Proper Way to Configure "Never Block Addresses"?

tscislaw_2
Level 1

IDS 4210 4.0(2)S47

PIX 515 v6.2(2)

What's the proper way to "never block" an entire network in IDM?

The network is behind the firewall with a private IP range (10.10.10.1-254, for example) that is NAT'd on the outside interface of the PIX.

When one of these IPs gets shunned, I can do a "no shun" using the private IP address and the shun is removed. So...I'm assuming I can input the private IP to be "never blocked".

But...I've done that and the IPs still get shunned at times.

Do I need to use the Global Pool of public addresses these get NAT'd to?

Can I input the following into IDM to "never block" the entire network?:

10.10.10.0

255.255.255.0

Tony

Accepted Solution

marcabal
Cisco Employee

The addresses you use in the never block command on the sensor must match the location of where the sensor is deployed.

If the sensor is monitoring on your private network and is generating alarms with the private IPs then use the private IPs when configuring never block.

If the sensor is monitoring on the external network and is generating alarms with the global IPs then use the global IPs when configuring never block.

So look at your alarms and see what address is being reported in the alarm (private or global). That is the address/network that you would want to configure as never block.

The sensor does not know what private IP addresses are being mapped to what global IP addresses. So a never block on a private address has no effect on whether or not the sensor will block a global address.

The Pix does know the mapping, that is why the no shun command on the Pix will remove it. The Pix knows the mapping while the sensor does not.

Beware that if the sensor is stopped and restarted, the sensor will re-execute the shun command for all the addresses it thinks should be shunned (even those that you executed the "no shun" command for on the Pix). So it is not a good idea to manually execute the "no shun" command on the Pix when the IDS sensor is actively managing the shun list.

Instead go into IDM on the sensor and delete (remove) the shun:

Step 11 in these instructions: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap5.htm#987105

The sensor will then do the "no shun" automatically for you.

To configure the never block networks:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#32488

(Remember to use the network that matches the IP showing up in the alarm (private or global))

Or use these CLI commands:

configure terminal

service networkaccess

general

never-shun-networks ip-address 1.0.0.0 netmask 255.0.0.0

Replace 1.0.0.0 and 255.0.0.0 with either the private or global network depending on what is being reported in the alarm.

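As an added illustration of the answer above (this is not code from the thread, from Cisco's documentation, or from the sensor itself), the following Python model shows why a never-block entry for 10.10.10.0/24 does nothing when the sensor sits outside the PIX and its alarms carry the global address, why the same entry works when the sensor sits inside, and why a "no shun" typed on the PIX is undone on sensor restart while removing the block in IDM is not. The global pool 203.0.113.0/28, the private-to-global mapping formula, and all class and function names are constructed assumptions; the real pool and mapping are not on the page.

```python
"""Toy model of the never-block behaviour discussed above.

Added example, not code from the thread, from Cisco, or from the sensor.
Assumptions (constructed, not on the page): the PIX global pool is
203.0.113.0/28 and hosts map into it with a fixed formula; all function and
class names are hypothetical.
"""
import ipaddress

# The poster's private LAN (from the question) and an assumed global NAT pool.
PRIVATE_LAN = ipaddress.ip_network("10.10.10.0/24")
GLOBAL_POOL = ipaddress.ip_network("203.0.113.0/28")   # assumption


def pix_nat(private_ip):
    """Constructed stand-in for the PIX private->global mapping.

    Only the PIX holds this mapping; the sensor never sees it, which is why a
    never-block entry on the wrong side of the PIX cannot match.
    """
    ip = ipaddress.ip_address(str(private_ip))
    if ip not in PRIVATE_LAN:
        return ip                      # not translated
    offset = int(ip) - int(PRIVATE_LAN.network_address)
    return ipaddress.ip_address(int(GLOBAL_POOL.network_address) + (offset % 14) + 1)


def never_shun_cli(networks):
    """Render the sensor CLI from the accepted answer, one line per network."""
    lines = ["configure terminal", "service networkaccess", "general"]
    for net in networks:
        net = ipaddress.ip_network(str(net))
        lines.append(f"never-shun-networks ip-address {net.network_address} "
                     f"netmask {net.netmask}")
    return lines


class Sensor:
    """Minimal model of the sensor's blocking logic and its shun list."""

    def __init__(self, never_shun_networks):
        self.never_shun = [ipaddress.ip_network(str(n)) for n in never_shun_networks]
        self.shun_list = set()         # what the sensor believes must stay shunned

    def is_never_shun(self, ip):
        ip = ipaddress.ip_address(str(ip))
        return any(ip in net for net in self.never_shun)

    def on_alarm(self, reported_ip):
        """Return True if the sensor would push a shun for the alarm's address."""
        ip = ipaddress.ip_address(str(reported_ip))
        if self.is_never_shun(ip):
            return False
        self.shun_list.add(ip)
        return True

    def remove_block(self, ip):
        """The IDM 'delete block' path: the sensor forgets the address and
        issues the 'no shun' on the PIX itself."""
        self.shun_list.discard(ipaddress.ip_address(str(ip)))

    def restart(self):
        """On restart the sensor re-issues shun for everything still in its
        list; a 'no shun' typed directly on the PIX is not reflected here."""
        return [str(ip) for ip in sorted(self.shun_list)]


def shun_decision(placement, never_shun_networks, offending_private_ip):
    """Which address the alarm reports depends on where the sensor sits, and
    that decides which never-shun entry can match it.

    Returns (address_in_alarm, shun_issued).
    """
    sensor = Sensor(never_shun_networks)
    reported = ipaddress.ip_address(str(offending_private_ip))
    if placement == "outside":         # sensor sees post-NAT traffic
        reported = pix_nat(reported)
    return str(reported), sensor.on_alarm(reported)


if __name__ == "__main__":
    for placement, nets in [("inside", ["10.10.10.0/24"]),
                            ("outside", ["10.10.10.0/24"]),
                            ("outside", [str(GLOBAL_POOL)])]:
        print(placement, nets, shun_decision(placement, nets, "10.10.10.5"))
    print("\n".join(never_shun_cli([PRIVATE_LAN])))
```

Running it shows the poster's symptom directly: with the sensor outside and only 10.10.10.0/24 on the never-block list, the alarm reports 203.0.113.6 and a shun is still issued; putting the global pool on the list (or moving the sensor inside) stops it. The `restart()` method is the part to remember when clearing blocks: removing an address from the sensor's own list survives a restart, a "no shun" on the PIX alone does not.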

2 Replies


Thanks, that helped.

Tony