cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
736
Views
28
Helpful
78
Replies
Highlighted

ASK THE EXPERT- TROUBLESHOOTING CISCO IDS/IPS

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn with Cisco expert Nadeem Khawaja about troubleshooting Cisco Intrusion Detection Systems and Intrusion Prevention Systems. Nadeem supports security related products, including Cisco Secure PIX Firewall, Cisco IOS Firewall, Cisco Secure Access Control Server UNIX & Windows NT and Cisco Secure Intrusion Systems at the Technical Assistance Center (TAC). He is a double CCIE (# 9069) in Routing & Switching and in Security.

 

Remember to use the rating system to let Nadeem know if you have received an adequate response.

 

Nadeem might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through June 17. Visit this forum often to view responses to your questions and the questions of other community members.

78 REPLIES 78
Beginner

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO IDS/IPS

Hi, I'm looking to configure my 2651xm as a stateful inspection firewall, VPN3000 server and IDS system. I realize that it may be too much to ask from one little router - therefore I'd like your input on this. Attached is my current config. I'm getting slow performance out of the router and I don't know why. I'm having trouble getting port-forwarding to work as well. Perhaps you can help me figure it out.

Also, is the IOS firewall a separate product from the downloadable IOS images? ...I've seen some places on the web selling it as a software bundle and I'm wondering what's really in it.

Thanks in advance.

Cisco Employee

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO IDS/IPS

Hi,

If you configure IDS/VPN/FW on the router at the same, you are defintely increasing the workload, so slow performance is expected. Now the question is how much slow? what is the cpu load now? where exactly you feel the slowness? please brief on what is the issue you have with port forwarding.

IOS FW is not a separate product, but a special IOS image with FW features set.

Thanks

Nadeem

Beginner

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO IDS/IPS

Nadeem,

The current load averages are all under 5%. I have been using an old PII machine running Windows 2000 and Microsoft ISA Server 2004 as a firewall until this point. Now this router fell into my lap and I was hoping to make a more robust and secure firewall of it. I'm not to hung up on the ICS idea but I would like a stateful inspection FW and VPN. The VPN will be rarely used so I'm not to worried aboout the workload.

Now the performance issues: When I unplug the ISA machine and plug the router in (using the same cables), then try to ping external websites from client machines, about 1/3 of the pings time out. When I download files from my own website through the router, it takes twice as long as it does when downloading via the ISA box. I've tried all possible port speed and duplex settings - it didn't make any difference. Everything gets back to normal once I unplug the router and plug the ISA system back in. Perhaps my configuration is screwy (did you get a chance to review the attachment?) or the router could be defective[?]

Cisco Employee

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO IDS/IPS

You config seems fine, but you can try these suggestions, if it doesnt work, open up a case with TAC for detailed analysis

you can try to disable ip inspect statements, try to use only these

ip inspect tcp

ip inspect udp

ip inspect ftp

you can look into interface errors by typing "show itnerface"

you have two default gateways in your config, why?

You have set the logging trap level to "debug" , this will generate too many log messages. you can try to lower the trap level , say for example to "error" the command will be "logging trap error"

or you can disable the logging for the testing purposes.

thanks

Nadeem

Beginner

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO IDS/IPS

Thanks again, Nadeem.

I've tried it with and without logging. There was no difference in performance. I even ran a line speed test at http://nyc.speakeasy.net. With ISA, my line speed was around 768kbps down/640kbps up. When I tested with the cisco, it was 400kbps down and 640kbps up - really strange since the upload rate was the same in both cases and only the download was affected. I'must have put the second default route in by accident - I'll remove it and give it a shot though it probaby won't make a difference. I'll try the "ip inspect" suggestions.

The last thing that I need your help with is configuring the VPN. I want to be able to use the Cisco VPN client to access the 192.168.199.0/24 network from the Internet.

Thank you!

Cisco Employee

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO IDS/IPS

Hi,

My appology, but this session is for IDS/IPS, not for VPN configuration. You can post the VPN question on VPN forum

thanks

Nadeem

Beginner

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO IDS/IPS

I did post a question but I'm not getting any replies. Is there a better way?

Cisco Employee

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO IDS/IPS

You will get a reply, i have seen in this forum that most (almost all) questions gets replied. If you would like to expedite the issue, could you open up a TAC case.

btw what is the issue, jsut post here as well, may be I am able to answer if time permits.

thanks

Nadeem

Beginner

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO IDS/IPS

I would like to configure it so the 192.168.199/24 network can be accessed remotely using Cisco VPN client - basically make it a VPN server.

Thanks!

Beginner

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO IDS/IPS

I have an IDS 4235 that runs CIDS 3.0(5). I do not have the password to the IDS and the IDS is presently not connected to the network.

I'm trying to reimage the IDS appliance with the original recovery CD; everything works fine in the reimaging process but I get stuck here:

SunOS Secondary Boot Version 3.0

Booting Cisco Intrusion Detection System...

At this point it stays here and cannot continue.

I need any help I can. I have tried using a windows box to complete the process, also a Linux box with no success.

Cisco Employee

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO IDS/IPS

What do you mean by using winodws box to complete teh process?

How are you accessing the 4235.

Have you tried to use keyborad/monitor directly to the 4235.

This Could be that you are not seeing the screen output.

thanks

Nadeem

Beginner

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO IDS/IPS

Hi Nadeem:

By 'using a windows box' I mean that I try to boot the IDS by inserting the upgrade/recovery CD in a machine running windows and initiating the reimaging process by booting the windows machine runnning the IDS recovery CD.

I access the 4235 by attaching a monitor and keyboard directly to the IDS.

Thank you.

Cisco Employee

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO IDS/IPS

when you start installation , press "k" , see if it starts sending output to the monitor directly connected.

so you are trying to install IDS 3.x?

you can try to connect a console to the IDS 4235 then start installation

Beginner

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO IDS/IPS

Greetings Nadeem,

Really appreciate yourself taking this time and efford to answer all of our questions. Below are a few of my questions:

1) Cisco IPS is somewhat new and has evolved from its cousin the IDS. IPS is not something of a new product but rather has been around for a while. I would say Cisco are a bit slow in this area and are also not that strong in the market(my apologizes). Basically what i would like to know is what are the key advantages that Cisco IPS has, compared to the other product?

2) Out there people has been creating their own Cisco IDS which what they call "Franken IDS". These are created using a PC loaded with Linux and configured to run Cisco IDS software. What is Cisco doing in terms to protect such thing.

I'm sorry if my questions are a bit off and general but the main reason is i would like to know how much is Cisco putting into this IPS market.

Thanks... in advance.