08-18-2006 06:37 AM - edited 03-10-2019 03:10 AM
I have a 4215 with its monitoring interface plugged in to a hub, which is connected to the dmz interface, and the hub then uplinks to a switch to extend the amount of ports available on the DMZ. I have configured a signature to perform blocking, but when it tries to telnet to the PIX to perform the shun, the ACL prohibits the connection. I get a syslog message:
Aug 18 2006 10:31:12: %PIX-3-710003: TCP access denied by ACL from 10.4.0.3/34986 to inside:10.4.0.2/23
Those addresses are the inside addresses of the IPS and the PIX. I think the "ACL" is the default ACL since I don't have any access lists configured on the PIXs inside interface. I tried using NAT to correct this so that maybe the access list I have configured on the DMZ could be adjusted, but so far no luck. I don't want to configure an access list on the inside. I want to stick with the default ACL there. Does anyone have any ideas?
thank you,
08-18-2006 08:31 AM
Sounds like the pix isn't config'd to allow telnet from the IPS.
Been a while since I've poked at the pix, but I think that you might not have explicitly allowed the IPS telnet access to it. I know these are links to 6.x commands, but I believe that pix 7.x is similar in cli structure.
Hope that helps.
08-18-2006 08:27 AM
You likely need to allow telnet access from the sensor to the PIX inside interface (assuming the sensor's command and control interface is on the inside). The command to execute on the PIX is below:
telnet 10.4.0.3 255.255.255.255 inside
I would recommend you use SSH, though. To setup SSH, you would have to enable SSH on the firewall from the sensor. Then, download the PIX's key to the sensor (there is a quick tool in IDM for this).
Here's the command to enable SSH on the PIX from the sensor..
ssh 10.4.0.3 255.255.255.255 inside
Please rate me if this helps. Thanks.
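The %PIX-3-710003 denial quoted in the question is also worth watching from the log side. The following is an added example, not code from this thread: it parses that message and separates a blocked sensor (whose shun would silently fail) from some other host being denied on the firewall's telnet/ssh port. The sensor address 10.4.0.3/32 and the first log line come from the thread; the other log lines and the category names are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# %PIX-3-710003 as quoted in the question:
# "<ts>: %PIX-3-710003: TCP access denied by ACL from <src>/<sport> to <iface>:<dst>/<dport>"
PIX_710003 = re.compile(
    r"%PIX-3-710003: (?P<proto>\w+) access denied by ACL from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<iface>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
MGMT_PORTS = {22: "ssh", 23: "telnet"}  # to-the-box services the sensor needs for a shun

def parse_710003(line):
    """Fields of a 710003 denial as a dict, or None for any other syslog line."""
    m = PIX_710003.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def classify(line, sensors):
    """'sensor_blocked': an authorised sensor was denied, so its shun would fail;
    'unexpected_mgmt': another host hit ssh/telnet (alert); 'other': non-management
    denial; None: not a 710003 line. sensors = CIDR strings of allowed sensors."""
    d = parse_710003(line)
    if d is None:
        return None
    if d["dport"] not in MGMT_PORTS:
        return "other"
    if any(ip_address(d["src"]) in ip_network(n) for n in sensors):
        return "sensor_blocked"
    return "unexpected_mgmt"

def summarize(lines, sensors=("10.4.0.3/32",)):
    """Count classifications over a batch of syslog lines."""
    counts = {}
    for line in lines:
        c = classify(line, sensors)
        if c is not None:
            counts[c] = counts.get(c, 0) + 1
    return counts

# Constructed sample log: the first line is the one quoted in the question,
# the rest are made up in the same format for illustration.
SAMPLE_LOG = [
    "Aug 18 2006 10:31:12: %PIX-3-710003: TCP access denied by ACL from 10.4.0.3/34986 to inside:10.4.0.2/23",
    "Aug 18 2006 10:32:40: %PIX-3-710003: TCP access denied by ACL from 10.4.0.77/51022 to inside:10.4.0.2/22",
    "Aug 18 2006 10:33:01: %PIX-3-710003: TCP access denied by ACL from 10.4.0.9/40000 to inside:10.4.0.2/443",
    "Aug 18 2006 10:33:05: %PIX-6-302013: Built outbound TCP connection 12345 for outside:192.0.2.10/80 to inside:10.4.0.50/41000",
]
```

Running `summarize(SAMPLE_LOG)` on the constructed log gives one of each category; a `sensor_blocked` hit is the signal that the `telnet`/`ssh` statement for the sensor is missing on the PIX.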