cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
574
Views
0
Helpful
7
Replies

Blocking on a PIX from a 4.X IDS 4235

t.harness
Level 1
Level 1

I am just getting to the point that I want to start blocking some traffic coming in on the PIX. Can someone point me in the right direction on how to set that up the right way. I have a 4235 IDS, and a PIX 520. I am running 6.3.1 and access-lists.

1 Accepted Solution

Accepted Solutions

bfl1
Level 1
Level 1

What are you using for IDS management? If you are using the IDS Device Manager, follow these steps. Note: You're going to shun, not use ACL's. Also, you'll want to be careful with shunning tcp traffic so you don't impose a DoS on yourself.

Configuration

Blocking

Blocking properties (Enable blocking and define other properties)

Logical Devices

Define your PIX

Enable Password

Telnet or SSH password

Blocking Devices

Define your Blocking devices

IP Address of the PIX

NAT Address of the PIX

Apply Logical device (The device you created in the logical devices)

Device Type (PIX, Router, etc)

Communication (Telnet, SSH)

Now, you'll need to edit individual signatures and configure their EventAction properties to shunHost, shunConnection, or reset.

Configuration/Sensing Engine/Signature Configuration Mode

View solution in original post

7 Replies 7

bfl1
Level 1
Level 1

What are you using for IDS management? If you are using the IDS Device Manager, follow these steps. Note: You're going to shun, not use ACL's. Also, you'll want to be careful with shunning tcp traffic so you don't impose a DoS on yourself.

Configuration

Blocking

Blocking properties (Enable blocking and define other properties)

Logical Devices

Define your PIX

Enable Password

Telnet or SSH password

Blocking Devices

Define your Blocking devices

IP Address of the PIX

NAT Address of the PIX

Apply Logical device (The device you created in the logical devices)

Device Type (PIX, Router, etc)

Communication (Telnet, SSH)

Now, you'll need to edit individual signatures and configure their EventAction properties to shunHost, shunConnection, or reset.

Configuration/Sensing Engine/Signature Configuration Mode

Great that helps a lot!! Thanks. I also set it to log, do you know where I would go to see if it is logging?

Assuming that you are using IDM you can go to the Monitoring tab and then select 'IP Logs'. If you have any logs they will be listed. When you click on the hyperlink you can download it to your preferred location and then use Ethereal or your favorite packet tool to examine the log.

Don

Where would you see the shunning or access-list actually being dynamically written to the PIX? Would it be in the form of an ACL or Shun? Thanks

Log into your pix and execute:

sh shun

you can also execute:

who

To see if you IDS is logged into your PIX.

Thank you. Great information.

I am using VMS and Security Monitor. Is there a way to see it in this? Thanks for all your help!!

Review Cisco Networking for a $25 gift card