topic Re: Blocking on external router in Network Security

Blocking on external router

alkabeer80 — Sun, 10 Mar 2019 20:42:51 GMT

Hi,

i want to configure blocking on external router for some specfic signature, i already have access list on the outside interface to block some traffic and fragment packets with the name ACL_Router_External applied on interface outisde (G0/0)

when i configure blocking on IPS it create another ACL and applied to interface same interface in order to block.

how can i push ACL configuration from IPS to exisiting ACL (ACL_Router_External) ???

thanks

Blocking on external router

Todd Pula — Mon, 10 Dec 2012 05:04:22 GMT

The blocking feature on the IPS will always push its own ACL to the router interface in question. When it builds this new ACL, the IPS will reference any pre and post-block ACLs that you have statically configured on the router. The IPS will then sandwich the deny statements in between for the block traffic in question before deploying the combined ACL to the configured router interface. You can read more about the feature at the following link:

http://www.cisco.com/en/US/customer/docs/security/ips/7.0/configuration/guide/ime/ime_blocking.html#wp2188519

Blocking on external router

alkabeer80 — Mon, 10 Dec 2012 05:16:19 GMT

Hi Todd,

my case is:

ISP ------> (G0/0) External Router ---------> Switch1---------->IPS

----------> Switch2 --------->IPS

Interface G0/0 already has ACL which deny unwanted traffic.

I have configured IPS to block some attacks based signature fireing.

Is there any solution i can do ????

thanksss

Re: Blocking on external router

Todd Pula — Mon, 10 Dec 2012 05:36:29 GMT

From the link that I posted, here are the steps that the IPS takes when building the ACL:

When the sensor starts up, it reads the contents of the two ACLs. It creates a third ACL with the following entries:

•A permit line for the sensor IP address

•Copies of all configuration lines of the Pre-Block ACL

•A deny line for each address being blocked by the sensor

•Copies of all configuration lines of the Post-Block ACL

The sensor applies the new ACL to the interface and direction that you designate.

In your case, you could use the ACL_Router_External as your Post-Block ACL. The IPS will add a permit for itself and a deny entry for the address being blocked. It will then append the existing ACL_Router_External entries that you already have configured before pushing the new combined ACL to the g0/0 interface.