpa55
• VTY line password: ciscovtypa55
• EIGRP 101

Task 1: Enable IOS IPS


Note: Within Packet Tracer, the routers already have the signature files imported and in place. They are the
default xml files in flash. For this reason, it is not necessary to configure the public crypto key and
complete a manual import of the signature files.

Step 1. Verify network connectivity.


• Ping from PC-C to PC-A. The ping should be successful.
• Ping from PC-A to PC-C. The ping should be successful.

Step 2. Create an IOS IPS configuration directory in flash.


On R1, create a directory in flash using the mkdir command. Name the directory ipsdir.
R1#mkdir ipsdir
Create directory filename [ipsdir]? <Enter>
Created dir flash:ipsdir

Step 3. Configure the IPS signature storage location.


On R1, configure the IPS signature storage location to be the directory you just created.
R1(config)#ip ips config location flash:ipsdir

Step 4. Create an IPS rule.


On R1, create an IPS rule name using the ip ips name name command in global configuration mode. Name
the IPS rule iosips.
R1(config)# ip ips name iosips

Step 5. Enable logging.


IOS IPS supports the use of syslog to send event notification. Syslog notification is enabled by default. If
logging console is enabled, you see IPS syslog messages.
Enable syslog if it is not enabled.
R1(config)# ip ips notify log
Use the clock set command from privileged EXEC mode to reset the clock if necessary.
R1# clock set 01:20:00 6 january 2009
Verify that the timestamp service for logging is enabled on the router using the show run command. Enable the
timestamp service if it is not enabled.


R1(config)# service timestamps log datetime msec


Send log messages to the Syslog server at IP address 192.168.1.50.
R1(config)# logging host 192.168.1.50

Step 6. Configure IOS IPS to use the signature categories.


Retire the all signature category with the retired true command. This retires every signature in the signature
release, so that only the categories you explicitly unretire are loaded into memory. Then unretire the ios_ips basic
category with the retired false command. Category statements are applied in the order they are configured, so the
all statement must come first; entering it after the basic statement would retire the basic signatures again.
R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired true
R1(config-ips-category-action)# exit
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
Do you want to accept these changes? [confirm] <Enter>

Step 7. Apply the IPS rule to an interface.


Apply the IPS rule to an interface with the ip ips name direction command in interface configuration
mode. Apply the rule outbound on the Fa0/0 interface of R1. After you enable IPS, some log messages will be
sent to the console line indicating that the IPS engines are being initialized.
Note: The direction in means that IPS inspects only traffic going into the interface. Similarly, out means only
traffic going out the interface.
R1(config)# interface fa0/0
R1(config-if)# ip ips iosips out

Task 2: Modify the Signature


Step 8. Change the event-action of a signature.
Unretire the ICMP echo request signature (signature 2004, subsig ID 0), enable it, and set its event actions to
produce-alert and deny-packet-inline, so that a matching echo request is both logged and dropped inline.
R1(config)# ip ips signature-definition
R1(config-sigdef)# signature 2004 0
R1(config-sigdef-sig)# status
R1(config-sigdef-sig-status)# retired false
R1(config-sigdef-sig-status)# enabled true
R1(config-sigdef-sig-status)# exit
R1(config-sigdef-sig)# engine
R1(config-sigdef-sig-engine)# event-action produce-alert
R1(config-sigdef-sig-engine)# event-action deny-packet-inline
R1(config-sigdef-sig-engine)# exit
R1(config-sigdef-sig)# exit
R1(config-sigdef)# exit
Do you want to accept these changes? [confirm] <Enter>

Step 9. Use show commands to verify IPS.


Use the show ip ips all command to see an IPS configuration status summary.
To which interfaces and in which direction is the iosips rule applied? Fa 0/0 outbound.


Step 10. Verify that IPS is working properly.


From PC-C, attempt to ping PC-A. Were the pings successful? Why or why not?
The pings should fail. The echo requests from PC-C leave R1 on Fa0/0, where the iosips rule inspects outbound
traffic, and signature 2004 was set to deny-packet-inline, so each request is dropped before it reaches PC-A.
From PC-A, attempt to ping PC-C. Were the pings successful? Why or why not?
The pings should be successful. The echo requests from PC-A leave R1 on S0/0/0, where no IPS rule is applied. The
echo replies that PC-C sends back do cross Fa0/0 outbound, but signature 2004 covers only echo requests, so the
replies are not matched and are forwarded.
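The tuning in Steps 6 and 8 and the ping results in Step 10 follow from two rules: tuning statements are applied in order (a later category or per-signature statement overrides an earlier one), and a packet is only inspected on an interface and direction that carry an ip ips rule. The Python model below is an added example and is not part of the Cisco activity or of IOS. Its three-signature catalogue, the category membership, the "later statement wins" ordering and the produce-alert default action are assumptions made for the model; a real router loads the full signature package from flash:ipsdir. The functions resolve_policy, inspect and lab_ping_results are names chosen here.

```python
"""Model of the IOS IPS policy built in this lab (added example, not Cisco code)."""
from dataclasses import dataclass, field

# Constructed mini catalogue: sig id -> (name, categories, ICMP type it matches).
# Membership is an assumption for the model, not the real signature package.
CATALOGUE = {
    2000: ("ICMP Echo Reply", {"all"}, 0),
    2004: ("ICMP Echo Request", {"all"}, 8),
    2005: ("ICMP Time Exceeded", {"all", "ios_ips basic"}, 11),
}

# Tuning statements in the order the lab enters them.
LAB_TUNING = [
    ("category", "all", True),             # Step 6: category all / retired true
    ("category", "ios_ips basic", False),  # Step 6: category ios_ips basic / retired false
    ("signature", 2004, False, True, {"produce-alert", "deny-packet-inline"}),  # Step 8
]

# Step 7: the only IPS rule on R1, keyed by (interface, direction).
IPS_RULES = {("FastEthernet0/0", "out"): "iosips"}


@dataclass
class SigState:
    retired: bool = True      # assumed package default before tuning
    enabled: bool = True
    actions: set = field(default_factory=lambda: {"produce-alert"})  # assumed default action


def resolve_policy(tuning):
    """Apply category and per-signature statements in order; later statements win."""
    state = {sig: SigState() for sig in CATALOGUE}
    for stmt in tuning:
        if stmt[0] == "category":
            _, name, retired = stmt
            for sig, (_, cats, _) in CATALOGUE.items():
                if name in cats:
                    state[sig].retired = retired
        else:
            _, sig, retired, enabled, actions = stmt
            state[sig] = SigState(retired, enabled, set(actions))
    return state


def r1_interface(ip):
    """R1 interface facing an address (addressing table; 192.168.3.0/24 is reached via R2)."""
    return "FastEthernet0/0" if ip.startswith("192.168.1.") else "Serial0/0/0"


def inspect(packet, policy):
    """Return (verdict, alerts) for an ICMP packet R1 forwards: keys src, dst, icmp_type."""
    legs = [(r1_interface(packet["src"]), "in"), (r1_interface(packet["dst"]), "out")]
    if not any(leg in IPS_RULES for leg in legs):
        return "forward (not inspected)", []
    verdict, alerts = "forward", []
    for sig, (name, _, icmp_type) in CATALOGUE.items():
        s = policy[sig]
        if s.retired or not s.enabled or icmp_type != packet["icmp_type"]:
            continue
        if "produce-alert" in s.actions:
            alerts.append(f"Sig:{sig} Subsig:0 {name} [{packet['src']} -> {packet['dst']}]")
        if "deny-packet-inline" in s.actions:
            verdict = "drop"
    return verdict, alerts


def lab_ping_results(policy):
    """Predict the two Step 10 pings as seen by R1."""
    pc_a, pc_c = "192.168.1.2", "192.168.3.2"
    results = {}
    # PC-C -> PC-A: the echo request leaves R1 on Fa0/0 outbound and is inspected.
    results["PC-C pings PC-A"] = inspect({"src": pc_c, "dst": pc_a, "icmp_type": 8}, policy)[0]
    # PC-A -> PC-C: the request leaves on S0/0/0 (no rule); only the reply crosses Fa0/0 outbound.
    req = inspect({"src": pc_a, "dst": pc_c, "icmp_type": 8}, policy)[0]
    rep = inspect({"src": pc_c, "dst": pc_a, "icmp_type": 0}, policy)[0]
    results["PC-A pings PC-C"] = "drop" if "drop" in (req, rep) else "success"
    return results


if __name__ == "__main__":
    policy = resolve_policy(LAB_TUNING)
    for sig, s in policy.items():
        print(sig, CATALOGUE[sig][0], "retired" if s.retired else "active", sorted(s.actions))
    print(lab_ping_results(policy))
```

Swapping the two category statements in LAB_TUNING leaves every signature retired, which is the ordering point made in Step 6; a Time Exceeded packet sent toward 192.168.1.0 is alerted but still forwarded, because its signature keeps the produce-alert default and never received deny-packet-inline.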

Step 11. View the Syslog messages.


Click on the Syslog server. Select the Config tab. In the left navigation menu, select SYSLOG to view the log
file.
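Once the syslog server is receiving the alerts, the useful checks are that every alert carries the timestamp from Step 5 and that the alerts come from the expected signature and flow. The parser below is an added example and is not part of the Cisco activity. The alert layout it expects (Sig/Subsig/Sev, the signature name, then [src:type -> dst:code] for ICMP) is the IOS IPS %IPS-4-SIGNATURE message format as assumed here; the log lines are constructed, not captured from a device, and the third one deliberately lacks the timestamp that service timestamps log datetime msec adds. parse_ips_events and summarize are names chosen here.

```python
"""Parse %IPS-4-SIGNATURE alerts as seen on the syslog server (added example, not Cisco code)."""
import re
from collections import Counter

# Constructed sample lines in the assumed IOS IPS alert format; line 3 has no timestamp.
SAMPLE_LOG = """\
*Jan  6 01:21:02.115: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.3.2:8 -> 192.168.1.2:0] VRF:NONE RiskRating:25
*Jan  6 01:21:03.119: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.3.2:8 -> 192.168.1.2:0] VRF:NONE RiskRating:25
%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.3.2:8 -> 192.168.1.2:0] VRF:NONE RiskRating:25
*Jan  6 01:21:30.004: %SYS-5-CONFIG_I: Configured from console by console
"""

# Optional "datetime msec" stamp, then the IPS alert fields; for ICMP the port slots carry type and code.
ALERT_RE = re.compile(
    r"^(?:\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?): )?"
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
)


def parse_ips_events(text):
    """Return one dict per IPS alert; lines from other facilities are ignored."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        for k in ("sig", "subsig", "sev", "sport", "dport"):
            e[k] = int(e[k])
        e["timestamped"] = e["ts"] is not None   # missing stamp => Step 5 was skipped on that router
        events.append(e)
    return events


def summarize(events):
    """Count alerts per (signature, source, destination) and flag untimestamped ones."""
    counts = Counter((e["sig"], e["src"], e["dst"]) for e in events)
    untimestamped = sum(1 for e in events if not e["timestamped"])
    return {"by_flow": dict(counts), "untimestamped": untimestamped}


if __name__ == "__main__":
    events = parse_ips_events(SAMPLE_LOG)
    for e in events:
        print(e["ts"], e["sig"], e["name"], e["src"], "->", e["dst"], "type", e["sport"])
    print(summarize(events))
```

For the lab, the expected picture is all alerts from Sig:2004 with source 192.168.3.2 (PC-C) and destination 192.168.1.2 (PC-A), and an untimestamped count of zero; any untimestamped alert points at a router where the timestamp service was not enabled.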

Step 12. Check results.


Your completion percentage should be 100%. Click Check Results to see feedback and verification of which
required components have been completed.
