
Help Configuring PIX as Blocking Device

admin_2
Level 3

Hi!

I have IDS sensors configured to use PIXs as blocking devices. Could anyone tell me how I can configure the firewalls to let the IDS sensors modify their access lists.

I'd appreciate if you would point me to any good documentation about the subject.

Regards,

Bercy

2 Replies

marcabal
Cisco Employee

The Pix just needs to be configured to allow the sensor's IP address to telnet or ssh to the Pix.

The sensor needs to be configured to know the Pix's IP address, as well as the type of connection (telnet, or ssh) and the appropriate usernames and passwords to access the Pix.

The sensor will connect to the Pix and use a special "shun" command on the Pix. When using the Pix for blocking, the IDS does not create ACLs (like it does on the router); instead it executes the special "shun" command directly in the Pix's CLI. You can log into the Pix and use the "show shun" command to see what addresses the sensor has blocked through the Pix's shun command.

If you are using tacacs to limit the commands available to the user ID provided for login from the IDS sensor then I recommend doing the following:

Configure the Pix to allow a telnet connection from the sensor to the Pix with a userid that doesn't have any command restrictions.

Configure the sensor to telnet (instead of ssh) to the Pix.

Use tcpdump or another sniffer program to monitor the traffic between the sensor and the Pix.

Have the sensor block a few ip addresses.

If you analyze the captured traffic you will see what commands the sensor is executing in the Pix CLI. These are the commands that tacacs would need to allow for the userid being used for the sensor.

Then I would suggest switching from telnet to ssh for encrypted communications and locking down the list of available commands through tacacs if you so desire.

NOTE: I don't believe there is a documented list of which commands the sensor uses on the Pix CLI so the tcpdump method is the best method to find out what they are.
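The procedure above ends with reading a plaintext telnet capture by hand to learn which CLI commands the sensor issues, so that the TACACS command authorization for the sensor's userid can be cut down to exactly that set. As an added example (not code from the thread, Cisco, or the IDS product), the script below does that extraction over a captured session: it pulls out every command typed after a PIX prompt, separates user-mode from enable-mode commands, lists the addresses that were shunned, and reduces the commands to the keyword set a TACACS command-authorization policy would need to permit. The session text, hostname "pix" and prompt shape ("pix>" / "pix#") are constructed for the example; real capture output from tcpdump or a sniffer would need to be reassembled into the same line-oriented text first.

```python
import re
from collections import Counter

# Constructed sample of a plaintext telnet CLI session between an IDS sensor and a
# PIX, as it would look after reassembling the captured TCP stream. Hostname,
# addresses and passwords are invented; "shun" and "show shun" are the commands
# named in the thread, "no shun" is the standard negation of the shun command.
SAMPLE_SESSION = """\
User Access Verification
Password: ********
pix> enable
Password: ********
pix# shun 192.0.2.10
pix# shun 192.0.2.11
pix# show shun
shun (outside) 192.0.2.10 0.0.0.0 0 0
shun (outside) 192.0.2.11 0.0.0.0 0 0
pix# no shun 192.0.2.10
pix# exit
"""

# A prompt is <hostname> followed by '>' (user mode) or '#' (enable mode) and then
# the command text. Output lines and password prompts do not match this shape.
PROMPT_RE = re.compile(r'^(?P<host>[\w.-]+)(?P<mode>[>#])\s*(?P<cmd>.+?)\s*$')


def extract_commands(session_text):
    """Return [(mode, command), ...] for every command typed after a prompt."""
    commands = []
    for line in session_text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            commands.append((m.group('mode'), m.group('cmd')))
    return commands


def command_keyword(cmd):
    """Reduce a command to the keyword TACACS would authorize on.

    'show' and 'no' are qualified by the next word so that 'show shun' and
    'no shun' are distinct from 'shun' itself; all others keep the first word.
    """
    words = cmd.split()
    if words[0] in ('show', 'no') and len(words) > 1:
        return ' '.join(words[:2])
    return words[0]


def required_command_set(commands):
    """Sorted list of distinct command keywords seen in the session."""
    return sorted({command_keyword(cmd) for _, cmd in commands})


def privileged_commands(commands):
    """Commands that were issued from enable mode (prompt ending in '#')."""
    return [cmd for mode, cmd in commands if mode == '#']


def shunned_addresses(commands):
    """Source addresses the session added with a plain 'shun <ip>' command."""
    addrs = []
    for _, cmd in commands:
        words = cmd.split()
        if len(words) >= 2 and words[0] == 'shun':
            addrs.append(words[1])
    return addrs


def keyword_counts(commands):
    """How often each keyword was used; handy for spotting one-off commands."""
    return Counter(command_keyword(cmd) for _, cmd in commands)


if __name__ == '__main__':
    cmds = extract_commands(SAMPLE_SESSION)
    print('commands issued:', len(cmds))
    print('enable-mode commands:', privileged_commands(cmds))
    print('addresses shunned:', shunned_addresses(cmds))
    print('TACACS command set to permit:', required_command_set(cmds))
    print('usage counts:', dict(keyword_counts(cmds)))
```

The keyword set is what you would feed into the TACACS command authorization for the sensor's account; anything the sensor issues that is not in that set (and "enable", which it needs to reach privileged mode) can be denied, which is the locked-down state the answer recommends after switching the sensor back to SSH.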

Not applicable

hi!

Thanks for the quick response.

Now, I get the following error when I try to add a blocking device to my IDS sensor:

Error: errNotFound Net device references a shun device config record that does not exist. Attempted configuration update was rejected. [0,3]

Any idea why this error is generated?

The sensor knows the firewall's IP, the username, the enable password, and the remote access password. SSH is enabled on the firewall. I tried adding the firewall as a trusted host, but I get the error:

Error: socket connect failed [4,111]

Any help would be appreciated. Thanks!

Bercy
