Blocking on external router

alkabeer80
Level 1

Hi,

I want to configure blocking on the external router for some specific signatures. I already have an access list on the outside interface that blocks some traffic and fragmented packets, named ACL_Router_External and applied to the outside interface (G0/0).

When I configure blocking on the IPS, it creates another ACL and applies it to the same interface in order to block.

How can I push the ACL configuration from the IPS into the existing ACL (ACL_Router_External)?

Thanks


3 Replies

Todd Pula
Level 7

The blocking feature on the IPS will always push its own ACL to the router interface in question.  When it builds this new ACL, the IPS will reference any pre- and post-block ACLs that you have statically configured on the router.  The IPS will then sandwich the deny statements for the blocked traffic in question in between, before deploying the combined ACL to the configured router interface.  You can read more about the feature at the following link:

http://www.cisco.com/en/US/customer/docs/security/ips/7.0/configuration/guide/ime/ime_blocking.html#wp2188519

Hi Todd,

my case is:

ISP ------> (G0/0) External Router ---------> Switch1 ----------> IPS
                                    ---------> Switch2 ----------> IPS

Interface G0/0 already has an ACL which denies unwanted traffic.

I have configured the IPS to block some attacks based on signature firing.

Is there any solution I can use?

Thanks

From the link that I posted, here are the steps that the IPS takes when building the ACL:

When the sensor starts up, it reads the contents of the two ACLs. It creates a third ACL with the following entries:

A permit line for the sensor IP address

Copies of all configuration lines of the Pre-Block ACL

A deny line for each address being blocked by the sensor

Copies of all configuration lines of the Post-Block ACL

The sensor applies the new ACL to the interface and direction that you designate.

In your case, you could use the ACL_Router_External as your Post-Block ACL.  The IPS will add a permit for itself and a deny entry for the address being blocked.  It will then append the existing ACL_Router_External entries that you already have configured before pushing the new combined ACL to the g0/0 interface.
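The ordering described in the answer above, as an added example that is not part of the original thread and not Cisco's code: a small Python model that assembles the combined ACL in the same four steps (permit for the sensor, Pre-Block lines, one deny per blocked host, Post-Block lines) and evaluates a packet against it first-match, the way IOS does. The sensor address 192.0.2.10, the attacker and server addresses, and the contents of the stand-in ACL_Router_External are all assumptions made up for the example; the entry syntax is a simplified IOS-like form, not a full ACL parser. It shows why the existing ACL belongs in the Post-Block slot: placed as the Pre-Block ACL, its trailing permit is evaluated before the sensor's deny and the block never takes effect.

```python
"""Model of how the Cisco IPS builds the ACL it pushes to a router interface
(permit sensor, Pre-Block lines, one deny per blocked host, Post-Block lines)
plus a first-match evaluator to show why the order matters.

Constructed example with made-up addresses. Entries use a simplified
IOS-like syntax: '<permit|deny> <ip|tcp|udp> <src> <dst>' where src/dst is
'any', 'host A.B.C.D' or 'A.B.C.D/len'.
"""
import ipaddress

SENSOR_IP = "192.0.2.10"  # assumed sensor management address

# Assumed stand-in for the poster's ACL_Router_External: a few denies
# followed by the explicit permit a typical edge ACL ends with.
ACL_ROUTER_EXTERNAL = [
    "deny ip 10.0.0.0/8 any",
    "deny ip 172.16.0.0/12 any",
    "deny ip 192.168.0.0/16 any",
    "permit ip any any",
]


def build_blocking_acl(pre_block, blocked_hosts, post_block, sensor_ip=SENSOR_IP):
    """Return the combined ACL in the order the sensor writes it."""
    acl = [f"permit ip host {sensor_ip} any"]              # 1. never lock out the sensor
    acl += list(pre_block)                                  # 2. Pre-Block ACL copied in
    acl += [f"deny ip host {h} any" for h in blocked_hosts]  # 3. one deny per active block
    acl += list(post_block)                                 # 4. Post-Block ACL copied in
    return acl


def _take_addr(tokens, i):
    """Consume one address spec ('any', 'host X' or CIDR) starting at tokens[i]."""
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return tokens[i], i + 1


def _addr_matches(spec, addr):
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    if spec.startswith("host "):
        return ip == ipaddress.ip_address(spec.split()[1])
    return ip in ipaddress.ip_network(spec, strict=False)


def evaluate(acl, src, dst, proto="ip"):
    """First-match evaluation of one packet against an ACL.

    Returns (action, entry). As on IOS, a packet that matches nothing hits
    the implicit deny at the end of the list.
    """
    for entry in acl:
        tokens = entry.split()
        action, entry_proto = tokens[0], tokens[1]
        src_spec, i = _take_addr(tokens, 2)
        dst_spec, _ = _take_addr(tokens, i)
        if entry_proto != "ip" and entry_proto != proto:
            continue
        if _addr_matches(src_spec, src) and _addr_matches(dst_spec, dst):
            return action, entry
    return "deny", "implicit deny"


if __name__ == "__main__":
    attacker, server = "198.51.100.7", "203.0.113.20"

    # What the accepted answer recommends: existing ACL as the Post-Block ACL.
    as_post = build_blocking_acl([], [attacker], ACL_ROUTER_EXTERNAL)
    print("\n".join(as_post))
    print("post-block:", evaluate(as_post, attacker, server))  # sensor's deny wins

    # The alternative: existing ACL as the Pre-Block ACL. Its trailing
    # 'permit ip any any' is reached before the sensor's deny, so the
    # block is dead configuration.
    as_pre = build_blocking_acl(ACL_ROUTER_EXTERNAL, [attacker], [])
    print("pre-block: ", evaluate(as_pre, attacker, server))  # permitted, block ineffective
```

Run it once with the ACL in each slot and compare the two results; the same check is worth doing against the real router by reading back the generated ACL with `show access-lists` after the first block fires, to confirm the sensor's deny lines sit above your existing permits rather than below them.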
