
Attack Response Controller

hubertzw
Level 1

Hi,

I'm trying to configure remote blocking on one router interface. I added: 'device login profile', 'blocking device' and 'router blocking device interfaces'. I see the IPS established a connection with the router:

Extended IP access list IDS_FastEthernet0/1_in_0
    10 permit ip host 10.0.10.15 any
    20 permit ip any any (311041 matches)

And then I tried a ping/udp flood, but none of these attacks are shown under Monitor->Events (I enabled 'show attack response controller events').

When the traffic goes through the IPS everything is logged properly; the problem is only with the remote device (ARC). Are there any requirements I missed?

Rack1IPS# show statistics network-access
Current Configuration
   LogAllBlockEventsAndSensors = true
   EnableNvramWrite = false
   EnableAclLogging = false
   AllowSensorBlock = false
   BlockMaxEntries = 250
   MaxDeviceInterfaces = 250
   NetDevice
      Type = Cisco
      IP = 150.50.0.1
      NATAddr = 0.0.0.0
      Communications = telnet
      ResponseCapabilities = block
      BlockInterface
         InterfaceName = FastEthernet0/1
         InterfaceDirection = in
         InterfacePostBlock = POST-ACL
State
   BlockEnable = true
   NetDevice
      IP = 150.50.0.1
      AclSupport = uses Named ACLs
      Version = 0
      State = Inactive
Rack1IPS#

I also tried without the post-ACL, but the result is the same.

Regards

Hubert
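As an added example (not part of the original thread and not a Cisco tool), a small Python check that parses the `show statistics network-access` output pasted above and flags what keeps ARC from blocking, most importantly the managed device sitting in `State = Inactive`; the sample text below is a constructed copy of the poster's output.

```python
"""Health check for the ARC section of `show statistics network-access`.

Parses the indented key/value output into nested dicts and reports
conditions a defender would want fixed before expecting remote blocks.
"""

# Constructed sample input, modelled on the output quoted in the thread.
SAMPLE = """\
Current Configuration
   LogAllBlockEventsAndSensors = true
   EnableNvramWrite = false
   EnableAclLogging = false
   NetDevice
      Type = Cisco
      IP = 150.50.0.1
      Communications = telnet
      ResponseCapabilities = block
State
   BlockEnable = true
   NetDevice
      IP = 150.50.0.1
      AclSupport = uses Named ACLs
      State = Inactive
"""

def parse(text):
    """Turn indentation-based sensor output into nested dicts keyed by label."""
    root, stack = {}, [(-1, None)]
    stack[0] = (-1, root)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        while indent <= stack[-1][0]:       # leave blocks we have outdented from
            stack.pop()
        key, sep, val = raw.strip().partition(" = ")
        if sep:
            stack[-1][1][key] = val          # leaf: "Name = value"
        else:
            node = {}
            stack[-1][1][key] = node         # section header: push a new level
            stack.append((indent, node))
    return root

def check(text):
    """Return a list of findings; an empty list means ARC looks healthy."""
    cfg = parse(text)
    conf = cfg.get("Current Configuration", {})
    dev_cfg, dev_state = conf.get("NetDevice", {}), cfg.get("State", {}).get("NetDevice", {})
    findings = []
    if cfg.get("State", {}).get("BlockEnable") != "true":
        findings.append("BlockEnable is not true: ARC will not push any blocks")
    if dev_state.get("State") != "Active":
        findings.append("device %s is %s: ARC is not managing it, so no ACL is pushed on events"
                        % (dev_state.get("IP"), dev_state.get("State")))
    if dev_cfg.get("Communications", "").lower() == "telnet":
        findings.append("device managed over telnet: credentials and ACL pushes are cleartext, prefer ssh")
    if conf.get("EnableAclLogging") != "true":
        findings.append("EnableAclLogging is false: pushed ACL entries carry no log keyword")
    return findings

if __name__ == "__main__":
    for finding in check(SAMPLE):
        print("-", finding)
```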

2 Replies

Julio Carvajal
VIP Alumni

Hello Hubert,

Have you enabled the following actions on the signatures you are trying to fire?

     Request block host

or

     Request block connection

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

Yes, I defined these actions and I added 'log' to see the traffic, but no luck.

Thanks

Hubert
