IPS 4240 - need help

I have some IPS 4240s. I've NEVER worked with these before, and the IOS is... well... completely different. I'm trying to simply put an IP on them so I can telnet or ssh into them. Below is my configuration. As you'll see... I really haven't done anything to the configuration out of the box. Thanks!!

! Current configuration last modified Wed Aug 06 07:24:40 2008
!

! Version 6.0(4)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S317.0 2008-02-13
! Virus Update V1.2 2005-11-24
!

service interface
physical-interfaces GigabitEthernet0/0
admin-state enabled
exit
physical-interfaces Management0/0
subinterface-type none
exit
exit
!

service authentication
exit
!

service event-action-rules rules0
exit
service host
network-settings
host-ip 10.10.25.11/22,10.10.25.2
host-name sensor
telnet-option enabled
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
!

service logger
exit
!

service network-access
exit
!

service notification
exit
!

service signature-definition sig0
exit
service notification
exit
!

service signature-definition sig0
exit
!

service ssh-known-hosts
exit
!

service trusted-certificates
exit
!

service web-server
exit
!

service anomaly-detection ad0
exit
!

service external-product-interface
exit
!

service analysis-engine
exit

Find more posts tagged with

Comments

dtlokee

host-ip 10.10.25.11/22,10.10.25.2

That's the IP of the unit, you need to add an access-list entry under the host settings to allow management access

jworley

ah! Thank you so very much!

jworley

She's seen on the network now (permitted 10.10.24.0/22) Thanks a lot! I really do appreciate the help. Now if I can just fumble around this device... lol

Does this device operate on layer 2 or layer 3? It doesn't route packets, does it?

mikej412

No routing.

It either watches the traffic in promiscuous mode - and the initial packet(s) of an attack get through before it responds with instructions to the hardware under attack.

Or it can work "in Line" with in pairs of interfaces (or VLANs pairs with subinterfaces) and stop the first packet if an attack.

jworley

ah. I see! That's great. Right now, I have it configured with Gi0/0 and Gi0/1 inline. The default policies are applied to the inline path.

I suppose I won't mess with any of them. Should I add an internal zone to the Anomaly Detction though? I figured adding the internal subnet might be a necessary change if I"m understanding this right.

Thanks again! You guys are great. This will eventually go post firewall (setup is router -> ASA5520 -> IPS -> Layer 3 switch [all ports are trunks] -> access switches). Think there will be an problems with that? I think to test it out, I'm going to put it on the network on an access switch go to a small switch with some select IT people (including myself).

jworley

oh, one more thing. As far as licensing goes, does IPS really get updates often enough to justify this purchase? I'm not 100% sure the Provisioning people here bought this. I would have to pitch like Greg Maddox to get this to fly, probably.

Ahriakin

It averages about once a week, sometimes faster, and yes it is worth it. An IPS without signature updates is like an AV without definition updates, unless you want to spend an awful lot of time watching security sites for detailed exploit info. and writing your own sigs...;)

jworley

Ahriakin wrote:

It averages about once a week, sometimes faster, and yes it is worth it. An IPS without signature updates is like an AV without definition updates, unless you want to spend an awful lot of time watching security sites for detailed exploit info. and writing your own sigs...;)

ooh. Good point. Guess I should start pitching now.

jworley

definitely feeling a little dense asking this but....

I went ahead and got a trial license key so we can get updates for now before purchasing a full key. I'm in the IDM and cannot figure out how to get this thing to update. In the Update and AutoUpdate windows, it asks for a server address, username, and password. I must be missing something here.... what server address? What credentials? Also tried click the Update License button in the Licensing window. It will sit there for hours doing nothing... what's it supposed to do?

Thanks for helping me out with my newbish problems.

Ahriakin

You should be able to load the Updates from your own machine through the IDM but for Auto Updates you can specify a few options, the most common is FTP, your own server and the username/password you setup to allow access to it. So you download the update yourself the to the FTP server and set your IDS to pull the updates from there
I don't know off the top of my head if the 4240 supports the 6.1.1 image but if it does install it as it FINALLY allows you to auto-update directly from Cisco's website (for which you just use the CCO login to which you have registered the IPS contract).

jworley

alright, I installed 6.1.1, and I must say... the GUI is much nicer and more user newb friendly.

Thanks again for all the help, everyone. You helped take away some of the pain in this learning curve

Ahriakin

Glad to hear it's working okay.
You should get the Cisco IEM (IPS Express Manager) too, free from the Cisco site. Besides being a decent log viewer/reporter it integrates the IDM into it's GUI so you can very quickly monitor/change/tune from one console. One thing I really like is you can right-click an event in the viewer and tune the rule or set event action filters from the popup menu and it takes you right into the relevant section on that device's IDM. A small but nice timesaver.

jworley

Interesting. I searched of the software on Cisco's site. I found the page, I think... but it says

"NOTE:
There are currently no files for this type."

http://www.cisco.com/cgi-bin/tablebuild.pl/ips-ime

Ahriakin

Odd. I just tried it again and it's working for me. Are you using a download manager/plugin? Try a normal save inside your browser instead.

dtlokee

You need to log into your CCO account or it will say that or you need a service contract that allows acces to it. The link you provided works for me too.

jworley

hmmm... I thought I did log in with my CCO account. I only have a trial key for now, though. Could it be that I don't have enough access?