Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Restricting Access from IPS


I have a server with external and internal IP address. I want to restrict the access to this server. I have 5 IP addresses that should have access to this server. Is there a way I can restrict the access from IPS or this can only be done with access-list on firewall.

Thanks for the help.


Re: Restricting Access from IPS

You don't say what kind of host this is, but most newer OS's have host-based firewalls that can be used for this purpose.

If your sensor is inline, you could also create an atomic IP signature to block all access to this destination IP. Then create an event action filter that will remove the block action for those 5 source IP address.

New Member

Re: Restricting Access from IPS

Thanks for the reply. We have IPS 4240 and server is for client FTP.

I can create a signature to produce alert when there is any connectivity for the destination server ip address. From what I understand it will produce a alert for any activity for the server ip address. Now I don't see any option in Event Action which tells me to allow the connection because I will have 5 ip addresses in attacker list option, this way it will just allow the connection and if it doesn?t match attackers IP address it should block it.



Re: Restricting Access from IPS

I'm not exactly sure what you're asking, but here goes a better explaination:

I will assume your running at least version 5.x and that you are actually inline. each signature can have numerous actions. for example, you can "product alert" AND "deny connection inline". If you create just the signature (atomic ip, specify ip addr options->enter dst ip), all connections to that destination IP will be denied right, including the 5 source IP addresses you want to allow?

So the next step is to create an event action filter. for details please read:

an event action filter is used to SUBTRACT an action from an alarm. you want to remove the "deny connection inline" action from the alarm if the source ip is one of those 5. So you create an event action filter for that signature and for those 5 source IP addresses.

New Member

Re: Restricting Access from IPS

I created Custom Signature with Atomic IP but it's not working. Is there any other settings I will be checking. In the custom signature I only have destination IP address of FTP server.

Thanks for your help.

CreatePlease login to create content