I think this should be pretty straightforward, but am having an impossible time getting blocking to work. I have an IPS 4240 with software version 6 and have configured many login profiles to try to get my ASA to shun a host triggering a signature using the host block option. Setup is host -> switch -> IPS spanning uplink port -> router -> ASA -> Internet
I've tried manually adding the block on the host and while it appears in the active host blocks monitoring section, the host is still able to reach anywhere on the Internet. I also see an ARC event stating wrong username/password combination. Seems like a simple fix, but I'm fairly sure I'm putting the correct username and password in. I've retrieved the SSH key from the ASA while on the IPS and have tried using telnet also. I've enabled any host on my LAN to telnet to the PIX in an effort to troubleshoot, but it's not working either. I'm using Cisco ACS with my ASA, and have tried domain\username and firstname.lastname@example.org and just plain username, but none work.
We've had shunning between a 5.x sensor and ASA working. To troubleshoot, use Telnet between the sensor and the ASA. Then sniff the traffic using Ethereal/Wireshark. Follow the TCP session to watch the commands between the two; this should show you where things are going wrong.
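Following the TCP session as the reply suggests, here is an added example that is not part of this thread and not Cisco code: a small Python script that takes the two directions of a captured Telnet login (the payloads below are constructed for illustration, not taken from the poster's capture), strips the Telnet option negotiation bytes that Wireshark shows interleaved with the text, and reports exactly which bytes were sent in answer to each `Username:` / `Password:` prompt. Showing the answers with `repr` makes trailing spaces, tabs, or the NUL byte Telnet places after a bare CR visible instead of rendering as blank space, which is the kind of thing that produces a "wrong username/password" event on the sensor while the same credentials work when typed by hand.

```python
import re

# Telnet command bytes (RFC 854). An IAC (0xFF) starts a command sequence;
# these sequences are what Wireshark shows interleaved with the login text.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Return only the application bytes, removing IAC command sequences."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:
            break  # truncated IAC at end of capture
        cmd = data[i + 1]
        if cmd == IAC:            # IAC IAC is an escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):   # three-byte option negotiation
            i += 3
        elif cmd == SB:           # subnegotiation runs until IAC SE
            j = data.find(bytes([IAC, SE]), i + 2)
            i = n if j < 0 else j + 2
        else:                     # any other two-byte command
            i += 2
    return bytes(out)


def reassemble(segments, direction: str) -> bytes:
    """Join the payloads of one direction, as 'Follow TCP Stream' does."""
    return b"".join(payload for d, payload in segments if d == direction)


def find_issues(answer: bytes):
    """List anomalies in one line the client sent in answer to a prompt."""
    issues = []
    if answer != answer.rstrip(b" \t"):
        issues.append("trailing whitespace")
    if answer != answer.lstrip(b" \t"):
        issues.append("leading whitespace")
    for b in answer:
        if b < 0x20 or b == 0x7F or b >= 0x80:
            tag = "control or non-ASCII byte 0x%02x" % b
            if tag not in issues:
                issues.append(tag)
    return issues


def analyze_login(segments):
    """Pair each Username:/Password: prompt with the raw bytes sent back."""
    server = strip_telnet_negotiation(reassemble(segments, "server"))
    client = strip_telnet_negotiation(reassemble(segments, "client"))
    prompts = [p.decode() for p in re.findall(rb"(Username|Password):", server)]
    # Telnet terminates lines with CR LF or CR NUL; keep the text before the CR.
    answers = re.split(rb"\r[\n\x00]?", client)
    if answers and answers[-1] == b"":
        answers.pop()  # nothing after the final line terminator
    return [
        {"prompt": p, "raw": a, "issues": find_issues(a)}
        for p, a in zip(prompts, answers)
    ]


# Constructed sample session (hypothetical payloads, labelled as such).
# Each tuple is one TCP segment's payload and the direction it travelled.
CAPTURE = [
    ("server", b"\xff\xfb\x01\xff\xfb\x03"),   # IAC WILL ECHO, IAC WILL SGA
    ("client", b"\xff\xfd\x01\xff\xfd\x03"),   # IAC DO ECHO, IAC DO SGA
    ("server", b"\r\nUser Access Verification\r\n\r\nUsername: "),
    ("client", b"ips-block \r\x00"),           # trailing space, then CR NUL
    ("server", b"Password: "),
    ("client", b"EXAMPLE\tPASS\r\n"),          # a tab where a space was meant
    ("server", b"\r\n(constructed rejection message)\r\n\r\nUsername: "),
]

if __name__ == "__main__":
    for r in analyze_login(CAPTURE):
        print("%-8s -> %-20r issues: %s" % (r["prompt"], r["raw"], r["issues"]))
```

Feed it the two directions of the real sensor-to-ASA session exported from Wireshark and compare the reported bytes against what you type interactively; any flagged whitespace or control byte is the first thing to correct in the sensor's login profile.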
I've not been able to use the telnet or ssh command from the CLI on the sensor, and don't see that option from the GUI either. I've tried twice sniffing traffic from the inside interface of my ASA during a test attempt to trigger the block and found only ACKs, and some data containing the message banner, username and password. The username and password looked to both have unusual spaces between them, but I'm not sure if that's just how Ethereal displays the contents or not. I'm definitely able to telnet to my ASA from my desktop using my domain creds and Cisco ACS. Event Viewer logs from the IPS continue to read