Cisco Support Community
New Member

shunHost Not Working w/PIX

IDS 4210 Version 4.0(2)S47

PIX 515UR v6.2(2)

I have several signatures configured to shunHost but the shun is not working on the PIX. It worked fine before upgrading to 4.0.

I've re-configured in IDM for the PIX to be the Blocking Device using ssh-des.

When I do a sh shun st on the PIX, I do not see any shuns after recent attacks.

Perhaps I've got ssh-des configured wrong.

Any suggestions on where to start troubleshooting?

Thanks,

Tony

3 REPLIES
Cisco Employee

Re: shunHost Not Working w/PIX

Verify that you have accepted the Pix's SSH server key on the sensor:

Go to configure terminal and execute the "ssh host-key" command for your Pix ip address. The sensor will connect to the Pix and prompt you to accept the key.

Verify that you have configured network access service correctly:

Execute "show conf" and verify that "ssh-des" is configured as the communication protocol for your Pix. Also verify that you have a "shun-device-cfg" specified for your Pix. (Note: this has caused some confusion since the "shun-device-cfg" must first be defined with the username and passwords directly under the service networkAccess command, and then again referenced when configuring the specific Pix device.)

Check the rest of the network access configuration like usernames and passwords, and ip addresses are correct.

Check "show statistics networkaccess"

This will let you know the current state of NAC (network access controller).

Additionally you can run "show events error" and provide a date and time from when the sensor was last rebooted. Then look for any errors that NAC may be reporting.

New Member

Re: shunHost Not Working w/PIX

Settings look good except for one. In the IDS under 'sh statistics networkaccess', I see STATE>NET DEVICE with the IP of the PIX. Below that I see STATE=INACTIVE.

"INACTIVE" doesn't sound good but I can't see any way to "activate" the device.

Also, I see the shuns being added in the IDS when I look at the NetworkAccess statistics. I see shuns and their time remaining. However, I do not see these in the PIX. So, obviously there's a comm problem.

All passwords and IPs are correct in NetworkAccess.

Tony

New Member

Re: shunHost Not Working w/PIX

It's working now.... On the IDS, in shun-device-cfg, I had the 'username' for the PIX entered in capital letters and it's not that way in the PIX for ssh sessions.

I changed it and it's working now.

Tony
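The checklist in the Cisco reply above (device state under "show statistics networkAccess", shuns queued on the sensor, username/password in shun-device-cfg) and the root cause Tony found (a username that differed from the PIX only in letter case) can be turned into a small offline sanity check. The script below is an added example, not code from the thread or from Cisco. The sample "show statistics networkAccess" output and the PIX config fragment are constructed for this example and only approximate the real 4.0 layout (an indented "key = value" listing with a State section holding NetDevice and ShunnedAddr entries); field names and indentation on a real sensor may differ, so treat parse_stats as a starting point.

```python
"""Added example (not from the thread): cross-check the sensor side of
IDS 4.0 -> PIX blocking before digging into SSH itself.

Assumptions (labelled): SAMPLE_STATS mimics the 4.0 "show statistics
networkAccess" layout described in the thread; PIX_CONFIG is a constructed
PIX 6.x fragment with a local `username` line used for SSH logins.
"""
import re

# Constructed sample modelled on Tony's symptoms: the PIX NetDevice shows
# Inactive while the sensor already holds shuns with minutes remaining.
SAMPLE_STATS = """\
Current Configuration
   AllowSensorShun = false
   ShunMaxEntries = 100
   NetDevice
      Type = PIX
      IP = 10.1.1.1
      Communications = ssh-des
State
   ShunEnable = true
   NetDevice
      IP = 10.1.1.1
      State = Inactive
   ShunnedAddr
      Host
         IP = 192.0.2.77
         ShunMinutes = 30
         MinutesRemaining = 28
      Host
         IP = 198.51.100.9
         ShunMinutes = 30
         MinutesRemaining = 12
"""

# Constructed PIX config fragment: note the lower-case username.
PIX_CONFIG = """\
hostname pix515
username pixuser password 3USUcOPFUiMCO4Jk encrypted privilege 15
aaa authentication ssh console LOCAL
ssh 10.1.1.20 255.255.255.255 inside
"""


def parse_stats(text):
    """Walk the indented 'key = value' listing and collect, from the State
    section only, one dict per NetDevice and one per shunned Host."""
    devices, shuns = [], []
    section = None   # top-level heading currently being read
    current = None   # dict for the NetDevice or Host being filled
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, val = (s.strip() for s in line.partition("="))
        if indent == 0:              # "Current Configuration" / "State"
            section, current = key, None
            continue
        if section != "State":
            continue
        if key == "NetDevice":
            current = {}
            devices.append(current)
        elif key == "Host":
            current = {}
            shuns.append(current)
        elif val and current is not None:
            current[key] = val
    return {"devices": devices, "shuns": shuns}


def diagnose(stats, sensor_username, pix_config):
    """Return human-readable findings. The sensor's shun-device-cfg username
    must match a PIX `username` line exactly: the comparison is
    case-sensitive, which was the actual fault in this thread."""
    findings = []
    inactive = [d for d in stats["devices"]
                if d.get("State", "").lower() != "active"]
    for dev in inactive:
        findings.append(f"device {dev.get('IP')} is {dev.get('State')}: "
                        "sensor cannot push shuns to it")
    if stats["shuns"] and inactive:
        findings.append(f"{len(stats['shuns'])} shun(s) held on the sensor "
                        "but no active blocking device to apply them")
    pix_users = re.findall(r"^username (\S+) ", pix_config, re.M)
    if sensor_username not in pix_users:
        near = [u for u in pix_users if u.lower() == sensor_username.lower()]
        hint = f" (differs only in case from PIX user '{near[0]}')" if near else ""
        findings.append(f"sensor username '{sensor_username}' is not defined "
                        f"on the PIX{hint}")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_stats(SAMPLE_STATS), "PIXUSER", PIX_CONFIG):
        print("-", line)
```

Run against real output by replacing SAMPLE_STATS with the text of "show statistics networkAccess" and PIX_CONFIG with the PIX running config; a device reported Inactive together with a case-only username mismatch is exactly the combination seen in this thread.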
