08-24-2010 01:09 AM - edited 03-10-2019 05:06 AM
Hi,
I don't have any experience with the Cisco IPS product.
I cannot open a web site because of the IPS. When I shut down the IPS module the web site can be accessed.
Can you guys tell me how to allow access to a particular web site?
08-24-2010 09:25 AM
You can edit or disable individual signatures, as well as create filters, but unless you know for sure that it is a false positive you could be opening a security hole.
08-24-2010 09:43 AM
Hi,
With the IPS active, try accessing the particular website and then view the events on the IPS using IDM. You will see some signature firing that is blocking access to that website.
You can then try disabling that particular signature or tune it to allow access to this website.
Let me know if this helps.
Regards,
Prapanch
08-26-2010 12:14 AM
I checked the events and I cannot find anything.
I see only this: ICMP Network Sweep w/Echo id=2100. I cannot find my IP address in this log.
The site is www.warez-bb.org. It probably has a bad reputation.
Is there a way to access this site with IPS?
08-27-2010 05:19 AM
Hi,
If the IPS is dropping the connections, you should see events corresponding to it. Let's try the following. Create an access-list of the following format assuming the IP of "warez-bb.org" is 1.1.1.1 (found out using "nslookup").
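! Match only traffic destined to the site's address (1.1.1.1 stands in for the resolved IP)
access-list ips permit ip any host 1.1.1.1
class-map IPS
 match access-list ips
! Send the matched traffic to the IPS module inline; fail-open passes traffic if the module is down
policy-map global_policy
 class IPS
  ips inline fail-open
! Apply the policy globally
service-policy global_policy global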
By doing the above, we are just passing traffic destined to the site "www.warez-bb.org" through the IPS. After you have done the above, please try accessing the site again and now whatever events you see on the IPS should be related to this one. Hope this helps.
Regards,
Prapanch
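Added example, not part of any post in this thread: the access-list above matches a single address, so a site whose name resolves to several addresses would only be partly covered by it. This Python sketch reads nslookup output and builds the same ASA commands with one access-list entry per answer address; the sample output, host name and addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: nslookup output for a placeholder name with two A records.
SAMPLE_NSLOOKUP = """\
Server:  resolver.example.net
Address:  192.0.2.53

Non-authoritative answer:
Name:    site.example.org
Addresses:  198.51.100.10
          198.51.100.11
"""

def answer_addresses(nslookup_text):
    """Return the IPv4 addresses in the answer section, in order, without duplicates."""
    # Everything before the first "Name:" line describes the resolver, not the site.
    _, sep, answer = nslookup_text.partition("Name:")
    if not sep:
        return []
    found = []
    for token in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", answer):
        try:
            addr = ipaddress.IPv4Address(token)
        except ValueError:
            continue  # looks like an address but is not valid, e.g. 999.1.1.1
        if addr not in found:
            found.append(addr)
    return found

def diagnostic_config(addresses, acl="ips", cmap="IPS", pmap="global_policy"):
    """Build the commands from the post, with one ACL entry per resolved address."""
    if not addresses:
        raise ValueError("no answer addresses found; not emitting an empty access-list")
    lines = [f"access-list {acl} permit ip any host {a}" for a in addresses]
    lines += [
        f"class-map {cmap}",
        f" match access-list {acl}",
        f"policy-map {pmap}",
        f" class {cmap}",
        "  ips inline fail-open",
        f"service-policy {pmap} global",
    ]
    return "\n".join(lines)

if __name__ == "__main__":
    print(diagnostic_config(answer_addresses(SAMPLE_NSLOOKUP)))
```
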