I have a 4215 that I have set up inline. In addition, I have given it the ability to use a PIX to block hosts. When the sensor tries to log in to the PIX, it triggers the "multiple rapid ssh connections" signature and adds the sensor's IP address to the "Denied Attackers" list. This happens even though the checkbox for "allow the sensor ip address to be blocked" is unchecked AND the IP address of the sensor is in the "Never block" list.
The sensor is running the latest 5.0(4) and the latest signature.
Do I ALSO have to create an event filter for this?
Does the login to the PIX fail for some other reason (SSH keys not transferred offline, incorrect login credentials, etc.)? The only reason the IPS would try to log in multiple times is if the login fails, so if you fix that, it should resolve the problem.
On the sensor run the following command to ensure that the PIX's public key is added and trusted to the IPS:
You should see the fingerprint displayed; then, as long as you have set up the login credentials correctly on the sensor, it should be able to log in fine (and only once).
I've discovered through experimentation that blocking has nothing to do with the inline dropping of packets. So even if you put something on the "never block" list, you also have to create exceptions to the signatures which drop packets inline...
This is some frustrating and cumbersome equipment they have developed... I'll be looking at MARS next week, maybe that will change my mind... But we're probably not allowed to complain here.