Problems with blocking

Unanswered Question
Aug 11th, 2010

Hello

I use an IDSM and I've been trying to get the blocking feature to work for some time now. The sensor is running only in promiscuous mode and my goal is to use our FWSM or the Cisco 7301 Internet-facing router to block off attacks; however, I cannot get either option to work.


When trying to block using the 7301 I get

"Unable to execute a host block [xxx.xxx.xxx.xxx] on [xxx.xxx.xxx.xx] because no blocking interfaces are configured  name=errSystemError"


My IDSM configuration for the device is

  NetDevice
      Type = Cisco
      IP = xxx.xxx.xxx.xxx
      NATAddr = 0.0.0.0
      Communications = ssh-3des
      ResponseCapabilities = block|rateLimit
      BlockInterface
         InterfaceName = GigabitEthernet0/2
         InterfaceDirection = in
         InterfacePreBlock = 100
         InterfacePostBlock = 110


When trying the FWSM I get

  errorMessage: firewall [xxx.xxx.xxx.xxx] can not perform this connection block : src ip [Public attacker IP] src port [2595] dest addr [masqueraded internal IP] dest port [80].  name=errSystemError 

The special issue with the IDSM-FWSM is that I use VLAN capture to gather an entire VLAN transporting unencrypted data between our Co-Lo sites; my guess is that the IDSM or the FWSM cannot understand which interface should be used with the shun.


Two different errors giving me the same problem, no blocking option. Anyone have any ideas?


Regards

Fredrik

Scott Fringer (Cisco Employee) Mon, 08/16/2010 - 05:14

Fredrik;


  What versions of software are running on the involved devices (IDSM-2, FWSM, 7301)?


  I note that the 7300 series is not currently listed as supported for blocking.


  What is the full output of 'sh stat net' command issued from the IDSM-2 CLI?


  The issue may be due to the fact that the shun command does not support connection or network blocking, but only host blocking. Also, per the user guide, blocking is not supported in multiple mode admin context. This is discussed here:


http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_blocking.html#wp1058089


Scott

avanzaadmin Thu, 08/19/2010 - 03:36

I have an apology to extend to those spending time on my issue. After a few hours of troubleshooting I found the answer but forgot to post an update.

The problem was that the public keys under "known hosts" didn't match the target IPs anymore. I hadn't used blocking for a while and a few firewall failovers and a hardware change caused a mismatch. The bad thing is that the logging on the IDSMs couldn't show this.


Regards

Fredrik
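The root cause above (stale SSH host keys for the blocking devices after failovers and a hardware swap, with nothing in the sensor logs pointing at it) is the kind of drift that is cheap to check for before blocking is relied on. The script below is an added example, not code from the thread or from Cisco: it parses a stored host-key list in OpenSSH known_hosts layout (an assumption; the IPS CLI keeps its own format), computes SHA256 fingerprints, and reports each blocking device whose currently presented key no longer matches. All IPs and key blobs are constructed sample data.

```python
import base64
import hashlib


def _blob(raw: bytes) -> str:
    """Base64-encode a constructed key body (stands in for a real key blob)."""
    return base64.b64encode(raw).decode()


# Constructed sample: what the sensor stored when blocking was last set up.
# 192.0.2.1 is the 7301 router, 192.0.2.2 the FWSM (documentation addresses).
STORED_KNOWN_HOSTS = "\n".join([
    "# blocking devices",
    f"192.0.2.1 ssh-rsa {_blob(b'7301-key-before-hardware-change')}",
    f"192.0.2.2 ssh-rsa {_blob(b'fwsm-key')}",
])

# Constructed sample: keys the devices present now (the 7301 was replaced).
PRESENTED_NOW = {
    "192.0.2.1": ("ssh-rsa", _blob(b"7301-key-after-hardware-change")),
    "192.0.2.2": ("ssh-rsa", _blob(b"fwsm-key")),
}


def sha256_fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (unpadded)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map each host in a known_hosts-layout listing to (keytype, fingerprint)."""
    stored = {}
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # skip blank lines, comments and malformed entries
        for host in parts[0].split(","):
            stored[host] = (parts[1], sha256_fingerprint(parts[2]))
    return stored


def check_blocking_devices(stored: dict, presented: dict) -> list:
    """Return (ip, reason) for every device whose key no longer matches."""
    problems = []
    for ip, (ktype, blob) in presented.items():
        now = (ktype, sha256_fingerprint(blob))
        if ip not in stored:
            problems.append((ip, "no stored host key"))
        elif stored[ip] != now:
            problems.append((ip, f"mismatch stored={stored[ip][1]} now={now[1]}"))
    return problems
```

Run against the constructed data, the 7301 is flagged and the FWSM passes; a clean list is what to expect before enabling blocking after any failover or hardware replacement.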
