Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

IPS box placing Customer Firewall into "Denied Attackers"

Recently we configured an IPS 4240 for our customer. We used two of the Interfaces and configured them as an "Inline Interface Pair" and put them between the customers Edge Network and their DMZ.

While letting the Engine run last week, each time the IPS would run OK for about 3 or 4 hours, then ineviteably the customers Internet connection would stop working. Upon inspection, each time I found that the IPS unit would place the Global PAT address off of the ASA into "denied attackers". All is well each time I clear the list.

Is there any way I can configure this so that it wont block the Global PAT adx of the Firewall?



Re: IPS box placing Customer Firewall into "Denied Attackers"

You didn't mention what version software your running on your 4240 or if you use the CLI, IDM or CSM to configure.

Here's the CLI configration guides for all versions of sensor software

You want to look for "Configuring Addresses Never to Block". For 6.0 the CLI command is:

sensor# configure terminal

sensor(config)# service network-access

sensor(config-net)# general

sensor(config-net-gen)# never-block-networks

sensor(config-net-gen)# exit

sensor(config-net)# exit

Apply Changes:?[yes]:

New Member

Re: IPS box placing Customer Firewall into "Denied Attackers"

Our IPS is a 4240 model. Version 6.0. I have been using IDM but obviously have used CLI to configure the inherent "allow" of the one IP of the Firewall.

Thanks for the answer.

Kevin Melton


KMNR Network Resources, Inc.

CreatePlease to create content