https://community.cisco.com/t5/network-security/ips-host-block-based-on-custom-criteria/m-p/2470620#M45806 <HTML><HEAD></HEAD><BODY><P>Hello Paul,</P><P></P><P>Yes, you can do it..</P><P>1. Create an access-list with&nbsp; the source subnet/host along with ports you want to take care of.</P><P>2. Call that access-list in class-map</P><P>3. Call this class-map in policy-map and give the command ips promiscuous fail-open/fail-close.</P><P>4. Apply policy-map on particular interface.</P><P></P><P>ciscoasa(config)#access−list traffic_for_ips permit tcp host x.x.x.x any eq 22</P><P>ciscoasa(config)#class−map ips_class_map</P><P>ciscoasa(config−cmap)#match access−list traffic_for_ips</P><P></P><P>ciscoasa(config)#policy−map interface-policy</P><P>ciscoasa(config−pmap)#class ips_class_map</P><P>ciscoasa(config−pmap−c)#ips promiscuous fail−open</P><P></P><P><EM>!−−− Two decisions need to be made.</EM></P><P><EM>!−−− First, does the AIP−SSM function</EM></P><P><EM>!−−− in inline or promiscuous mode?</EM></P><P><EM>!−−− Second, does the ASA fail−open or fail−closed?</EM></P><P></P><P>ciscoasa(config)#service−policy interface_policy interface inside</P></BODY></HTML> Sun, 09 Feb 2014 05:11:19 GMT Poonam Garg 2014-02-09T05:11:19Z https://community.cisco.com/t5/network-security/ips-host-block-based-on-custom-criteria/m-p/2470619#M45803 <P>Back when I was using Microsoft ISA I was able to setup rules that would (permanently) block a host exhibiting certain behaviour. I am trying to achieve the same using a Cisco ASA IPS.</P><P></P><P>We have certain special ports open on IP addresses but the common attack ports (22, 3389...) are blocked. I would liek to setup a rule where a host is immediatelly shunned when they try to hit such a port so that the host cannot even proceed to the open ports. To me anyone trying to access these ports is up to no good and should be blocked.</P><P></P><P>Is there any way to do this on Cisco ASA?</P> Sun, 10 Mar 2019 13:08:25 GMT https://community.cisco.com/t5/network-security/ips-host-block-based-on-custom-criteria/m-p/2470619#M45803 pdeleanu 2019-03-10T13:08:25Z https://community.cisco.com/t5/network-security/ips-host-block-based-on-custom-criteria/m-p/2470620#M45806 <HTML><HEAD></HEAD><BODY><P>Hello Paul,</P><P></P><P>Yes, you can do it..</P><P>1. Create an access-list with&nbsp; the source subnet/host along with ports you want to take care of.</P><P>2. Call that access-list in class-map</P><P>3. Call this class-map in policy-map and give the command ips promiscuous fail-open/fail-close.</P><P>4. Apply policy-map on particular interface.</P><P></P><P>ciscoasa(config)#access−list traffic_for_ips permit tcp host x.x.x.x any eq 22</P><P>ciscoasa(config)#class−map ips_class_map</P><P>ciscoasa(config−cmap)#match access−list traffic_for_ips</P><P></P><P>ciscoasa(config)#policy−map interface-policy</P><P>ciscoasa(config−pmap)#class ips_class_map</P><P>ciscoasa(config−pmap−c)#ips promiscuous fail−open</P><P></P><P><EM>!−−− Two decisions need to be made.</EM></P><P><EM>!−−− First, does the AIP−SSM function</EM></P><P><EM>!−−− in inline or promiscuous mode?</EM></P><P><EM>!−−− Second, does the ASA fail−open or fail−closed?</EM></P><P></P><P>ciscoasa(config)#service−policy interface_policy interface inside</P></BODY></HTML> Sun, 09 Feb 2014 05:11:19 GMT https://community.cisco.com/t5/network-security/ips-host-block-based-on-custom-criteria/m-p/2470620#M45806 Poonam Garg 2014-02-09T05:11:19Z https://community.cisco.com/t5/network-security/ips-host-block-based-on-custom-criteria/m-p/2470621#M45809 <HTML><HEAD></HEAD><BODY><P>you can take an idea for this also:</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/clissm.html#wp1033926">http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/clissm.html#wp1033926</A></P></BODY></HTML> Thu, 13 Feb 2014 05:54:18 GMT https://community.cisco.com/t5/network-security/ips-host-block-based-on-custom-criteria/m-p/2470621#M45809 Naveen Kumar 2014-02-13T05:54:18Z https://community.cisco.com/t5/network-security/ips-host-block-based-on-custom-criteria/m-p/2470622#M45811 <HTML><HEAD></HEAD><BODY><P>Sending Traffic to the IPS Module</P><P></P><P>If your model supports the IPS module for intrusion prevention, then you can send traffic to the module for inspection. The IPS module monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library. When the system detects unauthorized activity, it can terminate the specific connection, permanently block the attacking host, log the incident, and send an alert to the device manager. Other legitimate connections continue to operate independently without interruption. For more information, see the documentation for your IPS module. </P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/mode_contexts.html">http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/mode_contexts.html</A></P></BODY></HTML> Fri, 21 Feb 2014 13:37:58 GMT https://community.cisco.com/t5/network-security/ips-host-block-based-on-custom-criteria/m-p/2470622#M45811 blenka 2014-02-21T13:37:58Z