01-27-2004 05:59 AM - edited 02-20-2020 11:12 PM
I am just getting to the point that I want to start blocking some traffic coming in on the PIX. Can someone point me in the right direction on how to set that up the right way? I have a 4235 IDS and a PIX 520. I am running 6.3.1 and access-lists.
01-27-2004 08:30 AM
What are you using for IDS management? If you are using the IDS Device Manager, follow these steps. Note: you're going to shun, not use ACLs. Also, you'll want to be careful with shunning TCP traffic so you don't impose a DoS on yourself.
Configuration
Blocking
Blocking properties (Enable blocking and define other properties)
Logical Devices
Define your PIX
Enable Password
Telnet or SSH password
Blocking Devices
Define your Blocking devices
IP Address of the PIX
NAT Address of the PIX
Apply Logical device (The device you created in the logical devices)
Device Type (PIX, Router, etc)
Communication (Telnet, SSH)
Now, you'll need to edit individual signatures and configure their EventAction properties to shunHost, shunConnection, or reset.
Configuration/Sensing Engine/Signature Configuration Mode
01-27-2004 10:01 AM
Great, that helps a lot!! Thanks. I also set it to log; do you know where I would go to see if it is logging?
01-27-2004 10:40 AM
Assuming that you are using IDM you can go to the Monitoring tab and then select 'IP Logs'. If you have any logs they will be listed. When you click on the hyperlink you can download it to your preferred location and then use Ethereal or your favorite packet tool to examine the log.
Don
01-27-2004 12:48 PM
Where would you see the shunning or access-list actually being dynamically written to the PIX? Would it be in the form of an ACL or Shun? Thanks
01-27-2004 02:18 PM
Log into your pix and execute:
sh shun
you can also execute:
who
To see if your IDS is logged into your PIX.
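The two checks above (is anything actually being shunned, and is the sensor holding a session on the PIX) are easy to script once you have the console output in hand. The following is an added example, not code from this thread or from Cisco: it parses pasted `sh shun` and `who` output, reports the shun entries, confirms the sensor's address is among the logged-in sessions, and flags any shun that lands on a network you cannot afford to lose, which is the self-inflicted DoS the first answer warns about. The sample output, the sensor address 10.0.0.5, the hostname pix520 and the protected network 10.0.0.0/8 are all constructed; the line layout is assumed to follow the PIX 6.x `show shun` and `who` format, so adjust the two regexes if your firewall prints something different.

```python
"""Check whether an IDS sensor is really writing shuns to a PIX.

Added example, not from the original thread. Paste the output of
`sh shun` and `who` from the PIX console (or feed it from an
expect/telnet session) into the two functions below. The layout the
regexes expect is an assumption modelled on PIX 6.x output.
"""
import ipaddress
import re

# Assumed layout: "shun (<iface>) <src> <dst> <sport> <dport> [<proto>]"
# The interface field is optional because older releases may omit it.
SHUN_RE = re.compile(
    r"^\s*shun\s+(?:\((?P<iface>\S+)\)\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r"\s+(?P<sport>\d+)\s+(?P<dport>\d+)(?:\s+(?P<proto>\d+))?\s*$",
    re.IGNORECASE,
)

# Assumed layout of `who`: one "<n>: <ip>" line per telnet/SSH session.
WHO_RE = re.compile(r"^\s*\d+:\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s*$")

# Constructed sample output (not captured from a real firewall).
SAMPLE_SHOW_SHUN = """\
pix520# sh shun
shun (outside) 203.0.113.45 0.0.0.0 0 0 0
shun (outside) 198.51.100.7 10.0.0.25 3312 80 6
shun (inside) 10.0.0.99 0.0.0.0 0 0 0
"""

SAMPLE_WHO = """\
pix520# who
 0: 10.0.0.5
 1: 10.0.0.42
"""


def parse_show_shun(text):
    """Return one dict per shun entry found in `show shun` output."""
    entries = []
    for line in text.splitlines():
        m = SHUN_RE.match(line)
        if not m:
            continue  # prompt, banner or anything else that is not a shun line
        entries.append({
            "iface": m.group("iface"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "sport": int(m.group("sport")),
            "dport": int(m.group("dport")),
            "proto": int(m.group("proto")) if m.group("proto") else None,
        })
    return entries


def sensor_logged_in(who_text, sensor_ip):
    """True if the sensor's address appears among the PIX's active sessions."""
    sessions = {m.group("ip")
                for m in map(WHO_RE.match, who_text.splitlines()) if m}
    return sensor_ip in sessions


def risky_shuns(entries, protected_nets):
    """Shun entries whose blocked source sits inside a network you rely on.

    A shunHost action fired by a spoofed or misclassified packet from an
    internal address blocks that host; this is the self-DoS to watch for.
    """
    nets = [ipaddress.ip_network(n) for n in protected_nets]
    return [e for e in entries
            if any(ipaddress.ip_address(e["src"]) in n for n in nets)]


def report(show_shun_text, who_text, sensor_ip, protected_nets):
    """Summarise the three things the thread asks about in one dict."""
    entries = parse_show_shun(show_shun_text)
    return {
        "shun_count": len(entries),
        "sensor_logged_in": sensor_logged_in(who_text, sensor_ip),
        "risky": [e["src"] for e in risky_shuns(entries, protected_nets)],
    }


if __name__ == "__main__":
    # Assumed sensor address and protected range; change to match your network.
    print(report(SAMPLE_SHOW_SHUN, SAMPLE_WHO, "10.0.0.5", ["10.0.0.0/8"]))
```

Run it against real output by replacing the two sample strings; an empty `shun_count` with `sensor_logged_in` false usually means the Blocking Device entry (address, NAT address, credentials or Telnet/SSH choice) is wrong rather than the signature actions.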
01-27-2004 02:46 PM
Thank you. Great information.
01-28-2004 07:33 AM
I am using VMS and Security Monitor. Is there a way to see it in this? Thanks for all your help!!