08-31-2004 10:59 AM - edited 02-20-2020 09:25 PM
I have an IDS 4210 which controls a 2610 router with two serial interfaces. I have a pre and a post access list for each. With no access-list applied to either interface, I enable blocking and the access-lists are created on each interface. All is well until I reboot the router or the IDS; when they come online, the access-list has only one entry, for the IP permit address. To solve this issue I disable blocking on the IDS, remove the access-list from the interface and delete the access-list created by the IDS. I then enable blocking and everything works fine. Is this normal? Thanks, H
09-07-2004 10:37 AM
Not usually.
It sounds like something is not happening correctly.
When the IDS creates a new ACL it also does a write mem, so if the router reboots it should come back up with the same access lists that were last written by the sensor.
We have seen cases where the write mem on the router was generating errors (seen when the ACLs were too large to be saved properly, or when other users were also making changes on the router). In that case the router may be rebooted and come up with an invalid config.
The other possibility is that the sensor is not using the correct permit line in the first ACL entry. The first permit line should permit the sensor itself to access the router.
If there is no NATing between the sensor and router, then the sensor should be permitting the actual sensor IP address.
If, on the other hand, there is NATing between the sensor and router, then the sensor will need to permit this NAT address. To do this the user has to tell the sensor what its NAT address will be when connecting to that router.
Some users have confused that NAT field above with the NATing being done by the router itself.
This NAT field is NOT the NAT address being used by the router, but is INSTEAD the NAT address being used by a router or firewall between the sensor and router.
If the wrong address is being entered into this NAT field, it is possible that the first line of the ACL, which permits only the NAT address, may be unexpectedly denying the sensor's address and preventing the sensor from continuing its connection to the router.
Marco
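The two checks Marco's reply points at (is the sensor itself permitted by the first ACL entry, and did the block entries survive the reboot) can be run against the text of the router's ACL. The script below is an added example, not part of the original thread and not Cisco's own code. Its assumptions are labelled in the comments: the sensor's ACL is taken to be an IOS extended ACL whose first line permits the sensor (or its NAT address), followed by the pre-block entries, the `deny` lines for blocked hosts and the post-block entries; every address and every ACL shown is constructed for the example. The function names (`parse_ace`, `sensor_permitted_first`, `blocked_hosts`, `diagnose`) are the example's own.

```python
"""Sanity-check an IOS extended ACL written by a blocking sensor.

Added example for the thread above, not Cisco's or the posters' code.
Assumed (not confirmed by the thread): the sensor writes an extended ACL
whose entries look like "permit ip host A any", "deny ip host A any",
"permit ip A WILDCARD any" or "permit ip any any", with the line that
permits the sensor itself placed first.  All addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_addr(tokens):
    """Consume one IOS address spec from the front of tokens, return it as a network."""
    kw = tokens.pop(0).lower()
    if kw == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if kw == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    # "ADDRESS WILDCARD": IOS wildcard bits are the inverse of a netmask
    addr, wild = kw, tokens.pop(0)
    wild_int = int(ipaddress.IPv4Address(wild))
    if wild_int & (wild_int + 1):            # must be a contiguous run of low 1-bits
        raise ValueError(f"discontiguous wildcard mask {wild}")
    prefixlen = 32 - wild_int.bit_length()
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)


def parse_ace(line: str) -> Ace:
    """Parse one extended-ACL entry such as 'deny ip host 203.0.113.7 any'."""
    tokens = line.split()
    if tokens and tokens[0].isdigit():       # 'show access-lists' may prefix a sequence number
        tokens.pop(0)
    action = tokens.pop(0).lower()
    if action not in ("permit", "deny") or tokens.pop(0).lower() != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    src = _take_addr(tokens)
    dst = _take_addr(tokens)
    return Ace(action, src, dst)


def sensor_permitted_first(acl_lines, sensor_src: str) -> bool:
    """True if the first entry is a permit matching the address the sensor's
    management traffic really arrives from: its own address when nothing is
    NATed on the way, otherwise the NAT address of the device in between."""
    first = parse_ace(acl_lines[0])
    return first.action == "permit" and ipaddress.IPv4Address(sensor_src) in first.src


def blocked_hosts(acl_lines) -> list:
    """Return the single hosts denied by the ACL, i.e. the sensor's block entries."""
    return [str(a.src.network_address) for a in map(parse_ace, acl_lines)
            if a.action == "deny" and a.src.prefixlen == 32]


def diagnose(acl_lines, sensor_src: str) -> dict:
    """Summarise the two failure modes discussed in the thread."""
    return {
        "sensor_permitted": sensor_permitted_first(acl_lines, sensor_src),
        "blocks_present": bool(blocked_hosts(acl_lines)),
    }


SENSOR_IP = "192.168.10.20"     # constructed: the 4210's own address
WRONG_NAT_IP = "10.0.0.1"        # constructed: a NAT address entered by mistake
ATTACKER_IP = "203.0.113.7"      # constructed: a host the sensor has blocked

# Constructed ACL as the sensor is assumed to write it: sensor permit first,
# then a pre-block entry, the block itself, then the post-block entry.
HEALTHY_ACL = [
    f"permit ip host {SENSOR_IP} any",
    "permit ip 192.168.10.0 0.0.0.255 any",
    f"deny ip host {ATTACKER_IP} any",
    "permit ip any any",
]
# Constructed: the symptom in the question, only the permit line survived the reboot.
AFTER_REBOOT_ACL = [f"permit ip host {SENSOR_IP} any"]
# Constructed: the NAT field named an address the sensor never connects from.
WRONG_NAT_ACL = [
    f"permit ip host {WRONG_NAT_IP} any",
    f"deny ip host {ATTACKER_IP} any",
    "permit ip any any",
]

if __name__ == "__main__":
    for name, acl in (("healthy", HEALTHY_ACL),
                      ("after reboot", AFTER_REBOOT_ACL),
                      ("wrong NAT", WRONG_NAT_ACL)):
        print(f"{name:13} {diagnose(acl, SENSOR_IP)}")
```

Paste the output of `show access-lists` for the sensor-created ACL into a list of lines and pass the address the router actually sees the sensor coming from; `sensor_permitted` false points at the NAT-field problem Marco describes, while `blocks_present` false on an ACL that should carry blocks matches the post-reboot symptom in the question.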
09-07-2004 01:36 PM
You can use IDM to check for errors. Go to Monitoring/Events. Set it up to see all errors for the past hour and look for any error messages from NAC.
Make sure there are not two devices managing the same router (Marco mentions this above). The IP address should be the one for your 4210.