Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
358
Views
0
Helpful
1
Replies

IPS blocking problem

wasiimcisco
Level 1
Level 1

‎02-27-2008 02:58 PM - edited ‎03-10-2019 04:01 AM

Dear Marco ,

I am having a strange problem. Please help me out.

I made a TCP string base structure. Stringe is google. I configured the following Event actions for that signature.

Deny connection Inline

Request Block host

Produce Alert

Reset TCP COnnection

non blocking IP address is my Sensor IP addresses.

I have two internet routers connected with seperate ISP. Everything is working fine. In blocking devices I configured my second ISP router.So that when users who are using Internet of 2nd ISP browse Google. Their connection drop.

But as soon as I did this, Everything stop working. No browsing no internet connection at all. Even On Router A. Global IP of Router A even got block.

Before IPS block action i saw following access-list entries.

Router access-list is below

ip access-list extended IDS_GigabitEthernet0/1_in_0

permit ip host 172.28.92.50 any

permit ip any any

During

10 permit ip host 172.28.92.50 any (51 matches)

20 deny ip host x.x.188.38 any

30 deny ip host x.x.188.37 any

40 deny ip host x.x.188.39 any

50 permit ip any any (449 matches)

There is no pre and post acl configuration.No access-list is configured on router. Except the access-list that IPS will apply.

before this configuration I was assuming that whenever specific users who supposed to use 2nd Internet Router will be block when the try to open google.

But during blockage. Router in which IPS applied the access-list. I see in the access-list that router access-list that applied by the IPs

includes my all global IP addresses. Though these IP addressses are being used by router A for natting.

why it is so. How to solve this problem.

Labels:
0 Helpful
1 Reply 1

smahbub
Level 6
Level 6

‎03-04-2008 01:32 PM

Log into the Intrusion Detection Sensor (IDS) using the service account and Secure Shell (SSH) to the PIX Firewall. This process provides the ability to accept the host key.

Once this is done, a manual shun is performed successfully. There is output from the show shun command that corresponds to the manual shun event configured on the IDS. Refer to the IDS show stat net command output. The shun should be "State=Active".

For more information, refer to Module Installation and Configuration Guide.

http://www.cisco.com/en/US/docs/security/ips/4.0/installation/guide/hwchap4.html

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card