ISE version 1.3 and static route not working

cciesec2011
Level 3

This command works without any issues with ISE version 1.1 and 1.2:

ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1
However, it does NOT work in ISE version 1.3.  See below:

ciscoisedev/admin(config)# ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1
% Warning: Could not find outgoing interface for gateway 127.0.0.1 while trying to add the route.

% Error: Error adding static route.
ciscoisedev/admin(config)#
Any ideas anyone?
5 Replies

nspasov
Cisco Employee

This might be a dumb question as I have never seen this done before but what exactly are you trying to accomplish and why do you need a static route that points to the local host? :)

I guess you are not very familiar with Unix/Linux :-)

This static route will essentially null-route traffic from 192.168.1.1.

On a Cisco IOS router, you have "ip route 192.168.1.1 255.255.255.255 null0".

On a regular Linux system: ip route add blackhole 192.168.1.1

In other words, I do NOT want host 192.168.1.1 to be connected to the ISE.

After all, ISE is based on CentOS Linux, right?

Yep, totally a Cisco guy and know enough in Linux to break things :) Now it makes sense what you are trying to do. You are basically killing the traffic sourced from ISE and going to 192.168.1.1. I just tested this on my ISE box (1.2) and it is indeed a valid option that appears to have been removed in 1.3

Yes, ISE is based on ADE-OS

Now, let me ask you one more question. Are you trying to restrict reachability to the ISE Admin GUI or the stripped-down version of the Unix shell? Or both?
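As an added example (not from the thread, and not Cisco's code), a small Python model of the two behaviours discussed above: a longest-prefix lookup showing why a /32 host route whose next hop is 127.0.0.1 acts as a null route, beside a gateway check that reproduces the 1.3 rejection. The interface name and addresses are constructed, and the idea that 1.3 validates the gateway against a connected interface is an assumption drawn from the error text, not something the post confirms.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def parse_ade_route(cmd):
    """Parse the ADE-OS form used in the thread: ip route <dest> <mask> gateway <gw>."""
    p = cmd.split()
    if len(p) != 6 or p[:2] != ["ip", "route"] or p[4] != "gateway":
        raise ValueError(f"unrecognized route syntax: {cmd!r}")
    dest = ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False)
    return dest, ipaddress.ip_address(p[5])

def outgoing_interface(gateway, interfaces):
    """Name of the connected interface whose subnet holds the gateway, else None.
    interfaces: {name: "addr/prefix"}. Loopback is deliberately absent, which is
    exactly what the 1.3 message complains about for 127.0.0.1."""
    for name, cidr in interfaces.items():
        if gateway in ipaddress.ip_interface(cidr).network:
            return name
    return None

def add_static_route(cmd, interfaces, check_gateway=True):
    """Return (accepted, message). check_gateway=True models the assumed 1.3
    validation; False models 1.1/1.2, which accepted the route as posted."""
    dest, gw = parse_ade_route(cmd)
    if check_gateway and outgoing_interface(gw, interfaces) is None:
        return False, f"Could not find outgoing interface for gateway {gw}"
    return True, f"{dest} via {gw} added"

def is_blackhole(gateway):
    """A next hop inside 127.0.0.0/8 never leaves the box: the null-route effect."""
    return ipaddress.ip_address(gateway) in LOOPBACK

def lookup(table, dst):
    """Longest-prefix match over [(network, gateway)]; returns the chosen gateway."""
    d = ipaddress.ip_address(dst)
    best = None
    for net, gw in table:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

# Constructed lab values: one data interface, a default route, and the thread's host route.
IFACES = {"GigabitEthernet 0": "10.1.1.5/24"}
ROUTE_CMD = "ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1"
TABLE = [(ipaddress.ip_network("0.0.0.0/0"), "10.1.1.1"),
         (parse_ade_route(ROUTE_CMD)[0], "127.0.0.1")]
```

Running add_static_route(ROUTE_CMD, IFACES, check_gateway=False) accepts the route (the 1.2 behaviour), while the default call rejects it with the same wording the post shows; lookup(TABLE, "192.168.1.1") then picks the /32 over the default route and lands on the loopback next hop.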

Both. I want to prevent the host 192.168.1.1 from communicating with the ISE.

In other words, I want to do the same thing as an IOS router "null" route.

So it appears that there is no option to lock down access to the shell now that the command that you used to use is no longer valid. What is worse is that there isn't an option to create an ACL in the shell that you could attach to the interface. So I would recommend that you create a defect with Cisco TAC and get this re-added or request that ACL functionality is added.

For the GUI (in case you were not already aware of this), you can restrict access from Administration > Admin Access > Settings > Access > IP Access