We have Cisco ASA (5500 series) with an IPS module.
I am trying to figure out how to unblock a computer that has been blocked by our IPS. I think the command is "no shun <ip address>" but that has no effect. I run that command in the ASDM GUI and it looks like it runs with no errors but the client computer is still blocked. How do I unblock an "attacker/victim pair" blockage? Maybe my assumption is wrong about how this actually is implemented. I assumed that the IPS was running a "shun" command in the firewall but now I am guessing that is wrong.
We are using the IPS Manager Express version 7.2.1
Any help on how to unblock an IP pair would be much appreciated.
We will first have to identify which device is blocking the traffic, and why. That's in case they are blocking it.
The ASA will automatically shun if it is configured to do that, using the threat detection feature.
The IPS will add it to a list of denied hosts, browse to Monitoring > Denied Hosts [or something like that].
If the ASA is messing this up, you can exempt this host from being shunned.
If you find out that the module is the culprit, you can create a traffic filter and remove all the denying actions that the IPS might apply to that host.
Thanks for your help with this issue. I should have been a little more specific. I am not trying to figure out how to prevent blockage in the future, I want to immediately unblock an IP that was blocked by a rule (we are testing a custom rule so we are intentionally triggering the rule).
Thanks again for any help you can provide.
OK, in order to unblock a host that has been previously denied by a rule you can go to the monitoring section and check the "denied hosts" section. [Not sure if that's the real name]
The host that you mentioned will be in there and you can remove it from the list.
In case you don't want to block it anymore, you can configure event action filters.
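The two answers above come down to one check: find out whether the block lives in the ASA's shun table (which "no shun" would clear), in the ASA's Threat Detection shun list, or in the IPS module's denied-attackers list (where the deny-attacker and deny-attacker-victim-pair actions of a signature end up). The CLI walk-through below is an added example, not posted by anyone in this thread, and every address, slot number, virtual sensor and signature number in it is a constructed placeholder: it assumes the IPS module is an AIP-SSM reached with "session 1", the blocked host is 192.0.2.50, the virtual sensor is vs0, and the command syntax is the ASA 8.x / IPS 7.x CLI (verify against your own release's command reference).

```text
! Added example (not from the thread). Placeholders: blocked host 192.0.2.50,
! IPS module in slot 1, virtual sensor vs0.

! --- 1. ASA: is it a manual or IPS-requested shun? This is what "no shun" removes.
ciscoasa# show shun
! If the host is not listed here, "no shun 192.0.2.50" has nothing to act on,
! which matches the symptom of the command "succeeding" with no effect.
ciscoasa# no shun 192.0.2.50

! --- 2. ASA: is it a Threat Detection (scanning-threat) shun?
ciscoasa# show threat-detection shun
ciscoasa# clear threat-detection shun 192.0.2.50
! While a custom rule is under test, keep the test host out of scanning-threat shuns:
ciscoasa# configure terminal
ciscoasa(config)# threat-detection scanning-threat shun except ip-address 192.0.2.50 255.255.255.255
ciscoasa(config)# end

! --- 3. IPS module: deny-attacker-inline / deny-attacker-victim-pair-inline actions
! are held in the sensor's denied-attackers list, not in the ASA shun table.
ciscoasa# session 1
sensor# show statistics denied-attackers
! The entry shows the attacker address, the victim (for pair denies) and the
! remaining deny time under vs0.
sensor# clear denied-attackers vs0 ip-address 192.0.2.50
! Omit "ip-address ..." to flush the whole list for that virtual sensor.
sensor# show statistics denied-attackers
sensor# exit
```

In IME the same list is the Monitoring view of denied attackers, and clearing an entry there is equivalent to step 3. Clearing only lifts the current block; the next trigger of the rule will re-add the host for the signature's configured deny time, so while the custom signature is being tuned it is worth pairing step 3 with an event action filter that strips the deny actions for the test host, as the second answer suggests.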