From: Scott, Tyson C (tyson.scott@hp.com)
Date: Wed May 11 2005 - 13:44:08 GMT-3
Sorry for the off-topic post, but I have read everything I can on Cisco's
website and cannot get a configuration to work. Essentially, remote
VPN users are unable to get to web sites when I enable the inbound
Intrusion Prevention System on the router. I created an ACL associated
with the IPS configuration to tell it to ignore traffic coming in from
the VPN users, but users are still unable to access the websites.

Here is an outline of the configuration; any help would be greatly
appreciated. One note is that when the VPN users come into the router I
am policy routing the traffic to the loopback interface to send it back
out through the outside interface. Otherwise it was not NATing the
traffic.
ip ips sdf location flash://sdmips.sdf
ip ips sdf location flash:attack-drop.sdf
ip ips notify SDEE
ip ips po max-events 100
ip ips name TEST list 101
!
interface FastEthernet0/1
 description $FW_OUTSIDE$
 bandwidth 3000
 ip address x.x.x.30 255.255.255.248
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip ips TEST in
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map VPN_CLIENT
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 crypto map REM_VPN_CLT
!
access-list 101 permit udp host x.x.x.132 eq domain host x.x.x.30
access-list 101 permit udp host x.x.x.131 eq domain host x.x.x.30
access-list 101 remark Auto generated by SDM for NTP (123) x.x.x.28
access-list 101 permit udp host x.x.x.28 eq ntp host x.x.x.30 eq ntp
access-list 101 remark Auto generated by SDM for NTP (123) x.x.x.29
access-list 101 permit udp host x.x.x.29 eq ntp host x.x.x.30 eq ntp
access-list 101 permit ahp any host x.x.x.30
access-list 101 permit esp any host x.x.x.30
access-list 101 permit udp any host x.x.x.30 eq isakmp
access-list 101 permit udp any host x.x.x.30 eq non500-isakmp
access-list 101 permit ip 192.168.46.192 0.0.0.63 any
access-list 101 deny ip 192.168.45.0 0.0.0.255 any
access-list 101 permit icmp any host x.x.x.30 echo-reply
access-list 101 permit icmp any host x.x.x.30 time-exceeded
access-list 101 permit icmp any host x.x.x.30 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.x.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
!
route-map VPN_CLIENT permit 10
 match ip address CLIENT_RANGE
 set interface Loopback0
!
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:57 GMT-3