RE: PIX shun with IPS

From: Mark Snow (mark@ipexpert.com)
Date: Sun Apr 08 2007 - 14:00:22 ART

• Next message: Darby Weaver: "RE: OT-Partner Certification"
• Previous message: Josef A: "Re: removing null route from bgp aggregate command"
• Maybe in reply to: Edward Norton: "PIX shun with IPS"
• Next in thread: Edouard Zorrilla: "Re: PIX shun with IPS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Do you get the same results if you try to initiate the shun with a telnet
session from the IPS?

Can you try that and see what happens?
Also make sure that the IPS is not able to be blocked (default).

 
Mark Snow
Senior Technical Instructor - IPexpert, Inc.
CCIE #14073 (Voice, Security)
URL: http://www.IPexpert.com
Toll Free: +1.866.225.8064
International: +1.810.326.1444

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Edward Norton
Sent: Sunday, April 08, 2007 10:36 AM
To: ccielab@groupstudy.com; security@groupstudy.com
Subject: PIX shun with IPS

Folks ;
  im trying to test how the IDS can shun the PIX , i checked the previous
posts but did not find an answer
   
  I have 4215 working as IDS , i tested it with blocking to router and it
worked fine ..however when i try to do the same with PIX , it does not seem
to work .
   
  it looks to me that the IPS sensor is not able to to ssh to the pix , the
IDS CC interface and the inside of the pix on the same subnet , I am able to
ssh to the pix from software client normally ..and the IDS is able to
retrieve the RSA key normally .
   
  however when i enabled the debug on the PIX , the TCP session from the cc
interface gets terminated ..not sure why
   
  I am using IPS v5.1 and pix 7.2 ....any comments will be appreciated
   
   
   
   
   0x00FFE27A
%PIX-6-315011: SSH session from 10.1.1.4 on interface inside for user ""
disconn
ected by SSH server, reason: "TCP connection closed" (0x03)
%PIX-6-302014: Teardown TCP connection 155 for inside:10.1.1.4/32873 to NP
Ident
ity Ifc:10.1.1.254/22 duration 0:00:04 bytes 263 TCP FINs
   
  SSH0: TCP read failed, error code = 0x86300003 "TCP connection closed"
SSH0: receive SSH message: [no message ID: variable *data is NULL]
SSH0: Session disconnected by SSH server - error 0x03 "TCP connection
closed"
   
   

 
---------------------------------
8:00? 8:25? 8:40? Find a flick in no time
 with theYahoo! Search movie showtime shortcut.

• Next message: Darby Weaver: "RE: OT-Partner Certification"
• Previous message: Josef A: "Re: removing null route from bgp aggregate command"
• Maybe in reply to: Edward Norton: "PIX shun with IPS"
• Next in thread: Edouard Zorrilla: "Re: PIX shun with IPS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART