04-29-2014 09:03 PM - edited 03-10-2019 06:11 AM
Hi,
Using ASA-5545 IPS and using IME to manage the IPS.
What is the best way and procedure to block an IP / IP range?
Also, how can we whitelist an IP?
Regards,
Jhun
04-30-2014 05:22 AM
Please use the built-in Shun command to block an IP range.
04-30-2014 08:15 AM
If you want to blacklist a large list of IP addresses (like the SpamHaus DROP list, or other known-malicious sites, for example) then create a custom IP signature in IME.
Use the Atomic IP engine and specify the destination IP Address. Use a variable for the list of IPs and in that variable you'll put your blocklist.
Whitelists are Event Action Overrides. Just specify the IP and all of the sigs that you want it to be excluded from (including "all").
I have done a ton of work with blacklisting IPs in my 20+ IPS sensors. I have written quite a few scripts to automate the update of the blacklist variables, but that uses Cisco Security Manager (CSM). I looked at scripting this with EXPECT scripts but the CLI for the IPS sensors (plus the fact that I had 20 of them and was using CSM) made it too difficult. If anyone else wants the scripts just let me know. I think I've posted them before though.
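Added example, not part of the original thread and not the poster's CSM scripts: a sketch of preparing the address list for the blocklist variable described in the reply above, starting from a DROP-style text file and carving out whitelisted addresses first. The function names are hypothetical, and the comma-separated `start-end` output is an assumed format for the variable value; check what your sensor version accepts.

```python
import ipaddress
# Constructed sample in the Spamhaus DROP layout ("CIDR ; SBL id"); documentation ranges only.
SAMPLE_DROP = """\
; constructed sample, not real DROP data
192.0.2.0/25 ; SBL000001
192.0.2.128/25 ; SBL000002
198.51.100.0/24 ; SBL000003
203.0.113.7 ; SBL000004
not-an-ip ; SBL000005
"""

def parse_blocklist(text):
    """Return (networks, rejected_lines); bad lines are reported, not dropped silently."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].strip()  # strip comments and SBL ids
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(raw)
    return nets, rejected

def subtract(nets, exclusions):  # carve whitelisted networks out of the blocklist
    for ex in map(ipaddress.ip_network, exclusions):
        out = []
        for n in nets:
            if n.version != ex.version or not n.overlaps(ex):
                out.append(n)
            elif not n.subnet_of(ex):  # ex lies inside n: keep the remainder
                out.extend(n.address_exclude(ex))
        nets = out
    return nets

def to_ranges(nets):
    """Merge overlapping or adjacent IPv4 networks into 'start-end' strings."""
    merged = []
    for lo, hi in sorted((int(n[0]), int(n[-1])) for n in nets if n.version == 4):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1][1] = max(merged[-1][1], hi)
        else:
            merged.append([lo, hi])
    return [f"{ipaddress.IPv4Address(a)}-{ipaddress.IPv4Address(b)}" for a, b in merged]

def build_variable_value(text, whitelist=()):
    """Assumed output format: comma-separated start-end ranges."""
    nets, rejected = parse_blocklist(text)
    return ",".join(to_ranges(subtract(nets, whitelist))), rejected
```

Review the rejected lines before each update; a feed that suddenly fails to parse should stop the push rather than empty the blocklist.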
05-01-2014 07:12 PM
Thanks for the reply.
I will try your recommendation.
BTW, I tried to block an attacker IP from the Event Monitoring of IME.
1. Stop Attacker -> Using Inline Deny. It led me to time-based actions.
2. Then I entered the information. But after a few minutes, the entry was gone.
Was there a time limit for the rule to take effect? How to make it permanent?
Thanks.
05-05-2014 07:51 AM
Check the following link:
http://www.cisco.com/c/en/us/support/docs/security/ips-4200-series-sensors/111001-shun-block-config-ex.html