Problems with blocking

avanzaadmin
Level 1

Hello

I use an IDSM and I've been trying to get the blocking feature to work for some time now. The sensor is running only in promiscuous mode and my goal is to use our FWSM or the Cisco 7301 Internet facing router to block off attacks however I cannot get either option to work.

When trying to block using the 7301 I get

"Unable to execute a host block [xxx.xxx.xxx.xxx] on [xxx.xxx.xxx.xx] because no blocking interfaces are configured  name=errSystemError"

My IDSM configuration for the device is

  NetDevice
      Type = Cisco
      IP = xxx.xxx.xxx.xxx
      NATAddr = 0.0.0.0
      Communications = ssh-3des
      ResponseCapabilities = block|rateLimit
      BlockInterface
         InterfaceName = GigabitEthernet0/2
         InterfaceDirection = in
         InterfacePreBlock = 100
         InterfacePostBlock = 110

When trying the FWSM I get

  errorMessage: firewall [xxx.xxx.xxx.xxx] can not perform this connection block : src ip [Public attacker IP] src port [2595] dest addr [masqueraded internal IP] dest port [80].  name=errSystemError 

The special issue with the IDSM-FWSM is that I use VLAN capture to gather an entire VLAN transporting unencrypted data between our Co-Lo sites; my guess is that the IDSM or the FWSM cannot understand which interface should be used with the shun.

Two different errors giving me the same problem, no blocking option. Anyone have any ideas?

Regards

Fredrik

2 Replies

Scott Fringer
Cisco Employee

Fredrik;

  What versions of software are running on the involved devices (IDSM-2, FWSM, 7301)?

  I note that the 7300 series is not currently listed as supported for blocking.

  What is the full output of 'sh stat net' command issued from the IDSM-2 CLI?

  The issue may be due to the nature that the shun command does not support connection or network blocking, but only host blocking.  Also, per the user guide, blocking is not supported in multiple mode admin context.  This is discussed here:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_blocking.html#wp1058089

Scott

I have an apology to extend to those spending time on my issue. After a few hours of troubleshooting I found the answer but forgot to post an update.

The problem was that the public keys under "known hosts" didn't match the target IPs anymore. I hadn't used blocking for a while and a few firewall failovers and a hardware change caused a mismatch. Bad thing is that the logging on the IDSMs couldn't show this.

Regards

Fredrik
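The check that would have caught Fredrik's root cause (stored host keys for the blocking devices no longer matching what those devices present after a failover or hardware swap), as an added example that is not code from this thread or from Cisco. It assumes an OpenSSH-style known_hosts layout rather than the sensor's own key store, and the hosts and key blobs are constructed.

```python
import base64
import hashlib


def fake_key(label: str) -> str:
    # Constructed stand-in for a public-key blob, base64 like a known_hosts entry.
    return base64.b64encode(label.encode()).decode()


# Constructed: what the sensor has stored for its blocking devices.
STORED_KNOWN_HOSTS = "\n".join([
    "# host keytype base64-key",
    f"192.0.2.1 ssh-rsa {fake_key('fwsm-key-before-failover')}",
    f"192.0.2.2 ssh-rsa {fake_key('7301-key')}",
])

# Constructed: what the devices present now. The firewall key changed after
# a failover; a third device was added but never had a key stored.
OBSERVED_KEYS = {
    "192.0.2.1": ("ssh-rsa", fake_key("fwsm-key-after-failover")),
    "192.0.2.2": ("ssh-rsa", fake_key("7301-key")),
    "192.0.2.3": ("ssh-rsa", fake_key("new-device-no-entry")),
}


def fingerprint(b64_key: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map host -> (keytype, key); blank lines and '#' comments are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, keytype, key = line.split()[:3]
        entries[host] = (keytype, key)
    return entries


def check_drift(stored_text: str, observed: dict) -> dict:
    """Return host -> 'ok', 'mismatch' (stored key differs) or 'unknown' (no entry)."""
    stored = parse_known_hosts(stored_text)
    report = {}
    for host, presented in observed.items():
        if host not in stored:
            report[host] = "unknown"
        elif stored[host] == presented:
            report[host] = "ok"
        else:
            report[host] = "mismatch"
    return report


if __name__ == "__main__":
    for host, status in check_drift(STORED_KNOWN_HOSTS, OBSERVED_KEYS).items():
        print(host, status, fingerprint(OBSERVED_KEYS[host][1]))
```

A "mismatch" or "unknown" host is exactly the case where an SSH-based block request fails before the sensor ever issues the shun, which is why the sensor's own logs only showed a generic errSystemError.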
