I'm running IDS 4235 with 4.1(3)S62 and a PIX with PixOS 6.3.3.
Both the sniffing and the management interface of the IDS are on the inside network of the PIX. The PIX does no NAT (NAT 0) for all traffic.
I configured the IDS to use telnet to the PIX. I can see the IDS is logging into the PIX but it did not shun on traffic.
The signatures are triggered, because I see the alarm on IEV.
If I do the same with an IOS router, the shunning works fine. Also manual blocking to the PIX is working; only if you configure automatic shunning when a signature is triggered, the IDS is just sending some space characters to the PIX (verified via capture on the PIX).
Verify on the sensor (through IDM or the CLI) that the shun action was correctly set on the signatures.
When the signatures fire, there is a field in the alert itself that will be set to True if a shun was attempted for that alert. If the field is set to False or does not exist then the sensor didn't even attempt to shun for that alert.
Once you've verified the alert has the field for shun set to true, then look at the time on the field. Now go to the sensor CLI and execute "show event nac".
You will want to verify that the information in the fields match the information in your alarm.
Now check the Pix to see if any shuns were executed. You can use the "show shun" command on the Pix to see the list of currently shunned addresses.
SIDE NOTE: When you do the "show shun" and the list contains automated shuns, you will see not just the source IP address listed, but also the destination IP, source port, and destination port. Some users have been confused, thinking that this meant it was a connection shun and not a source address host shun. Even though the connection information is listed, it is still a source address host shun. The additional connection information is just to let the Pix know to clear its connection table for that connection as well as shun the source address.
Another thing to do is look for any errors that nac may be generating.
You can execute "show event error".
Use a time and date of when your sensor was last rebooted and see if any of the errors are for NAC.
Also execute "show statistics nac" and verify that shun enable has been set to true, and that the automatic shuns are showing up in the shun list.
A last thing to try is to log in to the sensor using the account with the "service" privilege. This will get you access to the underlying Linux OS. From the "service" account you will switch to user root. As user root run the "ifconfig -a" command to determine which interface is your command and control interface. Now you can use the tcpdump command to monitor packets on your command and control interface between the sensor and the Pix.
Look for any errors the Pix may be generating, and verify if the sensor is sending the shun commands to the Pix.
For more information on running tcpdump you can refer to:
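Added example, not from the original post and not a Cisco tool: a small Python helper for the two checks above. The first function parses "show shun" output from the PIX and reconciles it with the source addresses of the alerts whose shun field was true, keeping the side note in mind (an entry that carries destination IP and ports is still a source host shun). The second function scans the decoded telnet payload from the tcpdump capture for actual shun commands, so a session that only carries space characters, as described in the question, comes back with zero commands. The "show shun" line layout, the sample lines and the alert list are assumed and constructed here; adjust the regex to what your own PIX prints.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of PIX "show shun" output (not captured from a real box).
# Assumed layout: shun (<interface>) <src_ip> <dst_ip> <sport> <dport> [proto]
# A host shun entered by hand shows 0.0.0.0 0 0 for the connection part; an
# automated shun from the sensor carries the triggering connection as well,
# but it is still a source-host shun (see the side note in the answer).
SAMPLE_SHOW_SHUN = """\
shun (inside) 10.1.1.27 0.0.0.0 0 0
shun (inside) 10.1.1.44 192.168.5.10 3412 80 6
shun (outside) 172.16.9.8 192.168.5.10 40001 22
"""

# Constructed list of alert source addresses whose shun field was true.
ALERT_SHUN_SOURCES = ["10.1.1.27", "10.1.1.44", "10.1.1.99"]

SHUN_LINE = re.compile(
    r"^\s*shun\s+\((?P<intf>[^)]+)\)\s+(?P<src>\S+)"
    r"(?:\s+(?P<dst>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)(?:\s+(?P<proto>\d+))?)?\s*$"
)


@dataclass
class ShunEntry:
    interface: str
    src: str
    dst: Optional[str]
    sport: int
    dport: int
    proto: Optional[int]

    @property
    def has_connection_info(self) -> bool:
        # True for automated shuns that also clear a connection; the shun
        # itself is still keyed on the source host either way.
        return bool(self.dst not in (None, "0.0.0.0") or self.sport or self.dport)


def parse_show_shun(text: str) -> List[ShunEntry]:
    """Parse "show shun" output into structured entries, skipping non-matching lines."""
    entries: List[ShunEntry] = []
    for line in text.splitlines():
        m = SHUN_LINE.match(line)
        if not m:
            continue
        ipaddress.ip_address(m.group("src"))  # raises ValueError on garbage
        entries.append(
            ShunEntry(
                interface=m.group("intf"),
                src=m.group("src"),
                dst=m.group("dst"),
                sport=int(m.group("sport") or 0),
                dport=int(m.group("dport") or 0),
                proto=int(m.group("proto")) if m.group("proto") else None,
            )
        )
    return entries


def reconcile(alert_sources: List[str], entries: List[ShunEntry]) -> Dict[str, List[str]]:
    """Split alert sources into those present on the PIX and those missing."""
    shunned = {e.src for e in entries}
    return {
        "present": [s for s in alert_sources if s in shunned],
        "missing": [s for s in alert_sources if s not in shunned],
    }


# Matches a shun command as typed at the PIX CLI: "shun <src_ip> ..."
SHUN_CMD = re.compile(r"\bshun\s+(\d{1,3}(?:\.\d{1,3}){3})")


def shun_commands_in_payload(payload: bytes) -> List[str]:
    """Return the source IPs of shun commands found in the sensor-to-PIX telnet
    payload (reassembled from the tcpdump capture). A whitespace-only payload,
    the symptom in the question, yields an empty list."""
    text = payload.decode("ascii", errors="replace")
    return SHUN_CMD.findall(text)


if __name__ == "__main__":
    found = parse_show_shun(SAMPLE_SHOW_SHUN)
    for e in found:
        kind = "host shun + connection clear" if e.has_connection_info else "host shun"
        print(f"{e.interface:8} {e.src:15} {kind}")
    print(reconcile(ALERT_SHUN_SOURCES, found))
    print(shun_commands_in_payload(b"   \r\n   "))  # constructed: spaces only
    print(shun_commands_in_payload(b"shun 10.1.1.44 192.168.5.10 3412 80\r\n"))
```

Run it against the real "show shun" output and the reassembled telnet payload from your capture; a source that is in "missing" while its alert had the shun field true, together with an empty command list from the payload, narrows the fault to the sensor side rather than the PIX.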