IDS device blocking device configuration

byron.alexander
Level 1

I don't understand why, when I use the IDS blocking device feature, it puts a permit statement in the created access-list that allows my inside address (in) from the outside. Does this defeat the anti-spoofing setup in an old access-list inbound on the Cisco router serial0 interface? Is the serial0 interface, the outermost interface, the one I need to use for shunning, or should I use the fastethernet 0? If I use the fa 0 that would make more sense than that outermost serial 0.

2 Replies

marcabal
Cisco Employee

The standard ACL created by the sensor will contain:

permit line for the sensor address (or the sensor's nat'd address)

deny lines for each block

permit ip any any

If pre and/or post block acls are being used then the ACL will contain:

permit line for the sensor address (or the sensor's nat'd address)

contents of the pre block acl if configured

deny lines for each block

contents of the post block acl (or a permit ip any any if no post shun was configured)

That initial permit line for the sensor address is necessary when the sensor is connecting to the same interface of the router that the sensor is controlling. Without it the sensor could wind up blocking itself, and no longer be able to change acls on the router.

In most cases, however, the sensor is telnetting to the router on the router's internal interface, but is applying acls to the router's external interface (serial0 in your environment). In these situations you can keep the sensor from putting in that first permit line for the sensor's address. In the configuration tool there should be a configuration entry to allow the sensor to block its own ip address. The actual token in managed.conf is called AllowSensorShun. If you enable or check this configuration then the sensor will not put in the initial permit line.

If you also don't want the default "permit ip any any" that gets placed at the bottom of the acl, you simply need to designate a post block acl for the sensor to use instead.

So in answer to your question: You can keep using serial0 as the blocking interface. You just need to configure the sensor to allow the sensor to block its own ip address, and configure a post block acl for what you want at the bottom of the acl.

Thanks
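A constructed illustration of the two ACL layouts described in the reply above, added here as an example; it is not output from the sensor, not from the original thread, and not taken from Cisco documentation. All values are made up for the illustration: 192.0.2.10 stands in for the sensor's inside address, 192.0.2.0/24 for the inside network, 198.51.100.77 for a host the sensor has currently blocked, and the ACL names IDS_DEFAULT, IDS_POSTBLOCK and IDS_GENERATED are placeholders, since the thread does not give the names the sensor actually assigns. The IOS commands themselves (ip access-list extended, remark, permit/deny, ip access-group) are standard.

```cisco
! Constructed example, not the sensor's real output. Names and addresses are placeholders.
!
! Layout 1: what the sensor writes with AllowSensorShun off and no pre/post block ACL.
! The first permit is the line the question is about: it lets the sensor's own
! inside address in on the outside interface, which is exactly what an
! anti-spoofing ACL bound inbound on Serial0 is meant to deny.
ip access-list extended IDS_DEFAULT
 remark permit line for the sensor address (or its NAT'd address)
 permit ip host 192.0.2.10 any
 remark one deny line per active block
 deny   ip host 198.51.100.77 any
 remark default tail: everything else is allowed
 permit ip any any
!
! Layout 2: the operator keeps an anti-spoofing ACL as the post block ACL.
! This is what you configure; the sensor copies its contents into the ACL it builds.
ip access-list extended IDS_POSTBLOCK
 remark anti-spoofing: inside range and loopback must never arrive from outside
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
! With AllowSensorShun enabled and IDS_POSTBLOCK designated as the post block ACL,
! the sensor-built ACL takes this shape: no permit for the sensor, the block
! denies, then the post block contents instead of a bare "permit ip any any".
ip access-list extended IDS_GENERATED
 remark no sensor permit line: AllowSensorShun is enabled
 remark deny lines for each block
 deny   ip host 198.51.100.77 any
 remark contents of the post block ACL (IDS_POSTBLOCK) follow
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
! The sensor binds its generated ACL inbound on the blocking interface.
interface Serial0
 ip access-group IDS_GENERATED in
```

The sensor can only reach the router from the inside (FastEthernet0) side in this layout, so none of its own traffic crosses the Serial0 inbound ACL and dropping the sensor permit line costs nothing; what you gain is that the anti-spoofing denies stay below the block entries rather than being replaced by the default permit tail.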