Cisco Support Community

New Member

IDS Reports Incorrectly About Blocking Device (PIX)


I just added a PIX515E to my IDS 4210 (4.0)S37 as a blocking device. However, the IDS reports that the PIX does not support ACLs, which is not correct. The PIX has an access list defined for its outside interface.

When I test the IDS configuration, it does not block the attacker's IP as expected.

I would appreciate any help. Thanks!


Cisco Employee

Re: IDS Reports Incorrectly About Blocking Device (PIX)

The IDS sensors do not use ACLs to do blocking on the PIX (unlike routers, where the IDS creates ACLs).

Instead the PIX has a special command put in specifically for blocking with an IDS sensor.

That command is the "shun" command, and it is available directly in the PIX CLI.

The "shun" command is not specific to an interface of the PIX; instead the PIX automatically applies it to all interfaces.

So you just need to enter the PIX login information and do not need to enter any information about any of the interfaces.

You can execute "show shun" on the PIX to see what addresses the IDS is currently shunning on the PIX.

NOTE: You need to run a version of the PIX that has this "shun" command in it.
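Added example, not part of the original thread or of any Cisco tool: a small Python helper for checking that a sensor's block actually landed on the PIX. It builds the "shun" and "no shun" CLI lines, parses "show shun" output into records, and lists any attacker address the sensor was expected to shun but the firewall does not report. The "show shun" sample is constructed, not captured from a real device, and its line layout ("shun (interface) src dst sport dport proto") is assumed from the PIX/ASA documentation; the function names are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample "show shun" output (not captured from a real PIX).
# Assumption: each line reads "shun (<interface>) <src> <dst> <sport> <dport> <proto>";
# a shun placed for a bare source address shows zeros for the remaining fields.
# One line per interface is expected, since the PIX applies a shun to every interface.
SAMPLE_SHOW_SHUN = """\
shun (outside) 10.1.1.27 10.2.2.89 555 666 6
shun (inside) 10.1.1.27 10.2.2.89 555 666 6
shun (outside) 192.168.5.1 0.0.0.0 0 0 0
"""

SHUN_LINE = re.compile(
    r"^shun\s+\((?P<iface>[^)]+)\)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"\s+(?P<sport>\d+)\s+(?P<dport>\d+)(?:\s+(?P<proto>\d+))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ShunEntry:
    interface: str
    src: str
    dst: str
    sport: int
    dport: int
    proto: int


def parse_show_shun(text: str) -> List[ShunEntry]:
    """Turn "show shun" output into records; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = SHUN_LINE.match(line.strip())
        if not m:
            continue
        entries.append(ShunEntry(
            interface=m["iface"],
            src=m["src"],
            dst=m["dst"],
            sport=int(m["sport"]),
            dport=int(m["dport"]),
            proto=int(m["proto"] or 0),
        ))
    return entries


def shun_command(src: str, dst: Optional[str] = None,
                 sport: int = 0, dport: int = 0, proto: int = 0) -> str:
    """Build the PIX CLI line: shun src_ip [dst_ip sport dport [protocol]].

    Only the source address is required; blocking an attacker host uses that form.
    Addresses are validated so a malformed value never reaches the firewall CLI.
    """
    ipaddress.IPv4Address(src)  # raises ValueError on garbage
    if dst is None:
        return f"shun {src}"
    ipaddress.IPv4Address(dst)
    cmd = f"shun {src} {dst} {sport} {dport}"
    return f"{cmd} {proto}" if proto else cmd


def unshun_command(src: str) -> str:
    """Build the CLI line that removes a shun for a source address."""
    ipaddress.IPv4Address(src)
    return f"no shun {src}"


def shunned_interfaces(text: str) -> Dict[str, List[str]]:
    """Map each shunned source address to the interfaces the PIX reports it on."""
    by_src: Dict[str, List[str]] = {}
    for e in parse_show_shun(text):
        ifaces = by_src.setdefault(e.src, [])
        if e.interface not in ifaces:
            ifaces.append(e.interface)
    return by_src


def missing_shuns(text: str, expected_attackers: Iterable[str]) -> List[str]:
    """Attacker addresses the sensor should have blocked that "show shun" does not list."""
    present = shunned_interfaces(text)
    return [ip for ip in expected_attackers if ip not in present]


if __name__ == "__main__":
    for src, ifaces in shunned_interfaces(SAMPLE_SHOW_SHUN).items():
        print(src, "->", ", ".join(ifaces))
    # Compare against the attacker list the sensor claims to have blocked.
    print("missing:", missing_shuns(SAMPLE_SHOW_SHUN, ["10.1.1.27", "172.16.0.9"]))
```

In practice you would feed `parse_show_shun` the text captured from the PIX console after the sensor fires, and compare it with the sensor's own list of active blocks; an attacker in `missing_shuns` means the sensor never got its shun onto the firewall, which is the symptom in the original question.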