11-13-2007 07:36 AM - edited 03-10-2019 03:52 AM
Recently we configured an IPS 4240 for our customer. We used two of the interfaces and configured them as an "Inline Interface Pair" and put them between the customer's edge network and their DMZ.
While letting the engine run last week, each time the IPS would run OK for about 3 or 4 hours, then inevitably the customer's Internet connection would stop working. Upon inspection, each time I found that the IPS unit would place the global PAT address of the ASA into "denied attackers". All is well each time I clear the list.
Is there any way I can configure this so that it won't block the global PAT adx of the firewall?
Thanks
11-13-2007 09:42 AM
You didn't mention what version of software you're running on your 4240 or whether you use the CLI, IDM or CSM to configure it.
Here are the CLI configuration guides for all versions of sensor software.
You want to look for "Configuring Addresses Never to Block". For 6.0 the CLI commands are:
sensor# configure terminal
sensor(config)# service network-access
sensor(config-net)# general
sensor(config-net-gen)# never-block-networks 10.0.0.0/8
sensor(config-net-gen)# exit
sensor(config-net)# exit
Apply Changes:?[yes]:
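As an added illustration (not part of the reply above), the same procedure applied to the original poster's case: rather than exempting a whole /8, exempt only the firewall's single global PAT address with never-block-hosts, then confirm the setting and inspect or clear the denied-attackers list from the same CLI. The address 203.0.113.10 is a placeholder for the ASA's global PAT address, not a value from the thread, and the prompts shown are those of the IPS 6.0 CLI.

```text
! Assumed placeholder: 203.0.113.10 stands in for the ASA global PAT address
sensor# configure terminal
sensor(config)# service network-access
sensor(config-net)# general
! Exempt the single PAT address; prefer a host entry over a broad never-block-networks range
sensor(config-net-gen)# never-block-hosts 203.0.113.10
! Verify the entry before applying
sensor(config-net-gen)# show settings
sensor(config-net-gen)# exit
sensor(config-net)# exit
Apply Changes:?[yes]: yes
! Check whether the PAT address is currently in the deny list, and clear it if so
sensor# show statistics denied-attackers
sensor# clear denied-attackers
```

Keeping the exemption to the one PAT address preserves inline blocking for the DMZ and the rest of the edge; exempting 10.0.0.0/8 or a similarly large range would disable blocking for every source the firewall translates through that range.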
11-13-2007 11:15 AM
Our IPS is a 4240 model. Version 6.0. I have been using IDM but obviously have used CLI to configure the inherent "allow" of the one IP of the Firewall.
Thanks for the answer.
Kevin Melton
CEO
KMNR Network Resources, Inc.