Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3464
Views
0
Helpful
4
Replies

Blacklisting and Whitelisting of IP

Jhun Banzuela
Level 1
Level 1

‎04-29-2014 09:03 PM - edited ‎03-10-2019 06:11 AM

Hi ,

 

Using ASA-5545 IPS and using IME to manage the IPS.

What is the best way and procedure to block and IP / IP range?

Also, how can we whitelist an IP?

 

Regards,

Jhun

Labels:
0 Helpful
4 Replies 4

Saurav Lodh
Level 7
Level 7

‎04-30-2014 05:22 AM

Please use the built in Shun command to block IP range

0 Helpful

clausonna
Level 3
Level 3

‎04-30-2014 08:15 AM

If you want to blacklist a large list of IP addresses (like the SpamHaus DROP list, or other known-malicious sites, for example) then create a custom IP signature in IME. 

Use the Atomic IP engine and specify the destination IP Address.  Use a variable for the list of IPs and in that variable you'll put your blocklist.

Whitelists are Event Action Overrides.  Just specify the IP and all of the sigs that you want it to be excluded from (including "all")

I have done a ton of work with blacklisting IP's in my 20+ IPS sensors.  I have written quite a few scripts to automate the update of the blacklist variables, but that uses Cisco Security Manager (CSM).  I looked at scripting this with EXPECT scripts but the CLI for the IPS sensors (plus the fact that I had 20 of them and was using CSM) made it too difficult.  If anyone else wants the scripts just let me know.  I think I've posted them before though.

 

 

0 Helpful

Jhun Banzuela
Level 1
Level 1
In response to clausonna

‎05-01-2014 07:12 PM

Thanks for the reply.

I will try your recommendation.

BTW, i tried to block an attacker IP from the Event Monitoring of IME.

1. Stop Attacker -> Using Inline Deny . It led me to time-based actions.

2. Then I enter the information . But after a few minutes. The entry was gone.

 

Was there a time limit for the rule to be taken effect? How to make it permanent?

 

Thanks.

0 Helpful

kaaftab
Level 4
Level 4

‎05-05-2014 07:51 AM

check the following link

http://www.cisco.com/c/en/us/support/docs/security/ips-4200-series-sensors/111001-shun-block-config-ex.html

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card