New Member

Blocking

I have a 4215 with its monitoring interface plugged in to a hub, which is connected to the dmz interface, and the hub then uplinks to a switch to extend the amount of ports available on the DMZ. I have configured a signature to perform blocking, but when it tries to telnet to the PIX to perform the shun, the ACL prohibits the connection. I get a syslog message:

Aug 18 2006 10:31:12: %PIX-3-710003: TCP access denied by ACL from 10.4.0.3/34986 to inside:10.4.0.2/23

Those addresses are the inside addresses of the IPS and the PIX. I think the "ACL" is the default ACL since I don't have any access lists configured on the PIX's inside interface. I tried using NAT to correct this so that maybe the access list I have configured on the DMZ could be adjusted, but so far no luck. I don't want to configure an access list on the inside. I want to stick with the default ACL there. Does anyone have any ideas?

thank you,

1 ACCEPTED SOLUTION
Cisco Employee

Re: Blocking

Sounds like the pix isn't config'd to allow telnet from the IPS.

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ae.html#wp1025921

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/pixemsgs.htm#wp1058145

Been a while since I've poked at the pix, but I think that you might not have explicitly allowed the IPS telnet access to it. I know these are links to 6.x commands, but I believe that pix 7.x is similar in cli structure.

Hope that helps.

2 REPLIES
Silver

Re: Blocking

You likely need to allow telnet access from the sensor to the PIX inside interface (assuming the sensor's command and control interface is on the inside). The command to execute on the PIX is below:

telnet 10.4.0.3 255.255.255.255 inside

I would recommend you use SSH, though. To setup SSH, you would have to enable SSH on the firewall from the sensor. Then, download the PIX's key to the sensor (there is a quick tool in IDM for this).

Here's the command to enable SSH on the PIX from the sensor:

ssh 10.4.0.3 255.255.255.255 inside

Please rate me if this helps. Thanks.
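As an added example (not part of this thread), the following script shows how a defender can watch PIX syslog for the %PIX-3-710003 message quoted in the question, pick out the cases where the sensor's management address is the one being denied on the telnet or SSH port (i.e. a shun that could not be applied), and print the matching permit command from the reply above. The sensor address 10.4.0.3 and the sample log lines are constructed; only the first line is the one from the question.

```python
import re

# Pattern for the %PIX-3-710003 message quoted in the question. Field layout
# follows that quoted line; other message IDs are not handled (assumption).
PIX_710003 = re.compile(
    r"%PIX-(?P<sev>\d)-710003: (?P<proto>TCP|UDP) access denied by ACL "
    r"from (?P<src>\d+(?:\.\d+){3})/(?P<sport>\d+) "
    r"to (?P<iface>\w+):(?P<dst>\d+(?:\.\d+){3})/(?P<dport>\d+)"
)

# Ports the sensor uses to reach the PIX for blocking: telnet (question) or ssh (reply).
MGMT_PORTS = {23: "telnet", 22: "ssh"}


def parse_710003(line):
    """Return the fields of a 710003 'access denied by ACL' message, or None."""
    m = PIX_710003.search(line)
    if m is None:
        return None
    d = m.groupdict()
    for k in ("sev", "sport", "dport"):
        d[k] = int(d[k])
    return d


def sensor_block_failures(lines, sensor_ip):
    """Find denied sensor->PIX management connections (a shun that could not be
    applied) and pair each with the PIX command from the reply that permits it."""
    findings = []
    for line in lines:
        ev = parse_710003(line)
        if ev is None or ev["src"] != sensor_ip or ev["dport"] not in MGMT_PORTS:
            continue
        cmd = f"{MGMT_PORTS[ev['dport']]} {sensor_ip} 255.255.255.255 {ev['iface']}"
        findings.append((ev, cmd))
    return findings


# Constructed sample syslog lines; the first is the one quoted in the question.
SAMPLE_LOG = [
    "Aug 18 2006 10:31:12: %PIX-3-710003: TCP access denied by ACL from 10.4.0.3/34986 to inside:10.4.0.2/23",
    "Aug 18 2006 10:31:40: %PIX-3-710003: TCP access denied by ACL from 10.4.0.3/34990 to inside:10.4.0.2/22",
    "Aug 18 2006 10:32:05: %PIX-3-710003: TCP access denied by ACL from 10.4.0.77/51000 to inside:10.4.0.2/23",
    "Aug 18 2006 10:32:30: %PIX-6-302013: Built inbound TCP connection 12 for inside:10.4.0.9/1025 (10.4.0.9/1025) to dmz:10.4.1.5/80 (10.4.1.5/80)",
]

if __name__ == "__main__":
    for ev, cmd in sensor_block_failures(SAMPLE_LOG, "10.4.0.3"):
        print(f"sensor {ev['src']} denied on {ev['iface']}:{ev['dport']} -> fix: {cmd}")
```

Denials from other hosts are deliberately ignored, since a 710003 from a non-sensor address on port 23 is the ACL doing its job, not a blocking failure.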
