ACL block entries are not added in 6500 IOS switch by IPS ARC

vlad_ezh
Level 1

The situation is the following:

IPS device - IPS4260  7.0(6)E4

ARC device - 6500 IOS 12.2(33)SXI5

The 6500 has 2 Internet connections; vlan2 and vlan11 are the corresponding L3 interfaces.

The IPS works in promiscuous mode; traffic is captured using VACL capture on vlan2 and vlan11.

The servers which must be protected are in vlan 8; I need to set up an outgoing block ACL on the Vlan8 L3 interface.

I have two problems with this configuration:

1) The IPS did not enter blocked hosts and connections into the ACL. I see that the ACL on the interface is regularly changed from IDS_Vlan8_out_1 to IDS_Vlan8_out_0, but no block entries are added.

2) If I try to read the running config I regularly get the warning that the configuration is not accessible.

How often should the IPS change the block ACLs?

Why doesn't it add the block entries?

Thanks for any clue.

4 Replies

rhermes
Level 7

You need to specify the 6500 as a "router" device in your IPS Sensor.

The IPS will change the ACL in your 6500 twice for each signature that has the action set to "Request Block" that fires.

The first ACL change will block the host IP address, then 15 min later the host will be unblocked (it may be 30 min, I forget exactly). The function of the two ACLs is so that the sensor can have a "scratch" ACL to write then swap it out with the applied ACL.

To see an entry in your ACL you need to either have an existing signature set to block fire, or edit a signature to block and then hit that signature. (a custom TCP sig with a known text string works nicely).

- Bob

Bob, it's already done.

- the 6500 is configured as an IOS block device

- there are signatures with block-host event rules

- there are blocked hosts in the IPS

I just discovered that there are errors in the log:

-----------------------------------------

ips4260-1# sh events error | include : nac

evError: eventId=1317178506899167905 severity=error vendor=Cisco
originator:
hostId: ips4260-1
appName: nac
appInstanceId: 28636
time: 2011/10/06 08:19:10 2011/10/06 09:14:10 EST
errorMessage: name=errSystemError Established a connection to IP [10.1.1.100]

---------------------------------------------

Is it possible that the problem is connected to the fact that the 6500 config is quite big?

According to your error log, the IPS sensor is not logging into the 6500 successfully.

You need to add the 6500's SSH key into your IPS sensor (at the command prompt):

ssh host-key 10.1.1.100

You need to define the 6500 and how you will talk to it (I think you've done this, in the configuration):

router-devices 10.1.1.100
communication ssh

And you need to set shunning in the config:

conf t
service network-access
general
block-enable true
exit
user-profiles 6500
username cisco
(config-net-use)# password
Enter password[]: *********
Re-enter password: *********
(config-net-use)# enable-password
Enter enable-password[]: *********
Re-enter enable-password: *********
exit
exit
[yes]

conf t
service network-access
general
block-enable true
exit
router-devices 10.1.1.100
communication SSH-3des
profile-name 6500
block-interfaces vlan8 out
exit
exit
exit
[yes]

It's all already done - I have tested using telnet and SSH.

I think that the IPS successfully connects to the 6513, as the ACL applied to Vlan8 is continuously changed between

interface Vlan8
 ip access-group IDS_Vlan8_out_0 out

and

interface Vlan8
 ip access-group IDS_Vlan8_out_1 out

Also the error:

------------------------------------

evError: eventId=1317178506899193520 severity=error vendor=Cisco
  originator:
    hostId: ips4260-1
    appName: nac
    appInstanceId: 26677
  time: 2011/10/07 09:40:51 2011/10/07 10:35:51 EST
  errorMessage: name=errSystemError Established a connection to IP [10.1.1.100]

-------------------------------------

looks like it is reporting a normal connection.

I tried to use incorrect passwords and got different errors:

-----------------------------------------------------

evError: eventId=1317178506899193550 severity=error vendor=Cisco
  originator:
    hostId: ips4260-1
    appName: nac
    appInstanceId: 27022
  time: 2011/10/07 09:43:10 2011/10/07 10:38:10 EST
  errorMessage: name=errSystemError ERROR: Wrong username/password for net device [10.1.1.100]


evError: eventId=1317178506899193691 severity=error vendor=Cisco
  originator:
    hostId: ips4260-1
    appName: nac
    appInstanceId: 27485
  time: 2011/10/07 09:48:13 2011/10/07 10:43:13 EST
  errorMessage: name=errSystemError Bad enable password for device [10.1.1.100]

-------------------------------------------------------
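The three event kinds shown in this thread (a benign "Established a connection" record logged at severity=error, a wrong login password, and a wrong enable password) are easy to confuse when eyeballing `show events error` output. The following is an added example, not code from this thread or from Cisco: it parses the multi-line evError records of the `nac` application into structured objects and tallies, per blocking device, how many logins succeeded and how many failed on the login or enable password. It assumes the exact record layout quoted above; the sample events are constructed (made-up event IDs and times) and the verdict strings are keyed on the message texts quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of `show events error | include : nac`
# seen in the thread. Event IDs and times are made up, not from a real sensor.
SAMPLE_EVENTS = """\
evError: eventId=1000000000000000001 severity=error vendor=Cisco
  originator:
    hostId: ips4260-1
    appName: nac
    appInstanceId: 26677
  time: 2011/10/07 09:40:51 2011/10/07 10:35:51 EST
  errorMessage: name=errSystemError Established a connection to IP [10.1.1.100]

evError: eventId=1000000000000000002 severity=error vendor=Cisco
  originator:
    hostId: ips4260-1
    appName: nac
    appInstanceId: 27022
  time: 2011/10/07 09:43:10 2011/10/07 10:38:10 EST
  errorMessage: name=errSystemError ERROR: Wrong username/password for net device [10.1.1.100]

evError: eventId=1000000000000000003 severity=error vendor=Cisco
  originator:
    hostId: ips4260-1
    appName: nac
    appInstanceId: 27485
  time: 2011/10/07 09:48:13 2011/10/07 10:43:13 EST
  errorMessage: name=errSystemError Bad enable password for device [10.1.1.100]
"""


@dataclass
class NacEvent:
    event_id: str
    severity: str
    host_id: str
    app_name: str
    time_raw: str          # both timestamps as printed by the sensor
    message: str
    device_ip: Optional[str]
    verdict: str


# Message fragments quoted in the thread, mapped to a verdict. Order matters:
# the first fragment found wins.
_VERDICTS = (
    ("Wrong username/password", "login_failed"),
    ("Bad enable password", "enable_failed"),
    ("Established a connection", "connected"),  # logged as error, but benign
)


def classify(message: str) -> str:
    """Map an errorMessage text to one of the known verdicts."""
    for needle, verdict in _VERDICTS:
        if needle in message:
            return verdict
    return "unknown"


def parse_events(text: str) -> List[NacEvent]:
    """Split the multi-line evError records and extract the fields we care about."""
    events = []
    for chunk in re.split(r"\n(?=evError:)", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            line = line.strip()
            if line.startswith("evError:"):
                # header line carries key=value pairs (eventId, severity, vendor)
                fields.update(re.findall(r"(\w+)=(\S+)", line))
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        message = fields.get("errorMessage", "")
        ip_match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", message)
        events.append(NacEvent(
            event_id=fields.get("eventId", ""),
            severity=fields.get("severity", ""),
            host_id=fields.get("hostId", ""),
            app_name=fields.get("appName", ""),
            time_raw=fields.get("time", ""),
            message=message,
            device_ip=ip_match.group(1) if ip_match else None,
            verdict=classify(message),
        ))
    return events


def blocking_health(events: List[NacEvent]) -> Dict[str, Dict[str, int]]:
    """Per blocking device: count of successful logins and of credential failures."""
    report: Dict[str, Dict[str, int]] = {}
    for ev in events:
        if ev.app_name != "nac" or ev.device_ip is None:
            continue
        entry = report.setdefault(ev.device_ip, {
            "connected": 0, "login_failed": 0, "enable_failed": 0, "unknown": 0})
        entry[ev.verdict] += 1
    return report


if __name__ == "__main__":
    for ip, counts in blocking_health(parse_events(SAMPLE_EVENTS)).items():
        print(ip, counts)
```

A device that shows only "connected" verdicts has passed both the login and the enable step, so a missing ACL entry on such a device is not a credential problem and the remaining suspects are the block configuration itself (block-enable, block-interfaces, signature actions) rather than ARC's access to the switch.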
