Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Help Configuring PIX as Blocking Device


I have IDS sensors configured to use PIXs as blocking devices. Could anyone tell me how I can configure the firewalls to let the IDS sensors modify their access lists.

I'd appreciate if you would point me to any good documentation about the subject.



Cisco Employee

Re: Help Configuring PIX as Blocking Device

The Pix just needs to be configured to allow the sensor's IP address to telnet or ssh to the Pix.

The sensor needs to be configured to know the Pix's IP address, as well as the type of connection (telnet, or ssh) and the appropriate usernames and passwords to access the Pix.

The sensor will connect to the Pix and use a special "shun" command on the Pix. When using the Pix for blocking, the IDS does not create ACLs (like it does on the router) instead it executes the special "shun" command directly in the Pix's CLI. You can log into the Pix and use the "show shun" command to see what addresses that the sensor has blocked through the Pix's shun command.

If you are using tacacs to limit the commands available to the user ID provided for login from the IDS sensor then I recommend doing the following:

Configure the Pix to allow a telnet connection from the sensor to the Pix with a userid that doesn't have any command restrictions.

Configure the sensor to telnet (instead of ssh) to the Pix.

Use tcpdump or another sniffer program to monitor the traffic between the sensor and the Pix.

Have the sensor block a few ip addresses.

If you analyze the captured traffic you will what commmands the sensor is executing in the Pix CLI. These are the commands that tacacs would need to allow for the userid being used for the sensor.

Then I would suggest switching from telnet to ssh for encrypted communications and locking down the list of available commands through tacacs if you so desire.

NOTE: I don't believe there is a documented list of which commands the sensor uses on the Pix CLI so the tcpdump method is the best nethod to find out what they are.


Re: Help Configuring PIX as Blocking Device


Thanks for the quick response.

Now, I get the following error when I try to add a blocking device to my IDS sensor:

Error: errNotFound Net device references a shun device config record that does not exist. Attempted configuration update was rejected. [0,3]

Any idea why this error is generated?

The sensor knows the firewall's IP, the username, the enable password, and the remote access password. SSH is enabled on the firewall. I tried adding the firewall as a trusted host, but I get the error:

Error: socket connect failed [4,111]

Any help would be appreciated. Thanks!


CreatePlease login to create content