IPS box placing Customer Firewall into "Denied Attackers"

Unanswered Question
Nov 13th, 2007

Recently we configured an IPS 4240 for our customer. We used two of the interfaces and configured them as an "Inline Interface Pair" and put them between the customer's Edge Network and their DMZ.

While letting the Engine run last week, each time the IPS would run OK for about 3 or 4 hours, then inevitably the customer's Internet connection would stop working. Upon inspection, each time I found that the IPS unit would place the Global PAT address off of the ASA into "denied attackers". All is well each time I clear the list.

Is there any way I can configure this so that it won't block the Global PAT adx of the Firewall?


rhermes Tue, 11/13/2007 - 09:42

You didn't mention what version of software you're running on your 4240 or if you use the CLI, IDM or CSM to configure.

Here are the CLI configuration guides for all versions of sensor software


You want to look for "Configuring Addresses Never to Block". For 6.0 the CLI command is:

sensor# configure terminal
sensor(config)# service network-access
sensor(config-net)# general
sensor(config-net-gen)# never-block-networks <network>/<prefix-length>
sensor(config-net-gen)# exit
sensor(config-net)# exit
Apply Changes:?[yes]:
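
An added pre-change check (not from this thread and not Cisco code) that reviews a proposed never-block list before it is applied: it confirms the ASA's Global PAT address is actually covered and flags entries broad enough to exempt far more than the firewall. The PAT address 203.0.113.10 and the candidate entries are constructed example values.

```python
import ipaddress

# Constructed example: the ASA's Global PAT address that kept landing in "denied attackers".
FIREWALL_PAT = "203.0.113.10"


def covers_address(never_block, address):
    """True if any never-block entry (a host or a CIDR network) contains the address."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in never_block)


def review_never_block(never_block, required, max_prefix_width=24):
    """Review a proposed never-block-networks list.

    never_block: entries as they would be typed after 'never-block-networks'.
    required:    addresses that must never be blocked (e.g. the PAT address).
    Returns which required addresses are still unprotected and which entries are
    so wide (shorter prefix than max_prefix_width) that they switch blocking off
    for a large range instead of just the firewall.
    """
    missing = [a for a in required if not covers_address(never_block, a)]
    too_broad = [
        e for e in never_block
        if ipaddress.ip_network(e, strict=False).prefixlen < max_prefix_width
    ]
    return {"missing": missing, "too_broad": too_broad, "ok": not missing and not too_broad}


def render_cli(never_block):
    """Render the sensor CLI lines for the reviewed entries (IPS 6.0 syntax as posted above)."""
    lines = ["configure terminal", "service network-access", "general"]
    lines += [f"never-block-networks {e}" for e in never_block]
    lines += ["exit", "exit"]
    return lines


if __name__ == "__main__":
    proposal = [f"{FIREWALL_PAT}/32"]          # exempt only the PAT address itself
    print(review_never_block(proposal, [FIREWALL_PAT]))
    print("\n".join(render_cli(proposal)))
```

Run it against the list you intend to type in before applying the change; a /32 for the PAT address is the narrowest exemption that fixes the outage described above.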

Kevin Melton Tue, 11/13/2007 - 11:15

Our IPS is a 4240 model. Version 6.0. I have been using IDM but obviously have used CLI to configure the inherent "allow" of the one IP of the Firewall.

Thanks for the answer.

Kevin Melton


KMNR Network Resources, Inc.

