Kings,

Take a look through the IPexpert Lab3 detailed solution guide if you have it for the IPS sections. It covers both ASA and IOS blocking devices and includes rate limiting also.

Basically either algorithm should work. Where are you testing the SSH from? Double check your logs on the ASA to make sure that the IPS is not being denied.

Let me know if you still have issues.

Stu

2009/12/1 Kingsley Charles <[email protected]>

> Hi Stu
>
> Even I am facing the issue, where the shun is not initiated on the ASA. The
> events O/P informs that the ASA is unreachable.
>
> But I am able to ping and ssh to the ASA.
>
> BTW, what is the algorithm that you are using for SSH in the profile - DES or
> 3DES?
>
> With regards
> Kings
>
> On Mon, Nov 30, 2009 at 6:04 PM, Stuart Hare <[email protected]> wrote:
>
>> Kings,
>>
>> Yes the IPS will try and apply the block or rate limit to all the blocking
>> devices it manages.
>> I have only really seen an issue like this when blocking to both IOS and
>> ASA devices.
>> Double check that all the devices can be managed by the IPS, and that your
>> blocking device profiles are correct.
>>
>> Stu
>>
>> 2009/11/30 Kingsley Charles <[email protected]>
>>
>>> Hi Stuart
>>>
>>> I am just trying to trigger a request block host and rate limit.
>>>
>>> The request block host is working and I see that the sensor is
>>> configuring ACLs on the router (blocking device).
>>>
>>> If there are four blocking devices (routers) defined in the list, will
>>> the ACL be configured by the sensor on all the four devices' interfaces
>>> when the signature is triggered?
>>>
>>> With regards
>>> Kings
>>>
>>> On Mon, Nov 30, 2009 at 1:48 PM, Stuart Hare <[email protected]> wrote:
>>>
>>>> Kings,
>>>>
>>>> Do you have a specific issue? If so can you explain further?
>>>>
>>>> Generally if you are having trouble with this it's always a good idea to
>>>> check the logs of the blocking device itself, it's more likely to give you
>>>> more info as to whether the IPS can log in or why the block was failing.
>>>>
>>>> If you are doing requests to both ASA and IOS device using the sensor,
>>>> you typically will need to ignore the alerts for the ASA, when an IOS
>>>> event is triggered, as it will only support the block host / shun
>>>> requests, hence the possible failures.
>>>> It would be good to suppress these but I never managed to find a way.
>>>>
>>>> Stu
>>>>
>>>> 2009/11/30 Kingsley Charles <[email protected]>
>>>>
>>>>> Hi Stuart
>>>>>
>>>>> That's true, same here. I am not able to verify the functionality of
>>>>> request host block/rate limit because always I see login failure issues.
>>>>>
>>>>> I succeeded just once or twice.
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>> On Mon, Nov 30, 2009 at 12:03 PM, Stuart Hare <[email protected]> wrote:
>>>>>
>>>>>> Kings
>>>>>>
>>>>>> I found this a little frustrating myself especially considering when
>>>>>> you have ASA as a blocking device, you get a lot of failure messages in
>>>>>> the log due to certain methods being unsupported. Unfortunately I
>>>>>> couldn't find a way to bypass this for certain devices. Not sure whether
>>>>>> this has changed in the latest code though.
>>>>>>
>>>>>> Stu
>>>>>>
>>>>>> Sent from my iPhone
>>>>>>
>>>>>> On 30 Nov 2009, at 05:57, Kingsley Charles <[email protected]> wrote:
>>>>>>
>>>>>>> Hi all
>>>>>>>
>>>>>>> We can configure the sensor to "Request block host" and "Request Rate
>>>>>>> limit." If these actions are configured for the signatures and the
>>>>>>> signatures are triggered, request is sent to routers/switches that are
>>>>>>> present in the blocking devices list.
>>>>>>>
>>>>>>> My understanding is that the request is sent to all the devices in
>>>>>>> the blocking device list.
>>>>>>>
>>>>>>> In that case, the block request or rate limit will be also sent to
>>>>>>> devices that are not relevant to the attack.
>>>>>>>
>>>>>>> Is there any way where we can tie the blocking request or rate limit
>>>>>>> request triggered by signature to specific hosts or subset of hosts in
>>>>>>> the blocking device list defined in the sensor.
>>>>>>>
>>>>>>> With regards
>>>>>>> Kingsley Charles
>>>>>>> _______________________________________________
>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>> please visit www.ipexpert.com
