IDS Shunning using PIX

pankajp_cmc
Level 1

Hi,

I have installed IDS 4235 and PIX 535 (Active-Active) mode.

I have configured blocking on the IDS and have enabled shunHost for the FTP authorisation attack.

It works fine, except that even when the shun timer expires (which I have set from IDM to 5 min), my connection is not resuming.

I confirmed this by pinging as well as by issuing the show shun statistics command on the PIX.

The time keeps on increasing, but the shun command does not get removed from my PIX unless I clear it manually.

Does this mean that the IDS does not clear the shun command on the PIX dynamically, even after the idle time of the session expires?

Kindly suggest on the same.

Regards,

Pankaj P.

4 Replies

pcomeaux
Cisco Employee

Hi Pankaj -

The shun performed on the PIX should be cleared by the IDS once the timer expires.

Could you share more information with us, such as the version of code and the signature level on the 4235 and the PIX OS version of the 535?

Also, please tell us if the address being shunned is a NAT'd address.

thanks

peter

Hi Peter,

The Version of Code is 4.1 and the signature version is s117.

As for the PIX, the OS version is 6.2(3).

The IP address of the client is 172.16.1.1 and the FTP server kept in DMZ is 192.168.1.1.

The client goes into the DMZ with the same IP,

i.e. static(inside,DMZ) 192.168.1.2 172.16.1.1

The shunned address is 172.16.1.1 (source) with 192.168.1.1 (destination), with some source port and destination port 21.

Any more information, kindly let me know.

Thanks,

Pankaj P.

Hey Pankaj -

Can you share with us some outputs of "show shun stat" from the PIX? Send this output during and after the shun's active state. I'd like to see if the hit count in the statistics output increases after the shun expires on the IDS.

There are other things you can do if you have the time. You could sniff the link going to the PIX, or from the sensor, which would show whether the IDS is trying to log back into the PIX to remove the block.

I've searched all open/closed TAC cases for assistance and have not found anything to help us there.

I have a question, though, about your static above.

Could you verify the static for me? It doesn't seem to fit your description of your NAT setup.

thanks

peter
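Peter's check above (compare the PIX shun output during the block window and again after the IDS timer should have expired, and see whether the entry is still there and its hit count still climbing) can be scripted so that stale shuns stand out. The following is an added example written for this thread, not code from the thread, from Cisco, or from the IDS product. The `shun (iface) src dst sport dport hits` line layout it parses is an assumed PIX 6.x `show shun` format, and both snapshot texts are constructed.

```python
"""Stale-shun checker for PIX 'show shun' snapshots (added example).

Two snapshots are compared: one taken while the IDS block is active and one
taken after the IDM block timer should have expired. Any entry that is present
in both, was installed at or before the first snapshot, and has outlived the
configured block duration is reported, together with how much its hit count
grew in the meantime (a growing count means the PIX is still shunning traffic).
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed line layout: shun (iface) src dst sport dport hit_count
SHUN_LINE = re.compile(
    r"^shun\s+\((?P<iface>\w+)\)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<hits>\d+)\s*$"
)

ShunKey = Tuple[str, str, str, int, int]  # iface, src, dst, sport, dport


@dataclass(frozen=True)
class StaleShun:
    src: str
    dst: str
    dport: int
    age_minutes: float   # minutes the entry has been observed, lower bound
    hits_before: int
    hits_after: int

    @property
    def still_hitting(self) -> bool:
        """True when the shun kept matching traffic between the snapshots."""
        return self.hits_after > self.hits_before


def parse_show_shun(text: str) -> Dict[ShunKey, int]:
    """Map each shun entry to its hit count; lines that do not match are ignored."""
    entries: Dict[ShunKey, int] = {}
    for raw in text.splitlines():
        m = SHUN_LINE.match(raw.strip())
        if m:
            key = (m["iface"], m["src"], m["dst"], int(m["sport"]), int(m["dport"]))
            entries[key] = int(m["hits"])
    return entries


def stale_shuns(before: str, taken_before: datetime,
                after: str, taken_after: datetime,
                block_minutes: int) -> List[StaleShun]:
    """Entries present in both snapshots whose observed age exceeds block_minutes.

    Entries that appear only in 'after' were installed later and are not judged;
    entries that vanished between snapshots were cleared as expected.
    """
    if taken_after <= taken_before:
        raise ValueError("'after' snapshot must be newer than 'before'")
    age = taken_after - taken_before
    if age <= timedelta(minutes=block_minutes):
        return []  # not enough time has passed to call anything stale
    early, late = parse_show_shun(before), parse_show_shun(after)
    report = []
    for key, hits_before in early.items():
        if key in late:
            iface, src, dst, sport, dport = key
            report.append(StaleShun(src, dst, dport, age.total_seconds() / 60,
                                    hits_before, late[key]))
    return report


# Constructed snapshots modelled on the thread's addresses (IDM block time: 5 min).
SNAPSHOT_DURING = """\
shun (inside) 172.16.1.1 192.168.1.1 3001 21 3
shun (inside) 172.16.1.50 192.168.1.1 3002 21 1
"""
SNAPSHOT_AFTER = """\
shun (inside) 172.16.1.1 192.168.1.1 3001 21 15
shun (inside) 172.16.1.77 192.168.1.1 3010 21 2
"""
T_DURING = datetime(2004, 1, 1, 10, 0, 0)
T_AFTER = datetime(2004, 1, 1, 10, 7, 0)


def demo() -> List[StaleShun]:
    return stale_shuns(SNAPSHOT_DURING, T_DURING, SNAPSHOT_AFTER, T_AFTER, block_minutes=5)


if __name__ == "__main__":
    for s in demo():
        verdict = "still matching traffic" if s.still_hitting else "idle"
        print(f"{s.src} -> {s.dst}:{s.dport} present for >= {s.age_minutes:.0f} min, "
              f"hits {s.hits_before} -> {s.hits_after} ({verdict})")
```

In the constructed data the 172.16.1.50 entry disappears between snapshots (cleared on time), the 172.16.1.77 entry is new and not judged, and only the 172.16.1.1 entry is reported: it has outlived the 5 minute block and its hit count rose from 3 to 15, which is exactly the symptom the thread describes.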

Hi Peter,

The shun statistics do increase even after the timer on IDS has expired.

As for the NAT, I don't find anything wrong in it, as the shun is being done on the original IP rather than the NATed IP.

Any more information, kindly mail me back.

Thanks,

Pankaj P.
