10-09-2013 03:51 AM - edited 03-10-2019 06:04 AM
Hi,
I'm trying to configure remote blocking on one router interface. I added: ‘device login profile’, ‘blocking device’ and ‘router blocking device interfaces’. I see the IPS established connection with the router:
Extended IP access list IDS_FastEthernet0/1_in_0
10 permit ip host 10.0.10.15 any
20 permit ip any any (311041 matches)
Then I tried a ping/UDP flood, and none of these attacks are seen under Monitor->Events (I enabled ‘show attack response controller events’).
When the traffic is going through the IPS everything is logged properly; the problem is only with the remote device (ARC). Are there any requirements which I missed?
Rack1IPS# show statistics network-access
Current Configuration
LogAllBlockEventsAndSensors = true
EnableNvramWrite = false
EnableAclLogging = false
AllowSensorBlock = false
BlockMaxEntries = 250
MaxDeviceInterfaces = 250
NetDevice
Type = Cisco
IP = 150.50.0.1
NATAddr = 0.0.0.0
Communications = telnet
ResponseCapabilities = block
BlockInterface
InterfaceName = FastEthernet0/1
InterfaceDirection = in
InterfacePostBlock = POST-ACL
State
BlockEnable = true
NetDevice
IP = 150.50.0.1
AclSupport = uses Named ACLs
Version = 0
State = Inactive
Rack1IPS#
I also tried with post-acl, but the result is the same.
Regards
Hubert
10-09-2013 10:00 PM
Hello Hubert,
Have you enabled the following actions on the signatures you are trying to fire:
Request block host
or
Request block connection
?
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
For any questions, contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
10-16-2013 12:57 PM
Hello Julio,
Yes, I defined these actions and I added 'log' to see the traffic, but no luck.
Thanks
Hubert