I use an IDSM and I've been trying to get the blocking feature to work for some time now. The sensor is running only in promiscuous mode and my goal is to use our FWSM or the Cisco 7301 Internet-facing router to block off attacks; however, I cannot get either option to work.
When trying to block using the 7301 I get:
"Unable to execute a host block [xxx.xxx.xxx.xxx] on [xxx.xxx.xxx.xx] because no blocking interfaces are configured name=errSystemError"
My IDSM configuration for the device is:
Type = Cisco
IP = xxx.xxx.xxx.xxx
NATAddr = 0.0.0.0
Communications = ssh-3des
ResponseCapabilities = block|rateLimit
InterfaceName = GigabitEthernet0/2
InterfaceDirection = in
InterfacePreBlock = 100
InterfacePostBlock = 110
When trying the FWSM I get:
errorMessage: firewall [xxx.xxx.xxx.xxx] can not perform this connection block : src ip [Public attacker IP] src port  dest addr [masqueraded internal IP] dest port . name=errSystemError
The special issue with the IDSM-FWSM is that I use VLAN capture to gather an entire VLAN transporting unencrypted data between our Co-Lo sites; my guess is that the IDSM OR the FWSM cannot understand which interface should be used with the shun.
Two different errors giving me the same problem: no blocking option. Anyone have any ideas?
What versions of software are running on the involved devices (IDSM-2, FWSM, 7301)?
I note that the 7300 series is not currently listed as supported for blocking.
What is the full output of 'sh stat net' command issued from the IDSM-2 CLI?
The issue may be due to the fact that the shun command does not support connection or network blocking, but only host blocking. Also, per the user guide, blocking is not supported in multiple-mode admin context. This is discussed here:
I have an apology to extend to those spending time on my issue. After a few hours of troubleshooting I found the answer but forgot to post an update.
The problem was that the public keys under "known hosts" didn't match the target IPs anymore. I hadn't used blocking for a while, and a few firewall failovers and a hardware change caused a mismatch. The bad thing is that the logging on the IDSMs couldn't show this.
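The root cause reported above is a stale known-hosts table on the sensor after failovers and a hardware swap. The script below is an added illustration, not IDSM or Cisco code, of how a defender can compare the sensor's stored host keys against a fresh ssh-keyscan of the blocking devices and flag exactly this kind of mismatch before a block is needed; the hosts (192.0.2.x), key blobs and line format are constructed stand-ins for the real entries.

```python
"""Detect stale SSH host keys for blocking devices (FWSM, router).

Added illustration, not sensor code. Inputs use the known_hosts /
ssh-keyscan line format "<host> <key-type> <base64-key>"; the sample
entries below are constructed, not captured from a real device.
"""
import base64
import hashlib
from typing import Dict, Tuple

Entry = Tuple[str, str]  # (key type, OpenSSH-style SHA256 fingerprint)


def parse_known_hosts(text: str) -> Dict[str, Entry]:
    """Map host -> (key type, fingerprint); comments and blanks are skipped."""
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, key_type, b64key = line.split()[:3]
        digest = hashlib.sha256(base64.b64decode(b64key)).digest()
        fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
        entries[host] = (key_type, fingerprint)
    return entries


def compare(stored: Dict[str, Entry], live: Dict[str, Entry]) -> Dict[str, str]:
    """For each stored host report 'ok', 'mismatch' (key changed) or
    'missing' (device did not answer the scan)."""
    report = {}
    for host, entry in stored.items():
        if host not in live:
            report[host] = "missing"
        elif live[host] != entry:
            report[host] = "mismatch"
        else:
            report[host] = "ok"
    return report


def _fake_key(seed: str) -> str:
    """Constructed stand-in for a real base64 public-key blob."""
    return base64.b64encode(seed.encode()).decode()


# Constructed sample: the FWSM's key changed after a failover, the router's did not.
STORED_KNOWN_HOSTS = "\n".join([
    "# sensor known-hosts table (constructed)",
    f"192.0.2.10 ssh-rsa {_fake_key('fwsm-key-before-failover')}",
    f"192.0.2.1 ssh-rsa {_fake_key('7301-key')}",
])
LIVE_SCAN = "\n".join([
    f"192.0.2.10 ssh-rsa {_fake_key('fwsm-key-after-failover')}",
    f"192.0.2.1 ssh-rsa {_fake_key('7301-key')}",
])


def stale_hosts() -> Dict[str, str]:
    """Run the comparison on the constructed sample data."""
    return compare(parse_known_hosts(STORED_KNOWN_HOSTS), parse_known_hosts(LIVE_SCAN))


if __name__ == "__main__":
    for host, status in stale_hosts().items():
        print(f"{host}: {status}")
```

Any host reported as "mismatch" is one the sensor will refuse to talk to, and therefore one on which a host block will silently fail.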