Problem with IDM configuration on AAA

Hi, I am working on the IPS section, where I have configured the IDS to allow HTTPS access from the AAA,

with a proper access-list permitting the AAA IP address for management, and I have reachability from the AAA to the IDS.

But I am unable to open the GUI of the IDS.

But when I do it from the test PC, which is in the same VLAN as the IDS, it works perfectly.

Did anyone face the same problem, and what is the solution to it?

My configs are exactly the same as per the solution guide, but nothing is working.

Waiting for some help.




  • Couple of things:

    1) Are you sure you have the 'same-security-traffic permit intra-interface' on the PIX?
    2) On R1 do you have a static route pointing to the PIX for the IPS management IP?

    Let me know.

Hi mate, thanks for your reply.

    No, I have not added a specific route for the IDS on R1 as they are in the same VLAN.

    Because I can ping from the IDS to the AAA and even trace works fine, but only IDM is not opening.

    But what difference will it make anyway, as R1 and the IDS are in the same VLAN?

    Is it necessary for the IDS to receive the traffic from the PIX only, as the traffic is sent towards the PIX?

    Anyways, I will try out what you said.

    Will update you in a few hours.

    Thanks for your quick response.

    I guess only you and Earl are active members on this forum.


  • Hey Sebastan,

Ya, I don't think there are too many active people doing the security track in this forum, so we will keep each other straight. =) You need to have the static host route on R1 for the IDS pointing to the PIX, or else you will route traffic asymmetrically to and from the IDS, since the IDS's default gateway is the PIX. If R1 sends traffic directly to the IDS, then the PIX will drop the return traffic due to no connection state for said connection. I hope that fixes your problem.
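To make the asymmetric-routing explanation above concrete, here is an added Python model (not from the thread, the lab workbook or any Cisco software) of a PIX-style connection table. The addresses, port numbers and the `next_hop_r1` helper are all constructed for the illustration; the only real command referenced is the IOS `ip route` host route named in the comments. Without the host route, R1 hands the AAA's SYN straight to the IDS, the PIX never builds state, and the IDS's reply (which always goes to its default gateway, the PIX) is dropped; with the host route, both halves of the flow cross the PIX and the reply matches an existing connection.

```python
"""Model of why a stateful firewall drops the return half of an
asymmetrically routed flow, and why a host route on R1 fixes it."""
from dataclasses import dataclass, field

# Constructed addresses for the example; none of these come from the thread.
AAA = "10.1.1.10"   # AAA server behind R1
IDS = "10.2.2.20"   # IDS management interface, default gateway = PIX
PIX = "10.2.2.1"    # PIX interface in the IDS's VLAN
R1 = "10.2.2.2"     # R1 interface in the same VLAN as the IDS


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection


@dataclass
class StatefulFirewall:
    """PIX-style connection table keyed on (src, sport, dst, dport)."""
    conns: set = field(default_factory=set)
    dropped: list = field(default_factory=list)

    def forward(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.syn:
            self.conns.add(fwd)          # new connection: create state
            return True
        if fwd in self.conns or rev in self.conns:
            return True                  # belongs to a known connection
        self.dropped.append(pkt)         # no state for this flow: drop
        return False


def next_hop_r1(dst: str, host_route_via_pix: bool) -> str:
    """R1's forwarding decision for the IDS address (hypothetical helper).

    host_route_via_pix=True models:  ip route <IDS> 255.255.255.255 <PIX>
    host_route_via_pix=False models: no host route, so R1 uses the
    connected VLAN and sends the frame directly to the IDS.
    """
    if dst == IDS and host_route_via_pix:
        return PIX
    return "direct"


def run(host_route_via_pix: bool) -> bool:
    """Return True if the IDS's SYN/ACK makes it back to the AAA."""
    fw = StatefulFirewall()
    syn = Packet(AAA, IDS, 40000, 443, syn=True)   # AAA -> IDS HTTPS
    synack = Packet(IDS, AAA, 443, 40000)           # IDS reply

    # Forward direction: only crosses the PIX if R1 routes it there.
    if next_hop_r1(syn.dst, host_route_via_pix) == PIX:
        fw.forward(syn)

    # Return direction: the IDS always sends via its default gateway (PIX).
    return fw.forward(synack)


if __name__ == "__main__":
    print("no host route on R1:", run(False))   # IDM never loads
    print("host route via PIX:", run(True))     # reply allowed
```

The model ignores the PIX's interface ACLs and the `same-security-traffic permit intra-interface` requirement mentioned earlier in the thread; both must also be in place for the hairpinned flow, but the connection-state check alone is enough to explain why ping and trace can still look fine while the HTTPS session never completes.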

Hi mate, thanks a lot, it really worked, man.

    One thing I really didn't know was that when the PIX is forwarding the traffic out of the same interface it would maintain a connection table.

    That's really great, because I never found that in the documentation,
    nor in the solution guide.

    Thanks for coming to my rescue, man.

    Yeah, we will surely work together, man. It will be fun solving issues in the lab and getting things worked out.

    By the way, when is your lab? My lab is scheduled in November.

    See ya

Mate, one more query about the IPS section: it is about creating the custom signature for the password string in a telnet connection.

    I did my config as per the solution, but the signature never fired.

    When we are monitoring a source VLAN, the VLAN between the PIX outside and the VPN public, the direction of the SPAN can only be set to rx, right?

    Now I have read in the documentation that traffic routed from another VLAN can never be monitored with SPAN monitoring a VLAN.

    My doubt is that in the verification for the password string, the user telnets to the VPN 3005 public interface.

    Now the user is on VLAN 19 and the VPN is in VLAN 119, so will the SPAN actually monitor the traffic going from VLAN 19 to VLAN 119?

    I guess that's the reason my IDS is not firing the signature.

    How did you get it working?

    Waiting for your reply.


  • Glad to hear it worked!

For the IPS question, I set the SPAN to both per the default and then set the signature direction within the IPS configuration. I am not in front of an IPS right now to spell that out more clearly, so I apologize, and let me know if that doesn't make sense. For me, I would always set the SPAN to include both and then manipulate it within the IPS signature IF required to do so and IF they state not to explicitly enable both on the SPAN.

    I took the lab back in August and missed it by 5%, but I wasn't ready. My advice to you: DO NOT GO TAKE IT if you haven't finished all these labs! I am taking it again on Monday, and I have been through these labs twice now and almost a 3rd time - they are so good! Wish me luck and I will let you know how it goes brother.

Hi mate, thanks for your reply.

    I guess I will have to try it by monitoring both the interfaces individually and setting the direction to both,
    because even in the solution they are doing source VLAN.

    Hey man, best of luck for your lab on Monday, all my best wishes to you, mate. I am sure you will crack it this time.

    Yeah, this is my first practice of the lab. My lab is in November. In October I will be doing the lab once again.

    Doing the labs twice is really necessary. I mean, are these labs very similar to what you get in the real lab?

    Yeah, do let me know how the lab goes. All my best wishes to you.

    Best regards

  • Hi Guys,

Nick, did you pass your lab on the 2nd attempt?

    I have recently started going through the labs and I am finding them tough going, a lot of new stuff.

    Have either of you attended the Security bootcamp or are you planning to go on the bootcamp, and if you have already attended, what are your thoughts...

  • Hi Steel,

    Yes, I passed on the 2nd attempt after going through all the Internetworkexpert labs almost 3 times. So my advice to you is to go through them as many times as you can until you no longer need the solutions guide at all.

    Good luck!

  • Nick,

    Congratulations on passing your lab!

What period of time did you do the labs over, i.e. 2 months, and how much time did you dedicate to completing a lab, i.e. every evening & weekend?

    Cheers Ian..