
AIM IPS deployment; my module can't see the rtr

walter baziuk
Level 5

Hello

I am trying to deploy an AIM-IPS inside a 2811 rtr. The module is seen by the rtr and I can log into the AIM-IPS module.

I have followed Cisco's recommendation by NOT giving the inside interface an address and have used ip unnumbered.

  • I can log into the AIM-IPS, see the config and make changes.
  • I can't get new signatures in, since I don't have a license file
  • I can't get the license file installed as the AIM-IPS can "see out"
  • I can't even ping the RTR from the AIM-IPS
  • I can't ping the AIM-IPS from the RTR

The AIM-IPS is bound to the same subnet and interface as the internal address.

Anyone have any suggestions?

Any tips for a successful deployment?

Below are the config details from the rtr and AIM-IPS

cheers

walter

--------------------

IOS 124-24.T1

** Partial rtr config

#sh inv
NAME: "Cisco Intrusion Prevention System AIM in AIM slot: 0", DESCR: "Cisco Intrusion Prevention System AIM"
PID: AIM-IPS-K9        , VID: V03 , SN: xxx

interface IDS-Sensor0/0
 ip unnumbered GigabitEthernet0/3/0.1
 ip nbar protocol-discovery
 service-module fail-open
 hold-queue 60 out

interface GigabitEthernet0/3/0.1
 description Data Vlan $FW_INSIDE$
 encapsulation dot1Q 1 native
 ip address 192.168.200.1 255.255.255.128
 ip access-group 100 in
 ip access-group sdm_fastethernet0/0.1_out out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly

ip route 182.168.200.99 255.255.255.255 IDS-Sensor0/0

** AIM IPS config

sh config
! ------------------------------
! Current configuration last modified Tue Aug 30 19:58:58 2011
! ------------------------------
! Version 7.0(2)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S425.0   2009-08-17
!     Virus Update        V1.4     2007-03-02
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 192.168.200.99/25,192.168.200.1
host-name aim-ips
telnet-option disabled
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service analysis-engine
exit

aim-ips#
aim-ips# ping 192.168.200.1
PING 192.168.200.1 (192.168.200.1): 56 data bytes
--- 192.168.200.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
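An ip unnumbered AIM-IPS deployment depends on three values agreeing: the sensor's host-ip must sit in the subnet of the interface named in ip unnumbered, its gateway must be that interface's address, and the router's /32 static route to the IDS-Sensor interface must point at the sensor's host-ip. The following Python script is an added troubleshooting aid (not part of the post and not a Cisco tool) that cross-checks those values from the two config excerpts quoted above; it assumes IOS-style one-space indentation of interface sub-commands, and on the posted excerpts it reports that the static route destination does not match the sensor's host-ip.

```python
import ipaddress
import re

# Excerpts of the two configs posted above (router IOS, then AIM-IPS), with the
# one-space IOS indentation restored so interface sub-commands can be grouped.
ROUTER_CONFIG = """
interface IDS-Sensor0/0
 ip unnumbered GigabitEthernet0/3/0.1
interface GigabitEthernet0/3/0.1
 ip address 192.168.200.1 255.255.255.128
 ip access-group 100 in
ip route 182.168.200.99 255.255.255.255 IDS-Sensor0/0
"""
SENSOR_CONFIG = """
service host
network-settings
host-ip 192.168.200.99/25,192.168.200.1
"""


def parse_router(cfg):
    """Return (unnumbered source interface, its IPv4Interface, /32 route destination or None)."""
    source = re.search(r"ip unnumbered (\S+)", cfg).group(1)
    # Sub-commands of the source interface are the indented lines directly under it.
    m = re.search(rf"interface {re.escape(source)}\n(?: [^\n]*\n)*? ip address (\S+) (\S+)", cfg)
    iface = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    route = re.search(r"ip route (\S+) 255\.255\.255\.255 IDS-Sensor\S+", cfg)
    return source, iface, (ipaddress.IPv4Address(route.group(1)) if route else None)


def parse_sensor(cfg):
    """Return (sensor IPv4Interface, default gateway) from the AIM-IPS host-ip line."""
    ip_cidr, gateway = re.search(r"host-ip (\S+),(\S+)", cfg).groups()
    return ipaddress.IPv4Interface(ip_cidr), ipaddress.IPv4Address(gateway)


def check(router_cfg, sensor_cfg):
    """Return human-readable findings; an empty list means the two configs agree."""
    _, rtr_if, route_dst = parse_router(router_cfg)
    sensor_if, gateway = parse_sensor(sensor_cfg)
    findings = []
    if sensor_if.network != rtr_if.network:
        findings.append(f"sensor {sensor_if} is not on the source interface's {rtr_if.network}")
    if gateway != rtr_if.ip:
        findings.append(f"sensor gateway {gateway} is not the interface address {rtr_if.ip}")
    if route_dst is None:
        findings.append("no /32 static route to the sensor via the IDS-Sensor interface")
    elif route_dst != sensor_if.ip:
        findings.append(f"static route is for {route_dst} but the sensor host-ip is {sensor_if.ip}")
    return findings


if __name__ == "__main__":
    for line in check(ROUTER_CONFIG, SENSOR_CONFIG) or ["router and sensor configs agree"]:
        print(line)
```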

3 Replies

marcabal
Cisco Employee

You have access-lists applied to your GigabitEthernet0/3/0.1.

Do you have traffic to/from the sensor's 192.168.200.99 address permitted in these access lists?

hello:

I had nothing in the access lists that would deny traffic to/from the same subnet.

I have since added a specific rule for the AIM-IPS device, still no difference (;

I added this to the interface to ensure inter-VLAN traffic on the one-arm router would work:

no ip split-horizon

This did not have any effect w.r.t. the AIM-IPS.

I need to be able to upload the license file so that I can first update the signatures.

Any other suggestions?

update:

I was NEVER able to get this to work on a "one-arm router", regardless of which VLANs I used.

I sent a note to my Cisco SE as to why inter-VLAN routing does not work on 2800 & 3800 series ISR routers with traffic between VLANs that share the same physical link. Anyone ever get this to work?

I had a spare unused L3 physical i/f on the ISR router, so I tried this long shot:

  • I created a new /30 subnet,
  • plugged a cable into the i/f (just to get it to go up/up),
  • changed the AIM-IPS IP address to the new i/f's subnet,
  • added a static route to the new address for the AIM-IPS and pointed it at the new i/f.

VOILA, the AIM is now working.

Service modules summary:

  • do not support inter-VLAN routing between VLANs that share the same physical link.
  • work when placed on a separate physical i/f.

Anyone else get this to work without using a separate i/f?

If so, how and on which platform?
