

Step 3: Add ICMP to the autosec_inspect list.

From global config mode, configure R1 to inspect ICMP and allow ICMP echo replies from
outside hosts.
R1(config)#ip inspect name autosec_inspect icmp timeout 5




Step 4: From PC-A, ping the R2 external WAN interface.

From PC-A, ping the R2 interface S0/0/0 at IP address 10.1.1.2.
C:\>ping 10.1.1.2
Were the pings successful? Why or why not? ___________________________________________

Remove ICMP from the inspect list. This restores the CBAC configuration to the one generated by
AutoSecure.
R1(config)#no ip inspect name autosec_inspect icmp timeout 5

Step 5: Test Telnet access from R2 to R1.

From external router R2, telnet to R1 at IP address 10.1.1.1.
R2>telnet 10.1.1.1
Trying 10.1.1.1 ...
% Connection timed out; remote host not responding
Was the Telnet attempt successful? Why or why not? _________________________________________


Step 6: Configure R1 to allow Telnet access from external hosts.

Display the Extended ACL named autosec_firewall_acl that is applied to S0/0/0 inbound.
R1#show access-list autosec_firewall_acl
Extended IP access list autosec_firewall_acl
10 permit udp any any eq bootpc
15 permit eigrp any any (15)
20 deny ip any any (57 matches)
Notice the 57 matches on ACL line 20. What is this a result of? ______________________________

Configure R1 to allow Telnet access by adding a statement to the Extended ACL autosec_firewall_acl
that permits TCP port 23 (Telnet).
R1(config)#ip access-list extended autosec_firewall_acl
R1(config-ext-nacl)#18 permit tcp any any eq 23
R1(config-ext-nacl)#end
From external router R2, telnet again to R1 at IP address 10.1.1.1.
R2>telnet 10.1.1.1
Trying 10.1.1.1 ... Open

Unauthorized Access Prohibited

User Access Verification

Username: admin
Password: cisco12345

R1>
From the Telnet session on R1, display the modified Extended ACL autosec_firewall_acl.
R1>show access-list autosec_firewall_acl
Extended IP access list autosec_firewall_acl
10 permit udp any any eq bootpc
15 permit eigrp any any (25)

18 permit tcp any any eq telnet (12 matches)
20 deny ip any any (57 matches)
Notice the new line 18 in the ACL and the 12 matches. What is this a result of?
_______________________________________________________________________________

Remove Telnet external access from the R1 firewall ACL.
R1(config)#ip access-list extended autosec_firewall_acl
R1(config-ext-nacl)#no 18 permit tcp any any eq telnet
R1(config-ext-nacl)#end
Note: SSH is recommended instead of Telnet, because it provides a more secure way to allow remote
administration access to a router or other networking device. SSH provides encrypted communication;
however, some additional configuration is required to support the SSH connection. Refer to Chapter 2 Lab A
for the procedure to enable SSH. For added security, configure SSH as the only input transport on the vty
lines and remove Telnet as an input transport. Allowing SSH access to R1 from external hosts also requires
adding a statement to the Extended ACL autosec_firewall_acl that permits TCP port 22 (SSH).
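The two ACL listings in this step are worth comparing mechanically: the counter on the deny line records the packets the AutoSecure firewall ACL rejected, and the counter on the new sequence-18 entry records what the Telnet permit let through. The following Python is an added example, not part of the lab or of any Cisco tool, that parses show access-list output and reports new, removed, and changed-counter entries between two snapshots. The two snapshots are constructed from the output shown above, with the counters written in IOS's usual "(N matches)" form; the parser also accepts the bare "(15)" form the lab text shows.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed snapshots of the R1 firewall ACL, taken from the output shown in
# this step before and after sequence 18 was added.
ACL_BEFORE = """\
Extended IP access list autosec_firewall_acl
    10 permit udp any any eq bootpc
    15 permit eigrp any any (15 matches)
    20 deny ip any any (57 matches)
"""

ACL_AFTER = """\
Extended IP access list autosec_firewall_acl
    10 permit udp any any eq bootpc
    15 permit eigrp any any (25 matches)
    18 permit tcp any any eq telnet (12 matches)
    20 deny ip any any (57 matches)
"""

# One access control entry: "<seq> <permit|deny> <proto> <rest> [(N matches)]"
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<rest>.*?)(?:\s*\((?P<hits>\d+)(?:\s+match(?:es)?)?\))?\s*$"
)


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    rest: str     # source/destination/port part, kept verbatim
    hits: int     # match counter; 0 when IOS prints no counter


def parse_acl(text: str) -> Dict[int, Ace]:
    """Parse 'show access-list' output into a map keyed by sequence number."""
    entries: Dict[int, Ace] = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue   # header line or unrelated text
        seq = int(m["seq"])
        entries[seq] = Ace(seq, m["action"], m["proto"], m["rest"].strip(),
                           int(m["hits"] or 0))
    return entries


def diff_hits(before: Dict[int, Ace], after: Dict[int, Ace]) -> List[str]:
    """Report entries that appeared, disappeared, or whose counters moved."""
    findings: List[str] = []
    for seq, ace in sorted(after.items()):
        old = before.get(seq)
        if old is None:
            findings.append(f"NEW  seq {seq}: {ace.action} {ace.proto} {ace.rest} "
                            f"({ace.hits} hits)")
        elif ace.hits != old.hits:
            findings.append(f"HITS seq {seq}: {old.hits} -> {ace.hits} "
                            f"({ace.action} {ace.proto} {ace.rest})")
    for seq in sorted(set(before) - set(after)):
        findings.append(f"GONE seq {seq}: {before[seq].action} {before[seq].proto} "
                        f"{before[seq].rest}")
    return findings


def denied_packets(acl: Dict[int, Ace]) -> int:
    """Total hits on deny entries: the traffic the firewall ACL actually blocked."""
    return sum(a.hits for a in acl.values() if a.action == "deny")


if __name__ == "__main__":
    before, after = parse_acl(ACL_BEFORE), parse_acl(ACL_AFTER)
    print(f"denied so far: {denied_packets(after)}")
    for line in diff_hits(before, after):
        print(line)
```

Run against the two snapshots, the report shows the EIGRP counter climbing (hello packets keep arriving) and the new Telnet entry with its 12 hits; the same comparison, taken from periodic show access-list captures, is a cheap way to notice an ACL entry that was added outside change control.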


Step 7: Test Telnet access from internal PC-A to external router R2.

From PC-A, telnet to R2 at IP address 10.1.1.2.
C:\>telnet 10.1.1.2
a. Was the telnet attempt successful? Why or why not? ______________________________________

b. Log in to R2 by providing the vty password of ciscovtypass.

c. Leave the Telnet session open.


Task 5. Verify CBAC Configuration and Operation

Step 1: Display CBAC inspection information.

Use the show ip inspect all command to see the configuration and inspection status.

Note: The end of the command output shows the established sessions and the inspected TCP
Telnet connection between PC-A and R2.
R1#show ip inspect all
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
Tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 14400 sec -- udp idle-time is 1800 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 7 sec
Inspection Rule Configuration
Inspection name autosec_inspect
cuseeme alert is on audit-trail is on timeout 3600
ftp alert is on audit-trail is on timeout 3600
http alert is on audit-trail is on timeout 3600
rcmd alert is on audit-trail is on timeout 3600


rcmd alert is on audit-trail is on timeout 3600
smtp max-data 20000000 alert is on audit-trail is on timeout 3600
tftp alert is on audit-trail is on timeout 30
udp alert is on audit-trail is on timeout 15
tcp alert is on audit-trail is on timeout 3600

Interface Configuration
Interface Serial0/0/0
Inbound inspection rule is not set
Outgoing inspection rule is autosec_inspect
cuseeme alert is on audit-trail is on timeout 3600
ftp alert is on audit-trail is on timeout 3600
http alert is on audit-trail is on timeout 3600
rcmd alert is on audit-trail is on timeout 3600
realaudio alert is on audit-trail is on timeout 3600
smtp max-data 20000000 alert is on audit-trail is on timeout 3600
tftp alert is on audit-trail is on timeout 30
udp alert is on audit-trail is on timeout 15
tcp alert is on audit-trail is on timeout 3600
Inbound access list is autosec_firewall_acl
Outgoing access list is not set

Established Sessions
Session 6556C128 (192.168.1.3:1185)=>(10.1.1.2:23) tcp SIS_OPEN
a. In the Established Sessions section, what is the source IP address and port number for Session
6556C128? ___________________________________________________________________

b. What is the destination IP address and port number for Session 6556C128?
____________________________________________________________________________


Step 2: View detailed session information.

a. View detailed session information using the show ip inspect sessions detail command on
R1.
R1#show ip inspect sessions detail
Established Sessions
Session 6556C128 (192.168.1.3:1185)=>(10.1.1.2:23) tcp SIS_OPEN
Created 00:00:09, Last heard 00:00:02
Bytes sent (initiator:responder) [45:154]
In SID 10.1.1.2[23:23]=>192.168.1.3[1185:1185] on ACL autosec_firewall_acl
(19 matches)
b. Close the Telnet connection when you are finished verifying CBAC operation.


Part 3. Configuring a Zone-Based Firewall (ZBF) Using SDM
In Part 3 of this lab, you configure a zone-based firewall (ZBF) on R3 using SDM.

Task 1. Verify Access to the R3 LAN from R2
In this task, you verify that with no firewall in place, external router R2 can access the R3 S0/0/1 interface and
PC-C on the R3 internal LAN.




Step 1: Ping from R2 to R3.

a. From R2, ping the R3 interface S0/0/1 at IP address 10.2.2.1.
R2#ping 10.2.2.1
b. Were the results successful? _____

If the pings are not successful, troubleshoot the basic device configurations before continuing.


Step 2: Ping from R2 to PC-C on the R3 LAN.

a. From R2, ping PC-C on the R3 LAN at IP address 192.168.3.3.
R2#ping 192.168.3.3
b. Were the results successful? _____

If the pings are not successful, troubleshoot the basic device configurations before continuing.


Step 3: Display the R3 running config prior to starting SDM.

a. Issue the show run command to review the current basic configuration on R3.

b. Verify the R3 basic configuration as performed in Part 1 of the lab. Are there any security commands
related to access control? ___________________________________________________________


Task 2. Create a Zone-Based Policy Firewall
In this task, you use Cisco SDM to create a zone-based policy firewall on R3.

Step 1: Configure the enable secret password and HTTP router access prior to starting SDM.

a. From the CLI, configure the enable secret password for use with SDM on R3.
R3(config)#enable secret cisco12345
b. Enable the HTTP server on R3.
R3(config)#ip http server

Step 2: Access SDM and set command delivery preferences.

a. Run the SDM application or open a browser on PC-C and start SDM by entering the R3 IP address
192.168.3.1 in the address field.

b. Log in with no username and the enable secret password cisco12345.

c. In the Password Needed - Networking dialog box, enter cisco12345 in the Password field and click Yes.

d. Select Edit > Preferences to configure SDM to allow you to preview the commands before sending them
to the router. In the User Preferences window, check the Preview commands before delivering to router
check box and click OK.




Step 3: Use the SDM Firewall wizard to configure a zone-based firewall.

a. On the SDM Home page, refer to the Configuration Overview portion of the screen. What is the state of
the Firewall Policies? ____________________________________________________________

b. Click the Configure button at the top of the SDM screen, and then click Firewall and ACL. Read
through the overview descriptions for the Basic and Advanced Firewall options. What are some of the key
differences? __________________________________________________________________

________________________________________________________________________________




c. Select Basic Firewall and click the Launch the selected task button.

d. In the Basic Firewall Configuration Wizard window, familiarize yourself with what the Basic Firewall
does. What does the Basic Firewall do with traffic from outside zones to inside zones? ____________

e. Click Next to continue.

f. Check the Inside (trusted) check box for FastEthernet0/1 and the Outside (untrusted) check box for
Serial0/0/1. Click Next.




g. Click OK when the warning is displayed telling you that you cannot launch SDM from the S0/0/1
interface after the Firewall wizard completes.

h. Move the slider between High, Medium, and Low security to familiarize yourself with what each
provides. What is the main difference between High security and Medium or Low security?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________

i. Move the slider to Low Security and click the Preview Commands button to preview the commands
that are delivered to the router. When you are finished reviewing the commands, click Close and then
click Next.

j. Review the Firewall Configuration Summary. What does this display provide?
________________________________________________________________________________

k. Click Finish to complete the Firewall wizard.

l. When the Routing traffic configuration window displays, ensure that the check box Allow EIGRP
updates to come through the firewall is checked and click OK.

Note: This screen only displays if a dynamic routing protocol is configured.




m. What would happen if this box was not checked? ________________________________________
_______________________________________________________________________________

n. In addition to EIGRP, for what other routing protocols does the firewall allow updates?
_______________________________________________________________________________

o. In the Deliver Configuration to Router window, make sure that the Save running config to router's
startup config check box is checked and click Deliver.

p. Click OK in the Commands Delivery Status window. How many commands were generated by the
Firewall wizard? __________________________________________________________________

q. Click OK to display the message that you have successfully configured a firewall on the router. Click
OK to close the message window.

r. The Edit Firewall Policy window displays with the Rule Diagram.




s. In the Rule Diagram, locate access list 100 (folder icon). What action is taken and what rule options are
applied for traffic with an invalid source address in the 127.0.0.0/8 address range?
_______________________________________________________________________________


Task 3. Review the Zone-Based Firewall Configuration

Step 1: Examine the R3 running configuration with the CLI.

a. From the R3 CLI, display the running configuration to view the changes that the SDM Basic Firewall
wizard made to the router.

b. The following commands are related to ACL 100 and class-map sdm-invalid-src.
class-map type inspect match-all sdm-invalid-src
match access-group 100

policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
<output omitted>

access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.2.2.0 0.0.0.3 any
c. In ACL 100, notice that the source addresses listed are permitted. The ACL uses permit statements to
identify these addresses as a group so that they can be matched with the class-map type inspect
match-all sdm-invalid-src command and then dropped and logged by the class type
inspect sdm-invalid-src command, which is one of the class types specified for the sdm-inspect
policy-map.

d. Issue the command show run | beg EIGRP to display the running configuration beginning with the
line that contains the first occurrence of the text “EIGRP”. Continue to press Enter until you see all the
commands in the firewall configuration that are related to EIGRP routing protocol updates on R3. You
should see the following commands:
class-map type inspect match-any SDM_EIGRP
match access-group name SDM_EIGRP
class-map type inspect match-any SDM_EIGRP_TRAFFIC
match class-map SDM_EIGRP
class-map type inspect match-all SDM_EIGRP_PT

policy-map type inspect sdm-permit
class type inspect SDM_EIGRP_PT
pass
class class-default
drop
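To see concretely which source addresses the sdm-invalid-src class catches, the following Python is an added model, not part of the lab or of SDM, of IOS wildcard-mask matching applied to the three ACL 100 entries from Step 1b. It assumes that the sdm-inspect policy map is applied to the inside-to-outside zone pair, as the SDM Basic Firewall wizard does, so a packet leaving the LAN with one of these sources cannot be genuine; the sample source addresses it tests are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

# ACL 100 as the SDM Basic Firewall wizard wrote it on R3 (from Step 1b above):
# (action, network, wildcard). The ACL "permits" these sources only so that the
# class map can match them; the policy map then drops and logs the packet.
ACL_100: List[Tuple[str, str, str]] = [
    ("permit", "255.255.255.255", "0.0.0.0"),   # limited broadcast as a source
    ("permit", "127.0.0.0", "0.255.255.255"),   # loopback range as a source
    ("permit", "10.2.2.0", "0.0.0.3"),          # R3's own WAN subnet as a source
]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is a don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def wildcard_to_cidr(network: str, wildcard: str) -> str:
    """Contiguous wildcard masks map to a prefix; non-contiguous ones raise ValueError."""
    w = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ w)
    return str(ipaddress.IPv4Network((network, str(netmask))))


def acl_lookup(src: str, acl=ACL_100) -> Optional[Tuple[int, str]]:
    """First-match evaluation; the implicit deny at the end returns None."""
    for index, (action, network, wildcard) in enumerate(acl, start=1):
        if wildcard_match(src, network, wildcard):
            return index, action
    return None


def zbf_verdict(src: str) -> str:
    """What policy-map sdm-inspect does with a packet carrying this source address.

    class-map type inspect match-all sdm-invalid-src matches access-group 100, and
    its class action is 'drop log'. Anything else falls through to the later
    classes of the policy map (assumed here to be the normal inspect classes).
    """
    hit = acl_lookup(src)
    if hit is not None and hit[1] == "permit":
        return "drop log"
    return "continue"


if __name__ == "__main__":
    for _, network, wildcard in ACL_100:
        print(f"{network} {wildcard} -> {wildcard_to_cidr(network, wildcard)}")
    # Constructed sample sources: two spoofed, one legitimate LAN host (PC-C).
    for src in ("127.0.0.1", "10.2.2.2", "192.168.3.3"):
        print(f"{src:16} {zbf_verdict(src)}")
```

The prefix view makes the intent of the wizard's ACL readable at a glance (255.255.255.255/32, 127.0.0.0/8, 10.2.2.0/30), and the verdict function shows why "permit" in the ACL does not mean "allow": it only selects the packets the class map hands to the drop log action.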

Step 2: Examine the R3 firewall configuration using SDM.

a. Return to the SDM Home page. Refer to the Configuration Overview portion of the screen. What is the
state of Firewall Policies? _______________________________________________________

b. Click the double down arrow on the right of the Firewall Policies section. What is displayed?
_______________________________________________________________________________

c. Click the Configure button and select Additional Tasks > ACL Editor > Firewall Rules. There should
be an ACL that lists fake source addresses, such as the broadcast address of 255.255.255.255 and the
127.0.0.0/8 network. These were identified in the running configuration output in Task 3, Step 1b.

d. Click the Configure button and select Additional Tasks > Zones to verify the zones configuration.
What interfaces are listed and in what zone is each?
_______________________________________________________________________________

e. Click Configure and select Additional Tasks > Zones Pairs to verify the zone pairs configuration. Fill
in the following information.

Zone Pair Source Destination Policy




f. Click Configure and select Additional Tasks > C3PL.

g. What is C3PL short for? _____________________________________________________________

h. Expand the C3PL menu and select Class Map > Inspection. How many class maps were created by
the SDM Firewall wizard? _____

i. Select C3PL > Policy Map > Protocol Inspection. How many policy maps were created by the SDM
Firewall wizard? _____

j. Examine the details for the policy map sdm-permit that is applied to the sdm-zp-out-self zone pair. Fill in
the information below. List the action for the traffic matching each of the class maps referenced within the
sdm-permit policy map.

Match Class Name: ______________________ Action: ___________
Match Class Name: ______________________ Action: ___________


Task 4. Verify EIGRP Routing Functionality on R3

Step 1: Display the R3 routing table using the CLI.

a. In Task 2, Step 3, the Firewall wizard configured the router to allow EIGRP updates. Verify that EIGRP
messages are still being exchanged using the show ip route command and verify that there are still
EIGRP learned routes in the routing table.
R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
<Output omitted>

Gateway of last resort is not set

10.0.0.0/30 is subnetted, 2 subnets
C 10.2.2.0 is directly connected, Serial0/0/1
D 10.1.1.0 [90/21024000] via 10.2.2.2, 00:34:12, Serial0/0/1
D 192.168.1.0/24 [90/21026560] via 10.2.2.2, 00:32:16, Serial0/0/1
C 192.168.3.0/24 is directly connected, FastEthernet0/1
b. Which networks has R3 learned via the EIGRP routing protocol? ____________________________


Task 5. Verify Zone-Based Firewall Functionality

Step 1: From PC-C, ping the R3 internal LAN interface.

a. From PC-C, ping the R3 interface Fa0/1 at IP address 192.168.3.1.
C:\>ping 192.168.3.1
b. Were the pings successful? Why or why not?
_______________________________________________________________________________


Step 2: From PC-C, ping the R2 external WAN interface.

a. From PC-C, ping the R2 interface S0/0/1 at IP address 10.2.2.2.
C:\>ping 10.2.2.2



b. Were the pings successful? Why or why not?
________________________________________________________________________________


Step 3: From R2 ping PC-C.

a. From external router R2, ping PC-C at IP address 192.168.3.3.
R2#ping 192.168.3.3
b. Were the pings successful? Why or why not?
________________________________________________________________________________


Step 4: Telnet from R2 to R3.

a. From router R2, telnet to R3 at IP address 10.2.2.1.
R2#telnet 10.2.2.1
Trying 10.2.2.1 ...
% Connection timed out; remote host not responding
b. Why was the Telnet attempt unsuccessful? _____________________________________________________


Step 5: Telnet from internal PC-C to external router R2.

From PC-C on the R3 internal LAN, telnet to R2 at IP address 10.2.2.2 and log in.
C:\>telnet 10.2.2.2

User Access Verification
Password: ciscovtypass
With the Telnet session open from PC-C to R2, enter privileged EXEC mode with the enable command
and password cisco12345.

Issue the command show policy-map type inspect zone-pair session on R3. Continue
pressing Enter until you see an Inspect Established Sessions section toward the end. Your output
should look similar to the following.
Inspect

Number of Established Sessions = 1
Established Sessions
Session 657344C0 (192.168.3.3:1274)=>(10.2.2.2:23) tacacs:tcp SIS_OPEN
Created 00:01:20, Last heard 00:01:13
Bytes sent (initiator:responder) [45:65]
In the Established Sessions in the output, what is the source IP address and port number for Session
657344C0? ______________________________________________________________________

What is the destination IP address and port number for Session 657344C0?
________________________________________________________________________________
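The session questions in this step and in Task 5 of Part 2 (show ip inspect sessions detail on R1) both come down to reading the same line shape: Session <id> (<initiator>:<port>)=>(<responder>:<port>) <proto> <state>. The following Python is an added example, not part of the lab or of Cisco IOS, that parses that line from both the CBAC and the ZBF command output, attaches the byte counters, and flags open sessions to clear-text services such as Telnet, the point of the SSH note earlier in the lab. The sample output is constructed from the values shown in the lab, with the wrapped ZBF session line joined.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample output, in the shape of the two show commands used in this
# lab: CBAC on R1 (show ip inspect sessions detail) and ZBF on R3
# (show policy-map type inspect zone-pair session). Values are the ones the
# lab shows; the ZBF session line is written on one line here.
CBAC_OUTPUT = """\
Established Sessions
 Session 6556C128 (192.168.1.3:1185)=>(10.1.1.2:23) tcp SIS_OPEN
  Created 00:00:09, Last heard 00:00:02
  Bytes sent (initiator:responder) [45:154]
  In SID 10.1.1.2[23:23]=>192.168.1.3[1185:1185] on ACL autosec_firewall_acl (19 matches)
"""

ZBF_OUTPUT = """\
Inspect
  Number of Established Sessions = 1
  Established Sessions
   Session 657344C0 (192.168.3.3:1274)=>(10.2.2.2:23) tacacs:tcp SIS_OPEN
    Created 00:01:20, Last heard 00:01:13
    Bytes sent (initiator:responder) [45:65]
"""

# "Session <id> (<src>:<port>)=>(<dst>:<port>) <proto> <state>"; the proto field
# is "tcp" under CBAC and "<class>:tcp" under ZBF, so it is kept as one token.
SESSION_RE = re.compile(
    r"Session\s+(?P<id>[0-9A-Fa-f]+)\s+"
    r"\((?P<src_ip>[\d.]+):(?P<src_port>\d+)\)=>\((?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\)\s+"
    r"(?P<proto>\S+)\s+(?P<state>SIS_\w+)"
)
BYTES_RE = re.compile(r"Bytes sent \(initiator:responder\) \[(?P<init>\d+):(?P<resp>\d+)\]")


@dataclass
class InspectSession:
    session_id: str
    src_ip: str        # initiator: the host that opened the connection
    src_port: int
    dst_ip: str        # responder
    dst_port: int
    proto: str
    state: str
    bytes_initiator: int = 0
    bytes_responder: int = 0


def parse_sessions(text: str) -> List[InspectSession]:
    """Extract every session line; a Bytes line belongs to the session just before it."""
    sessions: List[InspectSession] = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions.append(InspectSession(
                m["id"], m["src_ip"], int(m["src_port"]),
                m["dst_ip"], int(m["dst_port"]), m["proto"], m["state"]))
            continue
        b = BYTES_RE.search(line)
        if b and sessions:
            sessions[-1].bytes_initiator = int(b["init"])
            sessions[-1].bytes_responder = int(b["resp"])
    return sessions


# Destination ports whose protocols carry credentials unencrypted.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}


def cleartext_sessions(sessions: List[InspectSession]) -> List[str]:
    """IDs of open sessions to a clear-text management or file-transfer service."""
    return [s.session_id for s in sessions
            if s.state == "SIS_OPEN" and s.dst_port in CLEARTEXT_PORTS]


if __name__ == "__main__":
    for s in parse_sessions(CBAC_OUTPUT) + parse_sessions(ZBF_OUTPUT):
        print(f"{s.session_id}: {s.src_ip}:{s.src_port} -> {s.dst_ip}:{s.dst_port} "
              f"{s.proto} {s.state} bytes={s.bytes_initiator}:{s.bytes_responder}")
```

The initiator side of the arrow is the inside host in both captures (PC-A and PC-C), which is what stateful inspection is built on: the return traffic from port 23 is admitted only because a session record already exists for it.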




Step 6: Verify the ZBF function using SDM Monitor.

From SDM, click the Monitor button at the top of the screen and select Firewall Status.

Select the sdm-zp-out-self policy from the list of policies. This policy applies to traffic from the outside
zone to the router (self) zone.

Verify that Active Sessions is selected and that the view interval is set to Real-time data every 10 sec.
Click the Monitor Policy button to start monitoring traffic from the outside zone to the router (self) zone.




From the R2 CLI, ping the R3 S0/0/1 interface at IP address 10.2.2.1. The pings should fail.

From the R2 CLI, telnet to the R3 S0/0/1 interface at IP address 10.2.2.1. The telnet attempt should fail.

Click the Dropped Packets option and observe the graph showing the number of dropped packets
resulting from the failed ping and telnet attempts. Your screen should look similar to the one below.




Click the Allowed Packets option and observe the graph showing the number of EIGRP packets
received by router R3. This number continues to grow at a steady pace as EIGRP updates are
received from R2.




Click the Stop Monitoring button and close SDM.


Task 6. Reflection
What are some factors to consider when configuring firewalls using traditional manual CLI methods compared
to using the automated AutoSecure CBAC and the SDM Firewall wizard GUI methods?

_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________




Router Interface Summary Table
Router Interface Summary
Router Model  Ethernet Interface #1      Ethernet Interface #2      Serial Interface #1     Serial Interface #2
1700          Fast Ethernet 0 (FA0)      Fast Ethernet 1 (FA1)      Serial 0 (S0)           Serial 1 (S1)
1800          Fast Ethernet 0/0 (FA0/0)  Fast Ethernet 0/1 (FA0/1)  Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
2600          Fast Ethernet 0/0 (FA0/0)  Fast Ethernet 0/1 (FA0/1)  Serial 0/0 (S0/0)       Serial 0/1 (S0/1)
2800          Fast Ethernet 0/0 (FA0/0)  Fast Ethernet 0/1 (FA0/1)  Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
Note: To find out how the router is configured, look at the interfaces to identify the type of router
and how many interfaces the router has. There is no way to effectively list all the combinations of
configurations for each router class. This table includes identifiers for the possible combinations of
Ethernet and Serial interfaces in the device. The table does not include any other type of interface,
even though a specific router may contain one. An example of this might be an ISDN BRI interface.
The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to
represent the interface.




Chapter 5: Lab A: Configuring an Intrusion Prevention System (IPS)
Using the CLI and SDM

Topology




IP Addressing Table

Device  Interface      IP Address    Subnet Mask      Default Gateway  Switch Port
R1      FA0/1          192.168.1.1   255.255.255.0    N/A              S1 FA0/5
        S0/0/0 (DCE)   10.1.1.1      255.255.255.252  N/A              N/A
R2      S0/0/0         10.1.1.2      255.255.255.252  N/A              N/A
        S0/0/1 (DCE)   10.2.2.2      255.255.255.252  N/A              N/A
R3      FA0/1          192.168.3.1   255.255.255.0    N/A              S3 FA0/5
        S0/0/1         10.2.2.1      255.255.255.252  N/A              N/A
PC-A    NIC            192.168.1.3   255.255.255.0    192.168.1.1      S1 FA0/6
PC-C    NIC            192.168.3.3   255.255.255.0    192.168.3.1      S3 FA0/18




Objectives
Part 1: Basic Router Configuration

Configure hostname, interface IP addresses, and access passwords.

Configure the static routing.


Part 2: Configuring an IOS Intrusion Prevention System (IPS) using CLI

Configure IOS IPS using CLI.

Modify IPS Signatures.

Examine the resulting IPS configuration.

Verify IPS functionality.

Log IPS messages to a Syslog server.


Part 3: Configuring an Intrusion Prevention System (IPS) using SDM

Configure IPS using SDM.

Modify IPS Signatures.

Examine the resulting IPS configuration.

Use a scanning tool to simulate an attack.

Use the SDM Monitor to verify IPS functionality.


Background

In this lab, you configure the Cisco IOS Intrusion Prevention System (IPS), which is part of the Cisco IOS
Firewall feature set. IPS examines certain attack patterns and alerts or mitigates when those patterns occur.
IPS alone is not enough to make a router into a secure Internet firewall, but in addition to other security
features, it can be a powerful defense.

You will configure the IPS using the Cisco IOS CLI on one router and SDM on another router, and then test
IPS functionality on both routers. You will load the IPS Signature package from a TFTP server and configure
the public crypto key using the Cisco IOS CLI and SDM.

Note: The router commands and output in this lab are from a Cisco 1841 using Cisco IOS Release 12.4(20)T
(Advanced IP image). Other routers and Cisco IOS versions can be used. See the Router Interface Summary
table at the end of the lab to determine which interface identifiers to use based on the equipment in the lab.
Depending on the model of the router and Cisco IOS version, the available commands and the output
produced might vary from what is shown in this lab.

Note: Make sure that the routers and the switches have been erased and have no startup configurations.


Required Resources
2 routers (R1 and R3) with SDM 2.5 installed (Cisco 1841 with Cisco IOS Release 12.4(20)T1 and
192MB DRAM or comparable routers)

Note: The above requirement is critical to successful completion of this lab. The routers that run IPS (R1
and R3) require a minimum of 192MB DRAM and at least 2MB free flash memory. They must also be
running T-Train Cisco IOS Release 12.4(11)T1 or later (preferably 12.4(20)T or later) to support the
version 5.x format signature package.


1 router (R2) Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable


2 switches (Cisco 2960 or comparable)


PC-A (Windows XP or Vista with syslog and TFTP servers and the SuperScan tool installed)


PC-C (Windows XP or Vista with Java 6 Standard Edition, syslog and TFTP servers, and the
SuperScan tool installed)

Note: To support SDM IPS on PC-C, you must be able to set the Java heap size to 256MB, which
requires Java 6.

Serial and Ethernet cables as shown in the topology


Rollover cables to configure the routers via the console


IPS Signature package and public crypto key files on PC-A and PC-C (provided by instructor)



Part 1. Basic Router Configuration
In Part 1 of this lab, you set up the network topology and configure basic settings such as host names,
interface IP addresses, static routing, device access, and passwords.

Note: Perform all tasks on routers R1, R2, and R3. The procedure for R1 is shown here as an example.


Step 1: Cable the network as shown in the topology.

Attach the devices shown in the topology diagram and cable as necessary.


Step 2: Configure the basic settings for each router.

Configure the host names as shown in the topology.

Configure the interface IP addresses as shown in the IP addressing table.

a. Configure a clock rate for serial router interfaces with a DCE serial cable attached.
R1(config)#interface S0/0/0
R1(config-if)#clock rate 64000
b. To prevent the router from attempting to translate incorrectly entered commands, disable DNS
lookup.
R1(config)#no ip domain-lookup

Step 3: Configure static routing on the routers.

Configure a static default route from R1 to R2 and from R3 to R2.

a. Configure a static route from R2 to the R1 LAN and from R2 to the R3 LAN.


Step 4: Configure PC host IP settings.

Configure a static IP address, subnet mask, and default gateway for PC-A and PC-C, as shown in the IP
addressing table.

Step 5: Verify basic network connectivity.

a. Ping from R1 to R3.

Were the results successful? _____

If the pings are not successful, troubleshoot the basic device configurations before continuing.

b. Ping from PC-A on the R1 LAN to PC-C on the R3 LAN.

Were the results successful? _____

If the pings are not successful, troubleshoot the basic device configurations before continuing.

Note: If you can ping from PC-A to PC-C, you have demonstrated that static routing is configured
and functioning correctly. If you cannot ping but the device interfaces are up and IP addresses are correct,
use the show run and show ip route commands to identify routing-related problems.


Step 6: Configure and encrypt passwords.

Note: Passwords in this task are set to a minimum of 10 characters but are relatively simple for the
benefit of performing the lab. More complex passwords are recommended in a production network.

a. Configure a minimum password length using the security passwords command to set a minimum
password length of 10 characters.
R1(config)#security passwords min-length 10
b. Configure a console password and enable login for router R1. For additional security, the exec-
timeout command causes the line to log out after 5 minutes of inactivity. The logging synchronous
command prevents console messages from interrupting command entry.

Note: To avoid repetitive logins during this lab, the exec-timeout command can be set to 0 0,
which prevents it from expiring. However, this is not considered to be a good security practice.
R1(config)#line console 0
R1(config-line)#password ciscoconpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#logging synchronous
c. Configure a password for the aux port for router R1.
R1(config)#line aux 0
R1(config-line)#password ciscoauxpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
d. Configure the password on the vty lines for router R1.
R1(config)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
e. Encrypt the console, aux, and vty clear text passwords.

R1(config)#service password-encryption



Issue the show run command. Can you read the console, aux, and vty passwords? Why or why not?
________________________________________________________________________
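The line settings in this step (login, exec-timeout, password encryption) and the earlier note recommending SSH as the only vty transport are easy to check mechanically once the configuration has been saved. The following Python is an added example, not part of the lab or of Cisco IOS, that groups the commands under each line con/aux/vty block of a show run capture and reports the settings that fall short of what this step configures. The running-config fragment it audits is constructed: the console and aux lines are as Step 6 leaves them, the vty block deliberately keeps Telnet and omits exec-timeout so that the checker has something to flag, and the type 7 strings are placeholders rather than real encrypted passwords.

```python
import re
from typing import Dict, List

# Constructed running-config fragment (see the lead-in). The "password 7"
# strings are constructed placeholders, not real encrypted passwords.
RUNNING_CONFIG = """\
service password-encryption
security passwords min-length 10
!
line con 0
 password 7 0123456789ABCDEF0123
 exec-timeout 5 0
 logging synchronous
 login
line aux 0
 password 7 0123456789ABCDEF0123
 exec-timeout 5 0
 login
line vty 0 4
 password 7 0123456789ABCDEF0123
 login
 transport input telnet ssh
!
"""

LINE_HEADER = re.compile(r"^line\s+(?P<kind>con(?:sole)?|aux|vty)(?P<range>[ \d]*)$")


def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Group the indented commands under each 'line ...' header."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        m = LINE_HEADER.match(raw)
        if m:
            current = (m["kind"] + m["range"]).strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None          # '!' or a top-level command ends the block
    return blocks


def audit_lines(config: str) -> Dict[str, List[str]]:
    """Per line, the settings that fall short of Step 6 and the SSH note."""
    findings: Dict[str, List[str]] = {}
    for name, entries in parse_line_blocks(config).items():
        issues: List[str] = []
        if not any(e == "login" or e.startswith("login ") for e in entries):
            issues.append("'login' missing: the line password is never requested")
        timeout = next((e for e in entries if e.startswith("exec-timeout")), None)
        if timeout is None:
            issues.append("exec-timeout not set; the lab uses 'exec-timeout 5 0'")
        elif timeout.split()[1:3] == ["0", "0"]:
            issues.append("exec-timeout 0 0: idle sessions never expire")
        for e in entries:
            # 'password 7 <string>' is the encrypted form; a bare word is clear text
            if e.startswith("password ") and not re.match(r"password\s+\d\s", e):
                issues.append("clear-text password; 'service password-encryption' "
                              "is not applied")
        if name.startswith("vty"):
            transport = next((e for e in entries if e.startswith("transport input")), None)
            if transport is None:
                issues.append("transport input not restricted; set 'transport input ssh'")
            elif {"telnet", "all"} & set(transport.split()):
                issues.append(f"'{transport}': Telnet still allowed; credentials cross "
                              "the network in clear text")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for line_name, issues in audit_lines(RUNNING_CONFIG).items():
        for issue in issues:
            print(f"line {line_name}: {issue}")
```

On the constructed fragment only the vty block is reported, for the missing exec-timeout and for the Telnet transport; feed it a capture taken before service password-encryption and the clear-text password finding appears as well, which is the observable answer to the show run question above.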


Step 7: Save the basic configurations for all three routers.

Save the running configuration to the startup configuration from the privileged EXEC prompt.
R1#copy running-config startup-config

Part 2. Configuring IPS Using the Cisco IOS CLI
In Part 2 of this lab, you configure IPS on R1 using the Cisco IOS CLI. You then review and test the resulting
configuration.


Task 1. Verify Access to the R1 LAN from R2
In this task, you verify that without IPS configured, the external router R2 can ping the R1 S0/0/0 interface and
PC-A on the R1 internal LAN.


Step 1: Ping from R2 to R1.

From R2, ping R1 interface S0/0/0 at IP address 10.1.1.1.
R2#ping 10.1.1.1
Were the results successful? _____

If the pings are not successful, troubleshoot the basic device configurations before continuing.


Step 2: Ping from R2 to PC-A on the R1 LAN.

From R2, ping PC-A on the R1 LAN at IP address 192.168.1.3.
R2#ping 192.168.1.3
Were the results successful? _____

If the pings are not successful, troubleshoot the basic device configurations before continuing.


Step 3: Display the R1 running config prior to configuring IPS.

a. Issue the show run command to review the current basic configuration on R1.

b. Are there any security commands related to IPS?
______________________________________________________________________________


Task 2. Prepare the Router and TFTP Server

Step 1: Verify the availability of Cisco IOS IPS files.

To configure Cisco IOS IPS 5.x, the IOS IPS Signature package file and public crypto key file must be
available on PC-A. Check with your instructor if these files are not on the PC. These files can be downloaded
from Cisco.com with a valid user account that has proper authorization.


a. Verify that the IOS-Sxxx-CLI.pkg file is in a TFTP folder. This is the signature package. The xxx is the
version number and varies depending on which file was downloaded.

b. Verify that the realm-cisco.pub.key.txt file is available and note its location on PC-A. This is the public
crypto key used by IOS IPS.


Step 2: Verify or create the IPS directory in router flash on R1.

In this step, you verify the existence of or create a directory in the router flash memory where the required
signature files and configurations will be stored.

Note: Alternatively, you can use a USB flash drive connected to the router's USB port to store the
signature files and configurations. The USB flash drive needs to remain connected to the router's USB
port if it is used as the IOS IPS configuration directory location. IOS IPS also supports any Cisco IOS file
system as its configuration location with proper write access.

a. From the R1 CLI, display the content of flash memory using the show flash command and check for
the ipsdir directory.
R1#show flash
b. If the ipsdir directory is not listed, create it in privileged EXEC mode.
R1#mkdir ipsdir
Create directory filename [ipsdir]? Press Enter
Created dir flash:ipsdir
Note: If the directory already exists, the following message displays.
%Error Creating dir flash:ipsdir (Can't create a file that exists)
c. From the R1 CLI, verify that the directory is present using the dir flash: or dir flash:ipsdir
command.
R1#dir flash:
Directory of flash:/

5 -rw- 37081324 Dec 17 2008 21:57:10 +00:00 c1841-advipservicesk9-mz.124-20.T1.bin
6 drw- 0 Jan 6 2009 11:19:14 +00:00 ipsdir
or
R1#dir flash:ipsdir

Directory of flash:/ipsdir/

No files in directory
Note: The directory exists, but there are currently no files in it.


Task 3. Configuring the IPS Crypto Key
The crypto key verifies the digital signature for the master signature file (sigdef-default.xml). The contents are
signed by a Cisco private key to guarantee the authenticity and integrity at every release.

Note: The following instructions use Notepad as the text editor and HyperTerminal as the terminal emulation
program. Another text editor and terminal emulation program can be used.




Step 1: Locate and open the crypto key file.

On PC-A, locate the crypto key file named realm-cisco.pub.key.txt and open it using Notepad or another
text editor. The contents should look similar to the following:
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit

Step 2: Copy the contents of the text file.

a. From the Notepad menu bar, select Edit > Select All.

b. Select Edit > Copy (or press Ctrl+C).


Step 3: Apply the contents of the text file to the router.

At the R1 privileged EXEC prompt, enter global config mode using the config t command.

With the cursor at the R1(config)# prompt, paste the text file contents from HyperTerminal by right-clicking
and selecting Paste to Host from the context menu. Alternatively, you can select Edit > Paste to
Host from the HyperTerminal menu bar.

Exit global config mode and issue the show run command to confirm that the crypto key is configured.
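The key-string pasted in Step 3 is the DER encoding of an RSA public key (a SubjectPublicKeyInfo structure), and a single corrupted hex word in a copied key file is enough to produce the "Invalid Digital Signature found (key not found)" error when the signature package is later compiled. The following is an added example, not part of the lab, that decodes the key-string from Step 1 with a minimal DER reader and reports the key size, public exponent and a SHA-256 fingerprint that can be compared with a trusted copy of the file. The function names parse_key_string, key_string_ok and _tlv are this example's own; the hex is the key-string listed in Step 1 (a non-hex character in a pasted copy, such as an encoding artifact in place of a letter, makes the check fail).

```python
"""Sanity-check the key-string of an IOS 'crypto key pubkey-chain rsa' block
before pasting it into the router (added example; not part of the lab)."""
import hashlib

# Hex key-string as listed in realm-cisco.pub.key.txt (Task 3, Step 1).
REALM_CISCO_KEY_STRING = """
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def _tlv(buf, pos):
    """Read one DER tag-length-value starting at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past the end of the data (truncated key-string?)")
    return tag, buf[pos:pos + length], pos + length


def parse_key_string(hex_text):
    """Decode a SubjectPublicKeyInfo key-string; raise ValueError unless it is an intact RSA key."""
    der = bytes.fromhex("".join(hex_text.split()))   # rejects any non-hex character
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key-string is not exactly one DER SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)                     # AlgorithmIdentifier
    oid_tag, oid, _ = _tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bitstr, _ = _tlv(spki, pos)                  # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0x00:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsa, _ = _tlv(bitstr, 1)
    n_tag, n, pos = _tlv(rsa, 0)
    e_tag, e, _ = _tlv(rsa, pos)
    if tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("RSAPublicKey is not SEQUENCE { INTEGER n, INTEGER e }")
    modulus, exponent = int.from_bytes(n, "big"), int.from_bytes(e, "big")
    return {
        "bits": modulus.bit_length(),
        "exponent": exponent,
        "modulus": modulus,
        "sha256": hashlib.sha256(der).hexdigest(),  # fingerprint to compare with a trusted copy
    }


def key_string_ok(hex_text):
    """True when the key-string decodes as an intact RSA public key, False otherwise."""
    try:
        parse_key_string(hex_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    info = parse_key_string(REALM_CISCO_KEY_STRING)
    print(f"RSA-{info['bits']} public key, e={info['exponent']}, SHA-256 {info['sha256']}")
```

The check is deliberately structural only: it confirms the file decodes as a 2048-bit RSA key with the usual exponent 65537 and has not been truncated or mangled in transit. Whether it is the genuine Cisco key is a separate question answered by comparing the fingerprint against a copy obtained from a trusted source.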


Task 4. Configure IPS

Step 1: Create an IPS rule.

a. On R1, create an IPS rule name using the ip ips name name command in global configuration
mode. Name the IPS rule iosips. This will be used later on an interface to enable IPS.
R1(config)#ip ips name iosips
b. You can specify an optional extended or standard access control list (ACL) to filter the traffic that will
be scanned by this rule name. All traffic that is permitted by the ACL is subject to inspection by the IPS.
Traffic that is denied by the ACL is not inspected by the IPS.

c. To see the options available for specifying an ACL with the rule name, use the ip ips name
command and the CLI help function (?).
R1(config)#ip ips name ips list ?
<1-199> Numbered access list
WORD Named access list



Step 2: Configure the IPS Signature storage location in router flash memory.

The IPS files will be stored in the ipsdir directory that was created in Task 2, Step 2. Configure the location
using the ip ips config location command.
R1(config)#ip ips config location flash:ipsdir

Step 3: Enable IPS SDEE event notification.

The Cisco Security Device Event Exchange (SDEE) server is a Simple Object Access Protocol (SOAP)
based, intrusion detection system (IDS) alert format and transport protocol specification. SDEE replaces
Cisco RDEP.

To use SDEE, the HTTP server must be enabled with the ip http server command. If the HTTP server is
not enabled, the router cannot respond to the SDEE clients because it cannot see the requests. SDEE
notification is disabled by default and must be explicitly enabled.

Note: SDM Monitor uses HTTP and SDEE to capture IPS events.

To enable SDEE, use the following command.
R1(config)#ip ips notify sdee

Step 4: Enable IPS syslog support.

IOS IPS also supports the use of syslog to send event notification. SDEE and syslog can be used
independently or enabled at the same time to send IOS IPS event notification. Syslog notification is enabled
by default.

a. If logging console is enabled, you see IPS syslog messages. Enable syslog if it is not enabled.
R1(config)#ip ips notify log
Use the show clock command to verify the current time and date for the router. Use the clock
set command from privileged EXEC mode to reset the clock if necessary. The following is an
example of how to set the clock.
R1#clock set 01:20:00 6 january 2009
b. Verify that the timestamp service for logging is enabled on the router using the show run command.
Enable the timestamp service if it is not enabled.
R1(config)#service timestamps log datetime msec
c. To send log messages to the syslog server on PC-A, use the following command:
R1(config)#logging 192.168.1.3
To see the type and level of logging enabled on R1, use the show logging command.
R1#show logging
Note: Verify that you have connectivity between R1 and PC-A by pinging from PC-A to the R1 Fa0/1 interface
IP address 192.168.1.1. If it is not successful, troubleshoot as necessary before continuing.

The next step describes how to download one of the freeware syslog servers if one is not available on PC-A.




Step 5: (Optional) Download and start the syslog server.

If a syslog server is not currently available on PC-A, you can download the latest version of Kiwi from
http://www.kiwisyslog.com or Tftpd32 from http://tftpd32.jounin.net/. If the syslog server is available on the
PC, go to Step 6.

Note: This lab uses the Tftpd32 syslog server.

Start the syslog server software on PC-A if you want to send log messages to it.


Step 6: Configure IOS IPS to use one of the pre-defined signature categories.

IOS IPS with Cisco 5.x format signatures operates with signature categories, just like Cisco IPS appliances
do. All signatures are pre-grouped into categories, and the categories are hierarchical. This helps classify
signatures for easy grouping and tuning.

Warning: The “all” signature category contains all signatures in a signature release. Because IOS IPS cannot
compile and use all the signatures contained in a signature release at one time, do not unretire the “all”
category. Otherwise, the router will run out of memory.

Note: When configuring IOS IPS, it is required to first retire all the signatures in the “all” category and then
unretire selected signature categories.

In the following example, all signatures in the “all” category are retired, and then the “ios_ips basic” category
is unretired.
R1(config)#ip ips signature-category
R1(config-ips-category)#category all
R1(config-ips-category-action)#retired true
R1(config-ips-category-action)#exit
R1(config-ips-category)#category ios_ips basic
R1(config-ips-category-action)#retired false
R1(config-ips-category-action)#exit
R1(config-ips-category)#exit
Do you want to accept these changes? [confirm] <Enter>

Jan 6 01:32:37.983: Applying Category configuration to signatures ...

Step 7: Apply the IPS rule to an interface.

Apply the IPS rule to an interface with the ip ips name direction command in interface
configuration mode. Apply the rule you just created inbound on the S0/0/0 interface. After you enable
IPS, some log messages will be sent to the console line indicating that the IPS engines are being
initialized.

Note: The direction in means that IPS inspects only traffic going into the interface. Similarly, out
means only traffic going out the interface. To enable IPS to inspect both in and out traffic, enter the
IPS rule name for in and out separately on the same interface.
R1(config)#interface serial0/0/0
R1(config-if)#ip ips iosips in

Jan 6 03:03:30.495: %IPS-6-ENGINE_BUILDS_STARTED: 03:03:30 UTC Jan 6 2008
Jan 6 03:03:30.495: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
Jan 6 03:03:30.511: %IPS-6-ENGINE_READY: atomic-ip - build time 16 ms - packets for this engine will be scanned
Jan 6 03:03:30.511: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 16 ms
The message also displays on the syslog server if it is enabled. The Tftpd32 syslog server is shown here.




Although the R1 Fa0/1 interface is an internal interface, it might be desirable to configure it with IPS to
respond to internal attacks. Apply the IPS rule to the R1 Fa0/1 interface in the inbound direction.
R1(config)#interface fa0/1
R1(config-if)#ip ips iosips in

Step 8: Save the running configuration.

Enter privileged EXEC mode using the enable command and provide the enable password cisco12345.
R1#copy run start

Task 5. Load the IOS IPS Signature Package to the Router
The most common way to load the signature package to the router is to use TFTP. Refer to Step 5 for
alternative methods for loading the IOS IPS Signature package. The alternative methods include the use
of FTP and a USB flash drive.


Step 1: (Optional) Download the TFTP server.

The Tftpd32 freeware TFTP server is used in this task. Many other free TFTP servers are also available. If a
TFTP server is not currently available on PC-A, you can download the latest version of Tftpd32 from
http://tftpd32.jounin.net/. If it is already installed, go to Step 2.

Note: This lab uses the Tftpd32 TFTP server. This software also includes a syslog server, which runs
simultaneously with the TFTP server.




Step 2: Start the TFTP server on PC-A and verify the IPS file directory.

a. Verify connectivity between R1 and PC-A, the TFTP server, using the ping command.

b. Verify that the PC has the IPS Signature package file in a directory on the TFTP server. This file is
typically named IOS-Sxxx-CLI.pkg, where xxx is the signature file version.

Note: If this file is not present, contact your instructor before continuing.

c. Start Tftpd32 or another TFTP server and set the default directory to the one with the IPS Signature
package in it. The Tftpd32 screen is shown here with the C:\Program Files\Tftpd32\IPS directory contents
displayed. Take note of the filename for use in the next step.

d. What is the name of the signature file? _________________________________________________




Step 3: Copy the signature package from the TFTP server to the router.

If you do not have a TFTP server available and are using a router with a USB port, you can go to Step 5 and
use the procedure described there.

a. Use the copy tftp command to retrieve the signature file. Be sure to use the idconf keyword at
the end of the copy command.

Note: Immediately after the signature package is loaded to the router, signature compiling begins.
You can see the messages on the router with logging level 6 or above enabled.
R1#copy tftp://192.168.1.3/IOS-S364-CLI.pkg idconf

Loading IOS-S364-CLI.pkg from 192.168.1.3 (via FastEthernet0/1):
!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 6654646 bytes]

Jan 6 03:18:36.799: %IPS-6-ENGINE_BUILDS_STARTED: 03:18:36 UTC Jan 6 2008
Jan 6 03:18:36.799: %IPS-6-ENGINE_BUILDING: multi-string - 8 signatures - 1 of 13 engines
Jan 6 03:18:36.811: %IPS-6-ENGINE_READY: multi-string - build time 12 ms - packets for this engine will be scanned
Jan 6 03:18:36.831: %IPS-6-ENGINE_BUILDING: service-http - 629 signatures - 2 of 13 engines
Jan 6 03:18:46.755: %IPS-6-ENGINE_READY: service-http - build time 9924 ms - packets for this engine will be scanned
<Output omitted>
b. Use the dir flash command to see the contents of the ipsdir directory created earlier. There should
be six files as shown here.
R1#dir flash:ipsdir
Directory of flash:/ipsdir/

16 -rw- 230621 Jan 6 2008 03:19:42 +00:00 R1-sigdef-default.xml
15 -rw- 255 Jan 6 2008 01:35:26 +00:00 R1-sigdef-delta.xml
14 -rw- 6632 Jan 6 2008 03:17:48 +00:00 R1-sigdef-typedef.xml
13 -rw- 28282 Jan 6 2008 03:17:52 +00:00 R1-sigdef-category.xml
10 -rw- 304 Jan 6 2008 01:35:28 +00:00 R1-seap-delta.xml
18 -rw- 491 Jan 6 2008 01:35:28 +00:00 R1-seap-typedef.xml

Step 4: Verify that the signature package is properly compiled.

a. Use the show ip ips signature count command to see the counts for the signature package
compiled.
R1#show ip ips signature count

Cisco SDF release version S364.0
Trend SDF release version V0.0

Signature Micro-Engine: multi-string: Total Signatures 11
multi-string enabled signatures: 9
multi-string retired signatures: 11

Signature Micro-Engine: service-http: Total Signatures 662
service-http enabled signatures: 163
service-http retired signatures: 565
service-http compiled signatures: 97
service-http obsoleted signatures: 1

Signature Micro-Engine: string-tcp: Total Signatures 1148
string-tcp enabled signatures: 622
string-tcp retired signatures: 1031
string-tcp compiled signatures: 117
string-tcp obsoleted signatures: 21

<Output Omitted>

Total Signatures: 2435
Total Enabled Signatures: 1063
Total Retired Signatures: 2097
Total Compiled Signatures: 338
Total Obsoleted Signatures: 25


Note: If you see an error message during signature compilation, such as “%IPS-3-
INVALID_DIGITAL_SIGNATURE: Invalid Digital Signature found (key not found),” it means the public
crypto key is invalid. Refer to Task 3, Configuring the IOS IPS Crypto Key, to reconfigure the public
crypto key.

b. Use the show ip ips all command to see an IPS configuration status summary. To which
interfaces and in which direction is the iosips rule applied? _______________________________
R1#show ip ips all

IPS Signature File Configuration Status
Configured Config Locations: flash:ipsdir/
Last signature default load time: 18:47:52 UTC Jan 6 2009
Last signature delta load time: 20:11:35 UTC Jan 6 2009
Last event action (SEAP) load time: -none-

General SEAP Config:
Global Deny Timeout: 3600 seconds
Global Overrides Status: Enabled
Global Filters Status: Enabled

IPS Auto Update is not currently configured

IPS Syslog and SDEE Notification Status
Event notification through syslog is enabled
Event notification through SDEE is enabled

IPS Signature Status
Total Active Signatures: 339
Total Inactive Signatures: 2096

IPS Packet Scanning and Interface Status
IPS Rule Configuration
IPS name iosips
IPS fail closed is disabled
IPS deny-action ips-interface is false
Interface Configuration
Interface Serial0/0/0
Inbound IPS rule is iosips
Outgoing IPS rule is not set
Interface FastEthernet0/1
Inbound IPS rule is iosips
Outgoing IPS rule is not set

IPS Category CLI Configuration:
Category all:
Retire: True
Category ios_ips basic:
Retire: False
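Reading the show ip ips all output by eye is fine for one router, but the same questions (which interfaces carry the rule and in which direction, is the "all" category retired, are syslog and SDEE on, were any signatures compiled) are worth checking mechanically on every router. The following is an added example, not part of the lab, that parses the output shown above and compares it with the state the lab intends. The sample text is the lab's own output from this step, trimmed to the sections the parser reads; the function names parse_show_ip_ips_all and check_policy and the expected-state defaults are this example's assumptions.

```python
"""Check 'show ip ips all' output against the IPS state the lab intends
(added example; not part of the lab)."""
import re

# Sample output copied from Task 5, Step 4 of the lab (abridged to the sections parsed here).
SHOW_IP_IPS_ALL = """\
IPS Syslog and SDEE Notification Status
Event notification through syslog is enabled
Event notification through SDEE is enabled

IPS Signature Status
Total Active Signatures: 339
Total Inactive Signatures: 2096

IPS Packet Scanning and Interface Status
IPS Rule Configuration
IPS name iosips
IPS fail closed is disabled
IPS deny-action ips-interface is false
Interface Configuration
Interface Serial0/0/0
Inbound IPS rule is iosips
Outgoing IPS rule is not set
Interface FastEthernet0/1
Inbound IPS rule is iosips
Outgoing IPS rule is not set

IPS Category CLI Configuration:
Category all:
Retire: True
Category ios_ips basic:
Retire: False
"""


def parse_show_ip_ips_all(text):
    """Extract per-interface rules, category retire flags, notification channels and active count."""
    state = {"interfaces": {}, "categories": {}, "notify": {}, "active": None}
    iface = cat = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface ") and line != "Interface Configuration":
            iface = line.split(" ", 1)[1]
            state["interfaces"][iface] = {"in": None, "out": None}
        elif (m := re.match(r"(Inbound|Outgoing) IPS rule is (.+)$", line)) and iface:
            rule = None if m[2] == "not set" else m[2]
            state["interfaces"][iface]["in" if m[1] == "Inbound" else "out"] = rule
        elif (m := re.match(r"Category (.+):$", line)):
            cat = m[1]
        elif (m := re.match(r"Retire: (True|False)$", line)) and cat:
            state["categories"][cat] = (m[1] == "True")
        elif (m := re.match(r"Event notification through (\w+) is (enabled|disabled)$", line)):
            state["notify"][m[1]] = (m[2] == "enabled")
        elif (m := re.match(r"Total Active Signatures: (\d+)$", line)):
            state["active"] = int(m[1])
    return state


def check_policy(state, rule="iosips", inbound_on=("Serial0/0/0", "FastEthernet0/1")):
    """Return a list of findings; an empty list means the router matches the intended state."""
    findings = []
    for name in inbound_on:
        got = state["interfaces"].get(name, {}).get("in")
        if got != rule:
            findings.append(f"{name}: inbound IPS rule is {got or 'not set'}, expected {rule}")
    if state["categories"].get("all") is not True:
        findings.append("category 'all' is not retired (router may run out of memory)")
    if state["categories"].get("ios_ips basic") is not False:
        findings.append("category 'ios_ips basic' is not unretired; nothing would be compiled")
    for chan in ("syslog", "SDEE"):
        if not state["notify"].get(chan):
            findings.append(f"{chan} event notification is not enabled")
    if not state["active"]:
        findings.append("no active signatures; package not loaded or not compiled")
    return findings


if __name__ == "__main__":
    for finding in check_policy(parse_show_ip_ips_all(SHOW_IP_IPS_ALL)) or ["OK: matches intended state"]:
        print(finding)
```

The parser keys on the literal phrases in the output, so it is tied to this IOS release's wording; on a different release, compare a captured show ip ips all against the sample before trusting the result.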

Step 5: (Optional) Alternative methods of copying the signature package to the router.

If you used TFTP to copy the file and do not intend to use one of these alternative methods, read through the
procedures described here to become familiar with them. If you use one of these methods instead of TFTP,
return to Step 4 to verify that the signature package loaded properly.




FTP method: Although the TFTP method is generally adequate, the signature file is rather large and FTP
provides a more positive method of copying the file. You can use an FTP server to copy the signature file to
the router with this command:

copy ftp://<ftp_user:password@Server_IP_address>/<signature_package> idconf

In the following example, the user admin must be defined on the FTP server with
a password of cisco.
R1#copy ftp://admin:cisco@192.168.1.3/IOS-S364-CLI.pkg idconf
Loading IOS-S364-CLI.pkg !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 7608873/4096 bytes]

USB method: If there is no access to an FTP or TFTP server, you can use a USB flash drive to load the
signature package to the router.

a. Copy the signature package onto the USB drive.

b. Connect the USB drive to one of the USB ports on the router.

c. Use the show file systems command to see the name of the USB drive. In the following output, a
4GB USB drive is connected to the USB port on the router as file system usbflash0:.
R1#show file systems
File Systems:

Size(b) Free(b) Type Flags Prefixes
- - opaque rw archive:
- - opaque rw system:
- - opaque rw tmpsys:
- - opaque rw null:
- - network rw tftp:
196600 185972 nvram rw nvram:
* 64012288 14811136 disk rw flash:#
- - opaque wo syslog:
- - opaque rw xmodem:
- - opaque rw ymodem:
- - network rw rcp:
- - network rw pram:
- - network rw http:
- - network rw ftp:
- - network rw scp:
- - opaque ro tar:
- - network rw https:
- - opaque ro cns:
4001378304 3807461376 usbflash rw usbflash0:
d. Verify the contents of the flash drive using the dir command.
R1#dir usbflash0:
Directory of usbflash0:/
90 -rw- 6654646 Jan 5 2009 14:49:34 +00:00 IOS-S364-CLI.pkg
91 -rw- 805 Jan 5 2009 14:49:34 +00:00 realm-cisco.pub.key.txt
e. Use the copy command with the idconf keyword to copy the signature package to the router.
R1#copy usbflash0:IOS-S364-CLI.pkg idconf
The USB copy process can take 60 seconds or more, and no progress indicator is displayed. When
the copy process is completed, numerous engine building messages display. These must finish
before the command prompt returns.

Task 6. Test the IPS Rule and Modify a Signature
You can work with signatures in many ways. They can be retired and unretired, enabled and disabled, and
their characteristics and actions can be changed. In this task, you first test the default behavior of IOS IPS by
pinging it from the outside.


Step 1: Ping from R2 to the R1 serial 0/0/0 interface.

From the CLI on R2, ping R1 S0/0/0 at IP address 10.1.1.1. The pings are successful because the ICMP
Echo Request signature 2004:0 is retired.


Step 2: Ping from R2 to PC-A.

From the CLI on R2, ping PC-A at IP address 192.168.1.3. These pings are also successful because of
the retired signature. This is the default behavior of the IPS Signatures.
R2#ping 192.168.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Step 3: Modify the signature.

You can use Cisco IOS CLI to change signature status and actions for one signature or a group of signatures
based on signature categories.

The following example shows how to un-retire the echo request signature, enable it, change the signature
action to alert, and drop and reset for signature 2004 with a subsig ID of 0.
R1(config)#ip ips signature-definition
R1(config-sigdef)#signature 2004 0
R1(config-sigdef-sig)#status
R1(config-sigdef-sig-status)#retired false
R1(config-sigdef-sig-status)#enabled true
R1(config-sigdef-sig-status)#engine
R1(config-sigdef-sig-engine)#event-action produce-alert
R1(config-sigdef-sig-engine)#event-action deny-packet-inline
R1(config-sigdef-sig-engine)#event-action reset-tcp-connection
R1(config-sigdef-sig-engine)#exit
R1(config-sigdef-sig)#exit
R1(config-sigdef)#exit
Do you want to accept these changes? [confirm] <Enter>

*Jan 6 19:36:56.459: %IPS-6-ENGINE_BUILDS_STARTED: 19:36:56 UTC Jan 6 2009
*Jan 6 19:36:56.891: %IPS-6-ENGINE_BUILDING: atomic-ip - 306 signatures - 1
of 13 engines
*Jan 6 19:36:57.599: %IPS-6-ENGINE_READY: atomic-ip - build time 704 ms -
packets for this engine will be scanned
*Jan 6 19:36:57.979: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 1520 ms

Step 4: Ping from R2 to R1 serial 0/0/0 interface.

a. Start the syslog server.



b. From the CLI on R2, ping R1 S0/0/0 at IP address 10.1.1.1. Were the pings successful? Why or why
not? ___________________________________________________________________________


Step 5: Ping from R2 to PC-A.

a. From the CLI on R2, ping PC-A at IP address 192.168.1.3. Were the pings successful?
_______________________________________________________________________________

R2#ping 192.168.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
b. Notice the IPS messages from R1 on the syslog server screen below. How many messages were
generated from the R2 pings to R1 and PC-A? ________________________________________




Note: The ICMP echo request IPS risk rating (severity level) is relatively low at 25. Risk rating can range from
0 to 100.
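The question in Step 5b (how many IPS messages the two sets of pings produced) is answered by reading the syslog server screen; on a busy router it is quicker to count alerts per signature and per flow from the saved log. The following is an added example, not part of the lab, that parses IOS IPS syslog lines. The sample log is constructed: the two engine messages follow the format shown in Step 3, and the ten %IPS-4-SIGNATURE lines follow the IOS IPS 5.x alert format as this example assumes it (the lab shows the server screen only as an image), with five echo requests from R2 (10.1.1.2) to 10.1.1.1 and five to 192.168.1.3, matching Steps 4 and 5. The function names parse_ips_syslog and summarize and the high-risk threshold of 50 are this example's own.

```python
"""Count IOS IPS syslog alerts per signature and per flow (added example; not part of the lab)."""
import re
from collections import Counter

# Constructed sample log. Engine lines copy the lab's format; the %IPS-4-SIGNATURE lines
# are written in the IOS IPS 5.x alert format as assumed by this example.
SAMPLE_SYSLOG = """\
*Jan 6 19:36:56.459: %IPS-6-ENGINE_BUILDS_STARTED: 19:36:56 UTC Jan 6 2009
*Jan 6 19:36:57.979: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 1520 ms
*Jan 6 19:40:12.103: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.2:0 -> 10.1.1.1:0] VRF:NONE RiskRating:25
*Jan 6 19:40:14.107: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.2:0 -> 10.1.1.1:0] VRF:NONE RiskRating:25
*Jan 6 19:40:16.111: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.2:0 -> 10.1.1.1:0] VRF:NONE RiskRating:25
*Jan 6 19:40:18.115: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.2:0 -> 10.1.1.1:0] VRF:NONE RiskRating:25
*Jan 6 19:40:20.119: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.2:0 -> 10.1.1.1:0] VRF:NONE RiskRating:25
*Jan 6 19:41:02.203: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.2:0 -> 192.168.1.3:0] VRF:NONE RiskRating:25
*Jan 6 19:41:04.207: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.2:0 -> 192.168.1.3:0] VRF:NONE RiskRating:25
*Jan 6 19:41:06.211: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.2:0 -> 192.168.1.3:0] VRF:NONE RiskRating:25
*Jan 6 19:41:08.215: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.2:0 -> 192.168.1.3:0] VRF:NONE RiskRating:25
*Jan 6 19:41:10.219: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.2:0 -> 192.168.1.3:0] VRF:NONE RiskRating:25
"""

# Any IOS syslog line carrying an IPS facility message: %IPS-<level>-<MNEMONIC>: <body>
IPS_MSG = re.compile(r"%IPS-(?P<level>\d)-(?P<mnemonic>[A-Z_]+): (?P<body>.*)$")
# Body of a SIGNATURE alert: signature id, severity, name, [src:port -> dst:port], risk rating
SIG_BODY = re.compile(
    r"Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) (?P<name>.+?) "
    r"\[(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+\](?: VRF:\S+)? RiskRating:(?P<risk>\d+)$"
)


def parse_ips_syslog(text):
    """Return one event dict per IPS message; 'alert' is filled in for SIGNATURE messages."""
    events = []
    for line in text.splitlines():
        m = IPS_MSG.search(line)
        if not m:
            continue  # not an IPS message; other facilities are ignored here
        event = {"level": int(m["level"]), "mnemonic": m["mnemonic"], "alert": None}
        if m["mnemonic"] == "SIGNATURE":
            s = SIG_BODY.match(m["body"])
            if s is None:
                raise ValueError(f"unrecognised SIGNATURE body: {m['body']!r}")
            event["alert"] = {"sig": f"{s['sig']}:{s['subsig']}", "name": s["name"],
                              "src": s["src"], "dst": s["dst"], "risk": int(s["risk"])}
        events.append(event)
    return events


def summarize(events, high_risk=50):
    """Aggregate alerts by signature and by (src, dst) flow and flag high risk ratings."""
    alerts = [e["alert"] for e in events if e["alert"] is not None]
    return {
        "engine_messages": sum(1 for e in events if e["alert"] is None),
        "alerts": len(alerts),
        "by_signature": Counter(f"{a['sig']} {a['name']}" for a in alerts),
        "by_flow": Counter((a["src"], a["dst"]) for a in alerts),
        "max_risk": max((a["risk"] for a in alerts), default=0),
        "high_risk": [a for a in alerts if a["risk"] >= high_risk],
    }


if __name__ == "__main__":
    report = summarize(parse_ips_syslog(SAMPLE_SYSLOG))
    print(f"{report['alerts']} alerts, {report['engine_messages']} engine messages")
    for key, count in report["by_flow"].most_common():
        print(f"  {key[0]} -> {key[1]}: {count}")
```

With the constructed sample the report shows ten alerts for signature 2004:0, five per destination, a maximum risk rating of 25 (the low value the note above mentions) and nothing over the high-risk threshold; the same code run over a real Tftpd32 or Kiwi export answers the lab's question for whatever traffic actually arrived.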


Task 7. (Optional) Test IPS with SuperScan
SuperScan is a freeware scanning tool that runs with Windows XP. It can detect open TCP and UDP ports on
a target host. If the SuperScan program is available on PC-A or can be downloaded, you can perform this
task.

SuperScan will test the IPS capabilities on R1. You will run the scanning program from PC-A and attempt to
scan open ports on router R2. The IPS rule iosips, which is set on R1 F0/1 inbound, should intercept the
scanning attempts and send messages to the R1 console and syslog server.


Step 1: Download the SuperScan program.

a. If SuperScan is not on PC-A, download the SuperScan 4.0 tool from the Scanning Tools group at
http://www.foundstone.com.



b. Unzip the file into a folder. The SuperScan4.exe file is executable and installation is not required.
