Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

IDS device blocking device configuration

I don't understand why when I use the ids blocking device feature that it puts a permit statement in the created access-list that allows my inside address (in) from the outside. Does this defeat the anti spoofing setup in a old access-list inbound on the cisco router serial0 interface? Is the serial0 interface, the outermost interface the one I need to use for shunning or should I used the fastethernet 0 because if I use the fa 0 that would make more sense than that outermost serial 0.

2 REPLIES
Cisco Employee

Re: IDS device blocking device configuration

The standard ACL created by the sensor will contain:

permit line for the sensor address (or the sensor's nat'd address)

deny lines for each block

permit ip any any

If pre and/or post block acls are being used then the ACL will contain:

permit line for the sensor address (or the sensor's nat'd address)

contents of the pre block acl if configured

deny lines for each block

contents of the post block acl (or a permit ip any any if no post shun was configured)

That initial permit line for the sensor address is necessary when the sensor is connecting to the same interface of the router that the sensor is controlling. Without it the sensor could wind up blocking itself, and no longer be able to change acls on the router.

In most cases, however, the sensor is telneting to the router on the router's internal interface, but is applying acls to the routers external interface (serial0 in your environment). In these situations you can keep the sensor from putting in that first permit line for the sensor's address. In the configuration tool there should be a configuration entry to allow the sensor to block it's own ip address. The actual token in managed.conf is called AllowSensorShun. If you enable or check this configuration then the sensor will not put in the initial permit line.

If you also don't want the default "permit ip any any" that gets placed at the bottom of the acl, you simply need to designate a post block acl for the sensor to use instead.

SO in answer to your question: You can keep using serial0 as the blocking interface. You just need to configure the sensor to allow the sensor to block it's own ip address, and configure a post block acl for what you want at the bottom of the acl.

New Member

Re: IDS device blocking device configuration

Thanks

97
Views
0
Helpful
2
Replies