SSM IPS blocking via ASA

Answered Question
Mar 20th, 2008

I have set up my ASA as a blocking device in my SSM-10. That part works fine. The problem is I had defined local networks in the "Never Block Addresses" configuration box. Before long, the ASA had in fact shunned an address which was part of that "never block addresses" configuration. Does this configuration work when using ASA, or does it only work for IOS?

If it doesn't work, is the alternative to write an Event Action Filter to subtract the Block Host action?

Correct Answer by marcabal about 8 years 8 months ago

When posting please include the software versions you are using.

There is a known bug in 5.1(7) and earlier where the Never Block is not preventing blocks for Addresses that are within a Network address in the Never Block list.

CSCeh83037

However, this issue was fixed in 6.0 before 6.0(1) was released.

So if running 5.1 then you are likely hitting this known issue.

But if running 6.0 this may be a new issue.

And as you've stated, using an Event Action Filter to prevent the block request in the first place for those addresses is a good workaround. This workaround is also listed in the release notes for the bug mentioned above.
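As an added illustration (not code from this thread or from Cisco), here is a small Python model of the decision marcabal describes: a never-block list that is only compared by exact address lets a host inside a listed network through to the blocking ASA, a containment check does not, and an Event Action Filter that strips the block action before the decision works either way. The mechanism of the bug, the sample addresses and the action names are assumptions made for the illustration.

```python
# Model of a sensor's block-request decision (constructed example; not the
# actual IPS code). Shows why a never-block list matched only by exact address
# misses hosts that fall inside a listed network, and how an event action
# filter that removes the block action first sidesteps the problem.
import ipaddress

# Constructed never-block list: one network entry and one single host entry.
NEVER_BLOCK = ["10.1.0.0/16", "192.168.5.7"]


def never_block_exact(addr, entries):
    """Assumed buggy behaviour: only an entry equal to the address matches,
    so the /16 entry protects nothing but its own base address."""
    return any(addr == entry.split("/")[0] for entry in entries)


def never_block_contains(addr, entries):
    """Correct check: the address may lie inside a listed network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(entry, strict=False)
               for entry in entries)


def apply_filters(alert, filters):
    """Event action filter model: for alerts whose attacker address falls in
    a filter's range, remove the listed actions before anything else runs."""
    ip = ipaddress.ip_address(alert["attacker"])
    actions = set(alert["actions"])
    for flt in filters:
        if ip in ipaddress.ip_network(flt["attacker_range"], strict=False):
            actions -= set(flt["actions_to_remove"])
    return {**alert, "actions": actions}


def would_shun(alert, never_block_fn, filters=()):
    """True if the sensor would hand the attacker address to the ASA.
    Filters run first; the never-block list is consulted only if the
    block action survived them."""
    alert = apply_filters(alert, filters)
    if "request-block-host" not in alert["actions"]:
        return False
    return not never_block_fn(alert["attacker"], NEVER_BLOCK)
```

Run with an alert for an attacker such as 10.1.20.9 (inside the /16) and the exact-match model shuns it while the containment model does not; adding a filter that removes `request-block-host` for 10.1.0.0/16 stops the shun under both models.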

acomiskey Thu, 03/20/2008 - 12:56

Cisco Intrusion Prevention System, Version 6.0(1)E1

I put in the action filter and it seems to be ok for now.

Thanks for the help.
