10-05-2011 05:37 AM - edited 03-10-2019 05:30 AM
The situation is the following:
IPS device - IPS4260 7.0(6)E4
ARC device - 6500 IOS 12.2(33)SXI5
6500 has 2 Internet connections; vlan2 and vlan11 are the corresponding L3 interfaces.
IPS works in promiscuous mode, traffic captured using VACL capture on vlan2 and vlan11.
The servers which must be protected are in vlan 8; I need to set up an outgoing block ACL on the Vlan8 L3 interface.
I have two problems with this configuration:
1) The IPS did not enter blocked hosts and connections into the ACL. I see that the ACL on the interface is regularly changed from IDS_Vlan8_out_1 to IDS_Vlan8_out_0, but no block entries are added.
2) If I try to read the running config I regularly get the warning that the configuration is not accessible.
How often should the IPS change the block ACLs?
Why doesn't it add the block entries?
Thanks for any clue
10-05-2011 11:11 AM
You need to specify the 6500 as a "router" device in your IPS Sensor.
The IPS will change the ACL in your 6500 twice for each signature that has the action set to "Request Block" that fires.
The first ACL change will block the host IP address, then 15 min later the host will be unblocked (it may be 30 min, I forget exactly). The function of the two ACLs is so that the sensor can have a "scratch" ACL to write to, then swap it out with the applied ACL.
To see an entry in your ACL you need to either have an existing signature set to block fire, or edit a signature to block and then hit that signature. (a custom TCP sig with a known text string works nicely).
- Bob
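As an added example that is not part of Bob's reply and not Cisco's code, the following Python model shows the two-ACL cycle he describes: the sensor renders the block list into the scratch ACL (the one not currently applied), re-applies the interface with that name, and the names alternate between IDS_Vlan8_out_0 and IDS_Vlan8_out_1; when a block's timer runs out the ACL is rewritten again without it. The ACL layout used here (optional pre-block entries, one deny line per active block, a trailing permit ip any any), the 30-minute default timer and all addresses are assumptions for illustration; the real block time is whatever is configured on the sensor, and Bob's reply only says it is on the order of 15 or 30 minutes.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional


@dataclass
class Block:
    host: str
    expires_at: int  # model time in seconds at which ARC removes the block


@dataclass
class ArcModel:
    """Minimal model of the ARC (nac) two-ACL swap on one IOS interface."""
    interface: str = "Vlan8"
    direction: str = "out"
    block_minutes: int = 30          # assumption: sensor-configured block time
    pre_block: List[str] = field(default_factory=list)  # assumed pre-block ACL lines
    active: int = 0                  # index (0 or 1) of the ACL applied right now
    blocks: Dict[str, Block] = field(default_factory=dict)
    history: List[str] = field(default_factory=list)  # IOS config ARC would push

    def acl_name(self, index: int) -> str:
        # Naming scheme seen on the 6500 in the thread: IDS_<intf>_<dir>_<0|1>
        return f"IDS_{self.interface}_{self.direction}_{index}"

    def applied_acl(self) -> str:
        return self.acl_name(self.active)

    def render_acl(self, index: int, now: int) -> str:
        """Render the full ACL body ARC would write into the scratch ACL."""
        lines = [f"ip access-list extended {self.acl_name(index)}"]
        lines += [f" {entry}" for entry in self.pre_block]
        for b in sorted(self.blocks.values(), key=lambda b: b.host):
            if b.expires_at > now:
                lines.append(f" deny ip host {b.host} any")
        lines.append(" permit ip any any")  # assumed: no post-block ACL configured
        return "\n".join(lines)

    def _swap(self, now: int) -> str:
        # Write the scratch ACL, then move the interface over to it.
        scratch = 1 - self.active
        acl_text = self.render_acl(scratch, now)
        self.history.append(acl_text)
        self.history.append(
            f"interface {self.interface}\n"
            f" ip access-group {self.acl_name(scratch)} {self.direction}"
        )
        self.active = scratch
        return acl_text

    def request_block(self, host: str, now: int) -> str:
        """A signature with 'Request Block Host' fired for this source."""
        ip_address(host)  # reject garbage before it lands in an ACL
        self.blocks[host] = Block(host, now + self.block_minutes * 60)
        return self._swap(now)

    def tick(self, now: int) -> Optional[str]:
        """Timer pass: drop expired blocks; rewrite the ACL only if one expired."""
        expired = [h for h, b in self.blocks.items() if b.expires_at <= now]
        if not expired:
            return None
        for h in expired:
            del self.blocks[h]
        return self._swap(now)

    def blocked_hosts(self, now: int) -> List[str]:
        return sorted(h for h, b in self.blocks.items() if b.expires_at > now)


if __name__ == "__main__":
    arc = ArcModel()
    print(arc.request_block("192.0.2.10", now=0))   # ACL _1 with one deny line
    print(arc.applied_acl())                         # IDS_Vlan8_out_1
    print(arc.tick(now=30 * 60))                     # ACL _0 again, deny gone
```

The point for the original question: a swap between _0 and _1 with no deny lines is exactly what this model produces when the block list is empty, so the swap alone proves only that the sensor can log in and write ACLs, not that any block request ever reached ARC.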
10-06-2011 01:41 AM
Bob, it's already done.
-the 6500 is configured as an IOS block device
-there are signatures with block-host event rules
-there are blocked hosts in the IPS
I just discovered that there are errors in the log:
-----------------------------------------
ips4260-1# sh events error | include : nac
evError: eventId=1317178506899167905 severity=error vendor=Cisco
originator:
hostId: ips4260-1
appName: nac
appInstanceId: 28636
time: 2011/10/06 08:19:10 2011/10/06 09:14:10 EST
errorMessage: name=errSystemError Established a connection to IP [10.1.1.100]
---------------------------------------------
Is it possible that the problem is connected to the fact that the 6500 config is quite big?
10-06-2011 01:51 PM
According to your error log, the IPS sensor is not logging into the 6500 successfully.
You need to add the 6500's ssh key into your IPS sensor (at the command prompt)
ssh host-key 10.1.1.100
You need to define the 6500 and how you will talk to it (I think you've done this, in the configuration):
router-devices 10.1.1.100
communication ssh
And you need to set shunning in the config:
conf t
service network-access
general
block-enable true
exit
user-profiles 6500
username cisco
(config-net-use)# password
Enter password[]: *********
Re-enter password: *********
(config-net-use)# enable-password
Enter enable-password[]: *********
Re-enter enable-password: *********
exit
exit
[yes]
conf t
service network-access
general
block-enable true
exit
router-devices 10.1.1.100
communication ssh-3des
profile-name 6500
block-interfaces vlan8 out
exit
exit
exit
[yes]
10-07-2011 02:52 AM
It's all already done; I have tested using telnet and SSH.
I think that the IPS successfully connects to the 6513, as the ACL applied to Vlan8 is continuously changed between
interface Vlan8
ip access-group IDS_Vlan8_out_0 out
and
interface Vlan8
ip access-group IDS_Vlan8_out_1 out
Also the error:
------------------------------------
evError: eventId=1317178506899193520 severity=error vendor=Cisco
originator:
hostId: ips4260-1
appName: nac
appInstanceId: 26677
time: 2011/10/07 09:40:51 2011/10/07 10:35:51 EST
errorMessage: name=errSystemError Established a connection to IP [10.1.1.100]
-------------------------------------
looks like it is informing of a normal connection.
I tried to use incorrect passwords and got different errors:
-----------------------------------------------------
evError: eventId=1317178506899193550 severity=error vendor=Cisco
originator:
hostId: ips4260-1
appName: nac
appInstanceId: 27022
time: 2011/10/07 09:43:10 2011/10/07 10:38:10 EST
errorMessage: name=errSystemError ERROR: Wrong username/password for net device [10.1.1.100]
evError: eventId=1317178506899193691 severity=error vendor=Cisco
originator:
hostId: ips4260-1
appName: nac
appInstanceId: 27485
time: 2011/10/07 09:48:13 2011/10/07 10:43:13 EST
errorMessage: name=errSystemError Bad enable password for device [10.1.1.100]
-------------------------------------------------------
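The three nac records above show why eyeballing `sh events error` is misleading: ARC logs the successful login ("Established a connection") at severity=error right next to the genuine failures, so the severity field cannot separate them. As an added example that is not part of the thread, here is a small Python triage script that parses that output into records and classifies each nac message by its text. The sample input is constructed from the records quoted above; the verdict labels and the classifier table are my own, not Cisco's.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, copied from the records quoted in the thread.
SAMPLE = """\
evError: eventId=1317178506899193520 severity=error vendor=Cisco
originator:
hostId: ips4260-1
appName: nac
appInstanceId: 26677
time: 2011/10/07 09:40:51 2011/10/07 10:35:51 EST
errorMessage: name=errSystemError Established a connection to IP [10.1.1.100]
evError: eventId=1317178506899193550 severity=error vendor=Cisco
originator:
hostId: ips4260-1
appName: nac
appInstanceId: 27022
time: 2011/10/07 09:43:10 2011/10/07 10:38:10 EST
errorMessage: name=errSystemError ERROR: Wrong username/password for net device [10.1.1.100]
evError: eventId=1317178506899193691 severity=error vendor=Cisco
originator:
hostId: ips4260-1
appName: nac
appInstanceId: 27485
time: 2011/10/07 09:48:13 2011/10/07 10:43:13 EST
errorMessage: name=errSystemError Bad enable password for device [10.1.1.100]
"""

# Substring -> verdict; my own labels, matched case-insensitively in order.
CLASSIFIERS = [
    ("established a connection", "connected"),
    ("wrong username/password", "login-auth-failed"),
    ("bad enable password", "enable-auth-failed"),
]

DEVICE_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class NacEvent:
    event_id: str
    host_id: str
    time: str
    message: str
    device: str   # managed device IP pulled out of the message, if any
    verdict: str


def classify(message: str) -> str:
    low = message.lower()
    for needle, verdict in CLASSIFIERS:
        if needle in low:
            return verdict
    return "unclassified"


def parse_events(text: str) -> List[NacEvent]:
    """Split 'sh events error' output into records; keep only appName nac."""
    records: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("evError:"):
            if current is not None:
                records.append(current)
            m = re.search(r"eventId=(\d+)", line)
            current = {"eventId": m.group(1) if m else ""}
            continue
        if current is None or ":" not in line:
            continue
        # Split on the first colon only: errorMessage values contain colons too.
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current is not None:
        records.append(current)

    events = []
    for r in records:
        if r.get("appName") != "nac":
            continue
        msg = r.get("errorMessage", "")
        dev = DEVICE_RE.search(msg)
        events.append(NacEvent(r.get("eventId", ""), r.get("hostId", ""),
                               r.get("time", ""), msg,
                               dev.group(1) if dev else "", classify(msg)))
    return events


def summarize(events: List[NacEvent]) -> Dict[str, dict]:
    """Per managed device: verdict counts and whether any real auth failure exists."""
    out: Dict[str, dict] = {}
    for e in events:
        d = out.setdefault(e.device, {"counts": {}, "auth_failed": False})
        d["counts"][e.verdict] = d["counts"].get(e.verdict, 0) + 1
        if e.verdict.endswith("auth-failed"):
            d["auth_failed"] = True
    return out


if __name__ == "__main__":
    for e in parse_events(SAMPLE):
        print(e.time, e.device, e.verdict)
    print(summarize(parse_events(SAMPLE)))
```

Run it against the real `sh events error | include : nac` output instead of SAMPLE: a device whose summary shows only "connected" verdicts is being logged into fine, which pushes the investigation back to whether any signature with a block action actually fired.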