08-11-2010 11:44 PM - edited 03-10-2019 05:05 AM
Hello
I use an IDSM and I've been trying to get the blocking feature to work for some time now. The sensor is running only in promiscuous mode and my goal is to use our FWSM or the Cisco 7301 Internet facing router to block off attacks however I cannot get either option to work.
When trying to block using the 7301 I get
"Unable to execute a host block [xxx.xxx.xxx.xxx] on [xxx.xxx.xxx.xx] because no blocking interfaces are configured name=errSystemError"
My IDSM configuration for the device is
NetDevice
Type = Cisco
IP = xxx.xxx.xxx.xxx
NATAddr = 0.0.0.0
Communications = ssh-3des
ResponseCapabilities = block|rateLimit
BlockInterface
InterfaceName = GigabitEthernet0/2
InterfaceDirection = in
InterfacePreBlock = 100
InterfacePostBlock = 110
When trying the FWSM I get
errorMessage: firewall [xxx.xxx.xxx.xxx] can not perform this connection block : src ip [Public attacker IP] src port [2595] dest addr [masqueraded internal IP] dest port [80]. name=errSystemError
The special issue with the IDSM-FWSM is that I use VLAN capture to gather an entire VLAN transporting unencrypted data between our Co-Lo sites; my guess is that the IDSM OR the FWSM cannot understand which interface should be used with the shun.
Two different errors giving me the same problem, no blocking option. Anyone have any ideas?
Regards
Fredrik
08-16-2010 05:14 AM
Fredrik;
What versions of software are running on the involved devices (IDSM-2, FWSM, 7301)?
I note that the 7300 series is not currently listed as supported for blocking.
What is the full output of 'sh stat net' command issued from the IDSM-2 CLI?
The issue may be due to the nature that the shun command does not support connection or network blocking, but only host blocking. Also, per the user guide, blocking is not supported in multiple mode admin context. This is discussed here:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_blocking.html#wp1058089
Scott
08-19-2010 03:36 AM
I have an apology to extend to those spending time on my issue. After a few hours of troubleshooting I found the answer but forgot to post an update.
The problem was that the public keys under "known hosts" didn't match the target IPs anymore. I hadn't used blocking for a while and a few firewall failovers and a hardware change caused a mismatch. Bad thing is that the logging on the IDSMs couldn't show this.
Regards
Fredrik
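The root cause above (stored SSH host keys no longer matching the blocking devices after failovers and a hardware swap) is easy to catch before blocking silently fails. The following is an added example, not part of the thread or of any Cisco tool: it assumes the sensor's trusted keys are kept in an OpenSSH known_hosts-style file and compares them, by fingerprint, against the keys the devices currently present. All hosts and key blobs are constructed sample data.

```python
import base64
import hashlib

def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()

# Constructed key blobs (not real RSA keys; only their bytes matter here).
OLD_FW_KEY = b"\x00\x00\x00\x07ssh-rsa" + b"constructed-old-firewall-key"
NEW_FW_KEY = b"\x00\x00\x00\x07ssh-rsa" + b"constructed-new-firewall-key"
ROUTER_KEY = b"\x00\x00\x00\x07ssh-rsa" + b"constructed-router-key"

# Constructed trust store: the keys the sensor learned before the failover.
KNOWN_HOSTS = (
    "# blocking devices (constructed sample)\n"
    f"192.0.2.1 ssh-rsa {b64(OLD_FW_KEY)}\n"
    f"192.0.2.2 ssh-rsa {b64(ROUTER_KEY)}\n"
)

# Constructed: keys the devices present now; the firewall's key changed.
CURRENT_KEYS = {"192.0.2.1": b64(NEW_FW_KEY), "192.0.2.2": b64(ROUTER_KEY)}

def fingerprint(b64_key: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map host -> (key type, base64 key); skips comments and blank lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, keytype, key = line.split()[:3]
        for h in host.split(","):  # one entry may list several hosts
            entries[h] = (keytype, key)
    return entries

def find_key_mismatches(known_hosts: str, current: dict) -> dict:
    """Return {host: (stored fp or None, presented fp)} where they differ."""
    stored = parse_known_hosts(known_hosts)
    mismatches = {}
    for host, presented in current.items():
        if host not in stored:
            mismatches[host] = (None, fingerprint(presented))
        elif stored[host][1] != presented:
            mismatches[host] = (fingerprint(stored[host][1]), fingerprint(presented))
    return mismatches

if __name__ == "__main__":
    for host, (old, new) in find_key_mismatches(KNOWN_HOSTS, CURRENT_KEYS).items():
        print(f"{host}: stored {old} but device now presents {new}")
```

Run it after any firewall failover or hardware change; a reported mismatch means the sensor's stored key must be re-learned before host blocks will succeed.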