IPS unable to Block

wasiimcisco
Level 1

I have an IPS 4255, and I have made a Service HTTP signature to block metacafe.

I have configured the block device for the PIX Firewall. The signature triggers when I open www.metacafe.com; I can see the user IP in active blocking hosts and also in IP logging, but still I'm not able to block/shun the users.

I select all actions in the signature definition.

-----Network Access Statistics-----
section Current Configuration
LogAllBlockEventsAndSensors true
EnableNvramWrite false
EnableAclLogging false
AllowSensorBlock false
BlockMaxEntries 250
MaxDeviceInterfaces 250
section NetDevice
Type PIX
IP 172.28.31.68
NATAddr 0.0.0.0
Communications ssh-3des
ResponseCapabilities block
section NeverBlock
IP 172.28.92.72
IP 172.28.31.0
IP 192.168.249.0
IP 192.168.250.0
section State
BlockEnable true
section NetDevice
IP 172.28.31.68
AclSupport Does not use ACLs
Version 0
State Inactive
Firewall-type PIX

Please help me out with what I'm missing.
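As an added example (not part of the original post and not a Cisco tool), the following Python script parses the Network Access Statistics output above and flags the conditions that stop a shun from being applied: blocking disabled globally, a device whose ResponseCapabilities does not include block, or a device whose State is not Active. It assumes that "Current Configuration" and "State" are the two enclosing sections of the listing and treats NeverBlock entries as individual host addresses, since the thread does not say whether the .0 entries denote networks.

```python
"""Parse and sanity-check the IPS 'Network Access Statistics' listing.

Example code added to this thread; it is not from the original post or from Cisco.
Assumptions: 'Current Configuration' and 'State' are the enclosing sections, a device
under 'State' must show 'State Active' before the sensor can push a shun, and
NeverBlock 'IP' entries are single hosts.
"""
from typing import Dict, List, Optional, Union

# Statistics block as posted in the thread (constructed sample for offline use).
SAMPLE_STATS = """\
-----Network Access Statistics-----
section Current Configuration
LogAllBlockEventsAndSensors true
EnableNvramWrite false
EnableAclLogging false
AllowSensorBlock false
BlockMaxEntries 250
MaxDeviceInterfaces 250
section NetDevice
Type PIX
IP 172.28.31.68
NATAddr 0.0.0.0
Communications ssh-3des
ResponseCapabilities block
section NeverBlock
IP 172.28.92.72
IP 172.28.31.0
IP 192.168.249.0
IP 192.168.250.0
section State
BlockEnable true
section NetDevice
IP 172.28.31.68
AclSupport Does not use ACLs
Version 0
State Inactive
Firewall-type PIX
"""

TOP_LEVEL = ("Current Configuration", "State")  # assumption: these own the nested sections

Section = Dict[str, Union[str, List[str]]]


def parse_stats(text: str) -> List[Section]:
    """Turn the flat 'section X / key value' listing into a list of dicts.

    Each dict carries '_name' and '_parent' (the enclosing top-level section).
    A key that repeats inside one section (the NeverBlock IPs) collects into a list.
    """
    sections: List[Section] = []
    current: Section = {}
    parent = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-----"):
            continue  # skip the banner and blank lines
        if line.startswith("section "):
            name = line[len("section "):].strip()
            if name in TOP_LEVEL:
                parent = name
            current = {"_name": name, "_parent": parent}
            sections.append(current)
            continue
        if not current:
            continue  # key/value before any section header: ignore
        key, _, value = line.partition(" ")
        value = value.strip()
        if key in current:
            prev = current[key]
            current[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            current[key] = value
    return sections


def find_sections(sections: List[Section], name: str,
                  parent: Optional[str] = None) -> List[Section]:
    """Select sections by name, optionally restricted to one enclosing section."""
    return [s for s in sections
            if s["_name"] == name and (parent is None or s["_parent"] == parent)]


def never_blocked(sections: List[Section], ip: str) -> bool:
    """True if ip exactly matches a NeverBlock entry (entries treated as hosts)."""
    for sec in find_sections(sections, "NeverBlock"):
        entries = sec.get("IP", [])
        if isinstance(entries, str):
            entries = [entries]
        if ip in entries:
            return True
    return False


def check_blocking(sections: List[Section]) -> List[str]:
    """Return findings that explain why a shun may not reach the device."""
    findings: List[str] = []
    state = find_sections(sections, "State")
    if not state or state[0].get("BlockEnable") != "true":
        findings.append("BlockEnable is not true: blocking is disabled globally")
    for dev in find_sections(sections, "NetDevice", parent="Current Configuration"):
        if "block" not in str(dev.get("ResponseCapabilities", "")):
            findings.append(f"device {dev.get('IP')}: ResponseCapabilities lacks 'block'")
    for dev in find_sections(sections, "NetDevice", parent="State"):
        if dev.get("State") != "Active":
            findings.append(
                f"device {dev.get('IP')} ({dev.get('Firewall-type', '?')}): State is "
                f"{dev.get('State')}; the sensor has no working management session, "
                "so check SSH reachability, the stored host key and the credentials")
    return findings


if __name__ == "__main__":
    parsed = parse_stats(SAMPLE_STATS)
    for finding in check_blocking(parsed):
        print("FINDING:", finding)
    print("172.28.92.72 is never-blocked:", never_blocked(parsed, "172.28.92.72"))
```

Run against the posted listing, the only finding is the PIX entry under section State showing Inactive, which is consistent with the later observation that 'who' on the firewall never shows the sensor logged in. The never_blocked helper is there because a test client whose address sits in the NeverBlock list would trigger the signature yet never be shunned.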

10 Replies

Farrukh Haroon
VIP Alumni

Did you allow the sensor IP on the PIX for SSH?

ssh interface ?

Did you add the PIX as a trusted host on the sensor?

Is the SSH even working on the PIX from other hosts?

Double check your PIX credentials.

Log in to the PIX and issue a 'who' command to see if the IPS is logged in.

Regards

Farrukh

Thanks for the reply.

My firewall is configured for AAA. I gave the same credentials in the IPS blocking devices that I'm using for myself.

SSH is allowed on the firewall for any IP.

The IPS also has any IP in its trusted hosts.

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

IPS allowed host

telnet-option enabled

access-list 172.28.0.0/16

The IPS is only able to push an access-list on the router but is not able to shun the PIX firewall.

"IPS also has any ip to trusted hosts." This is not possible; you have to do it manually.

I am talking about adding the SSH key of the PIX in the IPS.

http://www.cisco.com/en/US/docs/security/ips/6.0/command/reference/crCmds.html#wp553621

Go to the IPS CLI and issue the following command:

ssh host-key

Regards

Farrukh

I have tried even this, but the problem is still there.

I am attaching the screenshot. I am not able to configure the block action; the tab is not highlighted.

Why is it so? Maybe this is the reason?

Have you enabled blocking globally?

Blocking >> Blocking Properties

Regards

Farrukh

Yes, blocking is globally enabled. The IPS is able to write access-lists on routers but not able to shun the PIX firewall.

Please enable the block action on any common signature like ICMP echo (2004) and then check the event log of the IPS. It will tell you why the shun is failing. Also log in to the firewall and do a 'who' command during this test to see if the IPS logs in. Do 'terminal monitor' and 'logging monitor 6' on the firewall to see any denies, etc.

Regards

Farrukh

I am not able to configure the firewall shun in the Cisco IPS; the blocking option is disabled in the IPS for the firewall.

See the attachment. Please help me out with how to do this.

The IPS is only able to block on the routers but not on the firewall.

When I view the log on the IPS, it shows me the following error:

firewall type unknown. Please see the screenshot.

Secondly, when I did 'who' on the firewall I didn't see anybody connected. The firewall logging is also not showing that the IPS IP address is blocked.

Can anybody help me out in this matter?
