cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7389
Views
0
Helpful
6
Replies

How can I test my IPS?

Andy White
Level 3
Level 3

Hello,

I have 2 5520 ASA's in Active/standby mode, they both have the AIP-10 modules installed with 7.0(6).E4 installed.

How can I test it is all working can I fire any test scripts through the ASA to trigger an alert and se that it gets blocked?

Also how do I keep these to IPS modules in sync?  I have to mak changes on one then the other all the time.

Thanks                  

6 Replies 6

Jennifer Halim
Cisco Employee
Cisco Employee

To test the IPS functionality, you can enable signature# 2000 (echo-reply) and 2004 (echo-request) and ping across the ASA. You should get those 2 triggered as a test.

With the IPS modules in ASA active/standby mode, unfortunately the configuration will not be sync automatically and there is a bit of manual work involved to get the config synchronized. The IPS modules are standalone unfortunately.

Also make sure the signatures 2000 and 2004 are un retired besides enabling them. In recent versions they have been retired.

qssp-8083(config-sig-sig)# stat

qssp-8083(config-sig-sig-sta)# sh set

   status

   -----------------------------------------------

      enabled: false

      retired: true

Madhu

We can't use teh echo one for testing as we have soem important monitoring servers that will have issues, is there any other way we can test if the IPS modules are blocking?

You can create custom signature and block for example telnet traffic going through the ASA. You just have to specify the TCP port within the custom signature. Or you can configure any other ports for testing purposes.

To create a custom rule for Telnet can I use the Cisco IPS ME?  I woudl like to block 192.168.9.11 from telnetting to 172.30.1.1?

Thanks

You can create a custom signature (engine string TCP), and specify telnet port, and configure regex. When it detected the regex settings that you specify, it will trigger the signature.

Review Cisco Networking for a $25 gift card