Dynamically changing ACLs


I've got a question concerning the IPS module.

How is it possible for the IPS to dynamically change any of the existing ACLs on the firewall module, e.g. in case of an attack?

The reason I ask is because there seems to be no possibility for me to script any commands on a Linux PC and then execute them remotely on the FWSM, like I can do on a router via rsh.

So if a user can't execute any command remotely on the FWSM, how can the IPS do it when it has to change an ACL on the FWSM?



Re: Dynamically changing ACLs

An IPS sensor will log into a FWSM and put in and take down host blocks when it shuns a host. If you set the IPS to telnet for its connection to the FWSM, you can capture the session (Ethereal has a wonderful "follow TCP session" for seeing this) and see the exact commands and logic employed. There is no reason you cannot script a telnet or ssh session from your Linux host to change host blocks. However, if you have more than one device doing this, you can get into some problems. The IPS sensor assumes it is the only blocking device and will clear all blocks that it didn't create.

Re: Dynamically changing ACLs

Hi .. the IPS actually connects to the FWSM by telnet or ssh and drops in the shun command on its configuration ..

You should be able to do the same using a scripting tool.

NOTE: the IPS DOES NOT modify the ACLs but adds a shun command

I hope it helps .. please rate it if it does !!
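Scripting the same log-in-and-shun procedure that both replies describe, as an added example that is not from this thread or from Cisco: the device session is a plain callable so the logic runs offline against a constructed in-memory stand-in, and the script only ever removes blocks it created itself, so it can coexist with an IPS sensor or an operator's manual shuns. The `show shun` line format and the ssh wiring in the comments are assumptions to verify against your FWSM.

```python
"""Maintain host blocks on an FWSM the way the IPS sensor does: run 'show shun',
then add or remove 'shun' entries.  The transport is a callable so the logic can be
exercised offline; wire it to an ssh/expect session for real use."""
import re
from typing import Callable, List, Set, Tuple

# One line of 'show shun' output.  Format ASSUMED from the ASA/FWSM style
# "shun (<intf>) <src_ip> <dst_ip> <sport> <dport>"; verify on your device.
SHUN_LINE = re.compile(r"^shun\s+\((?P<intf>[^)]+)\)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

def parse_show_shun(output: str) -> Set[str]:
    """Source IPs currently shunned, parsed from 'show shun' output."""
    return {m.group("ip") for line in output.splitlines()
            if (m := SHUN_LINE.match(line.strip()))}

def plan_shun_changes(current: Set[str], desired: Set[str],
                      owned: Set[str]) -> Tuple[List[str], List[str]]:
    """(to_add, to_drop): only blocks this script created ('owned') are ever
    dropped, so entries placed by the IPS or by hand survive.  The IPS itself
    does not extend that courtesy: it clears blocks it did not create."""
    return sorted(desired - current), sorted((owned & current) - desired)

def sync_shuns(run: Callable[[str], str], desired: Set[str], owned: Set[str]) -> List[str]:
    """Issue the needed commands through 'run' (sends one command, returns its
    output), update 'owned' in place, and return the commands sent."""
    add, drop = plan_shun_changes(parse_show_shun(run("show shun")), desired, owned)
    cmds = [f"shun {ip}" for ip in add] + [f"no shun {ip}" for ip in drop]
    for cmd in cmds:
        run(cmd)
    owned.difference_update(drop)
    owned.update(add)
    return cmds

class FakeFwsm:
    """Constructed stand-in for an FWSM session: keeps the shun table in memory.
    A real transport would drive 'ssh admin@<fwsm>' (hypothetical host), answer
    the login/enable prompts, and return each command's output."""
    def __init__(self, preexisting: Set[str]):
        self.table = set(preexisting)
        self.log: List[str] = []
    def __call__(self, cmd: str) -> str:
        self.log.append(cmd)
        if cmd == "show shun":
            return "\n".join(f"shun (outside) {ip} 0.0.0.0 0 0" for ip in sorted(self.table))
        verb, ip = cmd.rsplit(" ", 1)
        (self.table.discard if verb == "no shun" else self.table.add)(ip)
        return ""

if __name__ == "__main__":
    fw, mine = FakeFwsm({"10.0.0.5"}), set()      # 10.0.0.5 was blocked by the IPS, not us
    print(sync_shuns(fw, {"192.0.2.10", "10.0.0.5"}, mine))   # adds only 192.0.2.10
    print(sync_shuns(fw, set(), mine), fw.table)  # drops 192.0.2.10, keeps the IPS block
```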