5.4.1.2 Packet Tracer - Configure IOS Intrusion Prevention System (IPS) Using CLI

Packet Tracer - Configure IOS Intrusion Prevention System (IPS) Using the CLI Topology Addressing Table Device Interface IP Address Subnet Mask Default Gateway Switch Port R1 G0/1 192.168.1.1 255.255.255.0 N/A S1 F0/1 S0/0/0 10.1.1.1 255.255.255.252 N/A N/A R2 S0/0/0 (DCE) 10.1.1.2 255.255.255.252 N/A N/A S0/0/1 (DCE) 10.2.2.2 255.255.255.252 N/A N/A R3 G0/1 192.168.3.1 255.255.255.0 N/A S3 F0/1 S0/0/0 10.2.2.1 255.255.255.252 N/A N/A Syslog NIC 192.168.1.50 255.255.255.0 192.168.1.1 S1 F0/2 PC-A NIC 192.168.1.2 255.255.255.0 192.168.1.1 S1 F0/3 PC-C NIC 192.168.3.2 255.255.255.0 192.168.3.1 S3 F0/2 Objectives  Enable IOS IPS.  Configure logging.  Modify an IPS signature.  Verify IPS. Background / Scenario Your task is to enable IPS on R1 to scan traffic entering the 192.168.1.0 network. The server labeled Syslog is used to log IPS messages. You must configure the router to identify the syslog server to receive logging messages. Displaying the correct time and date in syslog messages is vital when using syslog to monitor the network. Set the clock and configure the timestamp service for logging on the routers. Finally, enable IPS to produce an alert and drop ICMP echo reply packets inline. The server and PCs have been preconfigured. The routers have also been preconfigured with the following: © 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 6

Packet Tracer - Configure IOS Intrusion Prevention System (IPS) using CLI o Enable password: ciscoenpa55 o Console password: ciscoconpa55 o SSH username and password: SSHadmin / ciscosshpa55 o OSPF 101 Part 1: Enable IOS IPS Note : Within Packet Tracer, the routers already have the signature files imported and in place. They are the default xml files in flash. For this reason, it is not necessary to configure the public crypto key and complete a manual import of the signature files. Step 1: Enable the Security Technology package. a. On R1 , issue the show version command to view the Technology Package license information. b. If the Security Technology package has not been enabled, use the following command to enable the package. R1(config)# license boot module c1900 technology-package securityk9 c. Accept the end user license agreement. d. Save the running-config and reload the router to enable the security license. e. Verify that the Security Technology package has been enabled by using the show version command. Step 2: Verify network connectivity. a. Ping from PC-C to PC-A . The ping should be successful. b. Ping from PC-A to PC-C . The ping should be successful. Step 3: Create an IOS IPS configuration directory in flash. On R1 , create a directory in flash using the mkdir command. Name the directory ipsdir . R1# mkdir ipsdir Create directory filename [ipsdir]? <Enter> Created dir flash:ipsdir Step 4: Configure the IPS signature storage location. On R1 , configure the IPS signature storage location to be the directory you just created. R1(config)# ip ips config location flash:ipsdir Step 5: Create an IPS rule. On R1 , create an IPS rule name using the ip ips name name command in global configuration mode. Name the IPS rule iosips . R1(config)# ip ips name iosips © 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 2 of 6

Packet Tracer - Configure IOS Intrusion Prevention System (IPS) using CLI Part 2: Modify the Signature Step 1: Change the event-action of a signature. Un-retire the echo request signature (signature 2004, subsig ID 0), enable it, and change the signature action to alert and drop. R1(config)# ip ips signature-definition R1(config-sigdef)# signature 2004 0 R1(config-sigdef-sig)# status R1(config-sigdef-sig-status)# retired false R1(config-sigdef-sig-status)# enabled true R1(config-sigdef-sig-status)# exit R1(config-sigdef-sig)# engine R1(config-sigdef-sig-engine)# event-action produce-alert R1(config-sigdef-sig-engine)# event-action deny-packet-inline R1(config-sigdef-sig-engine)# exit R1(config-sigdef-sig)# exit R1(config-sigdef)# exit Do you want to accept these changes? [confirm] <Enter> Step 2: Use show commands to verify IPS. Use the show ip ips all command to view the IPS configuration status summary. To which interfaces and in which direction is the iosips rule applied? G0/1 outbound _______________________________________________________________________________________ Step 3: Verify that IPS is working properly. a. From PC-C , attempt to ping PC-A . Were the pings successful? Explain. The pings should fail. This is because the IPS rule for event-action of an echo request was set to “denypacket-inline”. ____________________________________________________________________________________ ____________________________________________________________________________________ b. From PC-A , attempt to ping PC-C . Were the pings successful? Explain. © 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 4 of 6

Packet Tracer - Configure IOS Intrusion Prevention System (IPS) using CLI The ping should be successful. This is because the IPS rule does not cover echo reply. When PC-A pings PC-C, PC-C responds with an echo reply. ____________________________________________________________________________________ ____________________________________________________________________________________ Step 4: View the syslog messages. a. Click the Syslog server. b. Select the Services tab. c. In the left navigation menu, select SYSLOG to view the log file. Step 5: Check results. Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed. config t license boot module c1900 technology-package securityk9 yes end reload config t ip ips config location flash:ipsdir ip ips name iosips ip ips notify log service timestamps log datetime msec logging host 192.168.1.50 ip ips signature-category category all retired true exit © 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 5 of 6