IPS box placing Customer Firewall into "Denied Attackers"

Kevin Melton
Level 2

Recently we configured an IPS 4240 for our customer. We used two of the interfaces and configured them as an "Inline Interface Pair" and put them between the customer's Edge Network and their DMZ.

While letting the Engine run last week, each time the IPS would run OK for about 3 or 4 hours, then inevitably the customer's Internet connection would stop working. Upon inspection, each time I found that the IPS unit would place the Global PAT address off of the ASA into "denied attackers". All is well each time I clear the list.

Is there any way I can configure this so that it won't block the Global PAT address of the Firewall?

Thanks

2 Replies

rhermes
Level 7

You didn't mention what version of software you're running on your 4240 or if you use the CLI, IDM or CSM to configure.

Here's the CLI configuration guides for all versions of sensor software

http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_installation_and_configuration_guides_list.html

You want to look for "Configuring Addresses Never to Block". For 6.0 the CLI command is:

sensor# configure terminal
sensor(config)# service network-access
sensor(config-net)# general
sensor(config-net-gen)# never-block-networks 10.0.0.0/8
sensor(config-net-gen)# exit
sensor(config-net)# exit
Apply Changes:?[yes]:
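As an added example (not part of this thread, and not Cisco's own tooling), the script below reads the never-block-networks lines out of a saved sensor CLI session and checks whether the ASA's Global PAT address would still land in "denied attackers", and how many addresses the exemption covers. The PAT address and the denied-attackers entries are constructed sample values.

```python
"""Audit an IPS never-block list against the firewall's PAT address."""
import ipaddress

# Constructed sample values (hypothetical, not taken from the thread):
# the ASA's global PAT address and what the sensor put in "denied attackers".
FIREWALL_PAT = "203.0.113.10"
DENIED_ATTACKERS = ["203.0.113.10", "198.51.100.77", "192.0.2.5"]


def parse_never_block(cli_lines):
    """Collect the CIDRs from 'never-block-networks' lines of a sensor CLI session."""
    nets = []
    for line in cli_lines:
        line = line.strip()
        if "never-block-networks" in line:
            cidr = line.split("never-block-networks", 1)[1].strip()
            nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def would_block(addr, never_block):
    """True if the sensor would still shun addr given the never-block list."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in never_block)


def audit(firewall_pat, denied, cli_lines):
    """Return (pat_still_blockable, entries_still_blocked, exempted_address_count).

    exempted_address_count shows how wide the exemption is: a /32 covers just
    the PAT address, while a broad prefix also exempts every other host in it.
    """
    nets = parse_never_block(cli_lines)
    blocked = [a for a in denied if would_block(a, nets)]
    exempt_count = sum(n.num_addresses for n in nets)
    return would_block(firewall_pat, nets), blocked, exempt_count


if __name__ == "__main__":
    session = ["sensor(config-net-gen)# never-block-networks 203.0.113.10/32"]
    print(audit(FIREWALL_PAT, DENIED_ATTACKERS, session))
```

Exempting the PAT address as a /32 keeps the sensor free to shun other sources, whereas a wide prefix like the /8 in the example session would also stop it from ever blocking anything else in that range.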

Our IPS is a 4240 model. Version 6.0. I have been using IDM but obviously have used CLI to configure the inherent "allow" of the one IP of the Firewall.

Thanks for the answer.

Kevin Melton

CEO

KMNR Network Resources, Inc.
