Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Proper Way to Configure "Never Block Addresses"?

IDS 4210 4.0(2)S47

PIX 515 v6.2(2)

What's the proper way to "never block" an entire network in IDM?

The network is behind the firewall with a private IP range (10.10.10.1-254, for example)that is NAT'd on the outside interface of the PIX.

When one of these IPs gets shunned, I can do a "no shun" using the private IP address and the shun is removed. So...I'm assuming I can input the private IP to be "never blocked".

But...I've done that and the IP's still get shunned at times.

Do I need to use the Global Pool of public addresses these get NAT'd to?

Can I input the following into IDM to "never block" the entire network?:

10.10.10.0

255.255.255.0

Tony

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Proper Way to Configure "Never Block Addresses"?

The addresses you use in the never block command on the sensor must match the location of where the sensor is deployed.

If the sensor is monitoring on your private network and is generating alarms with the private ips then use the private ips when configuring never block.

If the sensor is monitoring on the external network and is generating alarms with the global ips then use the global ips when configuring never block.

So look at your alarms and see what address is being reported in the alarm (private or global). That is the address/network that you would want to configure as never block.

The sensor does not know what private ip addresses are being mapped to what global ip addresses. So a never block on a private address has no affect on whether or not the sensor will block a global address.

The Pix does know the mapping, that is why the no shun command on the Pix will remove it. The Pix knows the mapping while the sensor does not.

Beware that if the sensor is stopped and restart the sensor will re-execute the shun command for all the addresses it thinks shoudl be shunned (even those that you executed the "no shun" command for on the Pix). So it is not a good idea to manually execute the "no shun" command on the Pix when the IDS sensor is actively managing the shun list.

Instead go into IDM on the sensor and delete (remove) the shun:

Step 11 in these instructions: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap5.htm#987105

The sensor will then do the "no shun" automatically for you.

To configure the never block networks:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#32488

(Remember to use the network that matches the ip showing up in the alarm (private or global))

Or use these CLI commands:

configure terminal

service networkaccess

general

never-shun-networks ip-address 1.0.0.0 netmask 255.0.0.0

Replace 1.0.0.0 and 255.0.0.0 with either the private or global network depending on what is being reported in the alarm.

2 REPLIES
Cisco Employee

Re: Proper Way to Configure "Never Block Addresses"?

The addresses you use in the never block command on the sensor must match the location of where the sensor is deployed.

If the sensor is monitoring on your private network and is generating alarms with the private ips then use the private ips when configuring never block.

If the sensor is monitoring on the external network and is generating alarms with the global ips then use the global ips when configuring never block.

So look at your alarms and see what address is being reported in the alarm (private or global). That is the address/network that you would want to configure as never block.

The sensor does not know what private ip addresses are being mapped to what global ip addresses. So a never block on a private address has no affect on whether or not the sensor will block a global address.

The Pix does know the mapping, that is why the no shun command on the Pix will remove it. The Pix knows the mapping while the sensor does not.

Beware that if the sensor is stopped and restart the sensor will re-execute the shun command for all the addresses it thinks shoudl be shunned (even those that you executed the "no shun" command for on the Pix). So it is not a good idea to manually execute the "no shun" command on the Pix when the IDS sensor is actively managing the shun list.

Instead go into IDM on the sensor and delete (remove) the shun:

Step 11 in these instructions: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap5.htm#987105

The sensor will then do the "no shun" automatically for you.

To configure the never block networks:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#32488

(Remember to use the network that matches the ip showing up in the alarm (private or global))

Or use these CLI commands:

configure terminal

service networkaccess

general

never-shun-networks ip-address 1.0.0.0 netmask 255.0.0.0

Replace 1.0.0.0 and 255.0.0.0 with either the private or global network depending on what is being reported in the alarm.

New Member

Re: Proper Way to Configure "Never Block Addresses"?

Thanks, that helped.

Tony

392
Views
0
Helpful
2
Replies