03-09-2008 07:08 PM - edited 03-10-2019 04:01 AM
I have an IPS 4255. I wanted to configure it so that it can shun the attack that comes in on the PIX firewall. I have made the device profile and added the firewall in blocking devices. I have given all the parameters for telnet and even tried with SSH. But still I am not able to do the shunning on the firewall. Though the same IPS is able to block attacks for routers, it is not working with the firewall.
In the IPS statistics I see the following:
section NetDevice
Type PIX
IP 172.28.95.2
NATAddr 0.0.0.0
Communications telnet
ResponseCapabilities block
section NeverBlock
IP 172.28.92.50
IP x.219.212.220
section State
BlockEnable true
section NetDevice
IP 172.28.95.2
AclSupport Does not use ACLs
Version 0
State Inactive
Firewall-type PIX
Please help me out.
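As an added example (not part of the original post and not Cisco's own code), a small Python parser for the statistics output quoted above: it reads the `section` / `Key Value` layout, picks out the NeverBlock addresses, and flags any blocking device that ARC reports as Inactive while BlockEnable is true, together with the transport configured for it. The sample text is constructed from the values in the post.

```python
"""Parse IPS network-access statistics (the 'section Name' / 'Key Value' layout
quoted in the post) and flag blocking devices that ARC reports as Inactive."""
from collections import defaultdict

# Constructed sample, copied from the values shown in the post.
SAMPLE = """\
section NetDevice
Type PIX
IP 172.28.95.2
NATAddr 0.0.0.0
Communications telnet
ResponseCapabilities block
section NeverBlock
IP 172.28.92.50
IP x.219.212.220
section State
BlockEnable true
section NetDevice
IP 172.28.95.2
AclSupport Does not use ACLs
Version 0
State Inactive
Firewall-type PIX
"""

def parse_sections(text):
    """Return [(section_name, {key: [values]})] in order of appearance.
    Keys can repeat inside a section (NeverBlock lists several IPs), so
    every value is kept in a list. Values may contain spaces ('Does not use ACLs')."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")          # split on the first space only
        if key == "section":
            current = (value, defaultdict(list))
            sections.append(current)
        elif current is not None:
            current[1][key].append(value)
    return sections

def never_block_ips(text):
    """Addresses ARC will never shun, in listed order."""
    return [ip for name, sec in parse_sections(text) if name == "NeverBlock" for ip in sec["IP"]]

def inactive_block_devices(text):
    """(ip, transport) for each NetDevice in State Inactive while blocking is enabled.
    The config copy of a device carries 'Communications'; the status copy carries 'State'."""
    sections = parse_sections(text)
    if not any(n == "State" and s.get("BlockEnable") == ["true"] for n, s in sections):
        return []                                     # blocking is off; nothing to flag
    transport = {s["IP"][0]: s["Communications"][0]
                 for n, s in sections if n == "NetDevice" and "Communications" in s}
    return [(s["IP"][0], transport.get(s["IP"][0], "unknown"))
            for n, s in sections if n == "NetDevice" and s.get("State") == ["Inactive"]]

if __name__ == "__main__":
    print("never block:", never_block_ips(SAMPLE))
    print("inactive blocking devices:", inactive_block_devices(SAMPLE))
```

Against the quoted output this reports the PIX at 172.28.95.2 as Inactive over telnet, which is the device whose ARC connection the later replies suggest examining in the event store.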
03-13-2008 10:02 AM
If you can run a sniffer such as Ethereal/Wireshark between your 4255 and PIX, you can watch the telnet session with the "follow session" option on your sniffer. This will give you a good indication of what is going on between those two devices.
03-17-2008 02:30 PM
The best indication of what is wrong is usually in the event store. If you do a show events from the CLI, and then stop/start blocking (either from IDM or another CLI session), you should see ARC connecting to all its devices. Any connection issues should produce an error message. (Note: stopping and starting ARC forces the reconnects. You could always just watch the event store, as ARC will periodically try to connect to the device.)