10-09-2013 03:51 AM - edited 03-10-2019 06:04 AM
Hi,
I'm trying to configure remote blocking on one router interface. I added: ‘device login profile’, ‘blocking device’ and ‘router blocking device interfaces’. I see the IPS established connection with the router:
Extended IP access list IDS_FastEthernet0/1_in_0
10 permit ip host 10.0.10.15 any
20 permit ip any any (311041 matches)
Then I tried ping/UDP floods, and none of these attacks are seen under Monitor->Events (I enabled ‘show attack response controller events’).
When the traffic is going through the IPS everything is logged properly; the problem is only with the remote device (ARC). Are there any requirements which I missed?
Rack1IPS# show statistics network-access
Current Configuration
   LogAllBlockEventsAndSensors = true
   EnableNvramWrite = false
   EnableAclLogging = false
   AllowSensorBlock = false
   BlockMaxEntries = 250
   MaxDeviceInterfaces = 250
   NetDevice
      Type = Cisco
      IP = 150.50.0.1
      NATAddr = 0.0.0.0
      Communications = telnet
      ResponseCapabilities = block
      BlockInterface
         InterfaceName = FastEthernet0/1
         InterfaceDirection = in
         InterfacePostBlock = POST-ACL
State
   BlockEnable = true
   NetDevice
      IP = 150.50.0.1
      AclSupport = uses Named ACLs
      Version = 0
      State = Inactive
Rack1IPS#
I also tried with post-acl but the result is the same.
Regards
Hubert
10-09-2013 10:00 PM
Hello Hubert,
Have you enabled the following actions on the signatures you are trying to fire:
Request block host
or
Request block connection
?
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
10-16-2013 12:57 PM
Hello Julio,
Yes, I defined these actions and I added 'log' to see the traffic, but no luck.
Thanks
Hubert