
We are running a Cisco ASA 5510 with the IPS module.

We have an internal server that is performing a lot of SNMP discovery scans and is being blocked and shut down by the IPS.

Since I'm in control of this server, and this is an expected behaviour I would like to add an exception to the IPS to prevent this server from being blocked.

I have found the following in the Cisco IPS manager Express tool:

Configuration > sensor_name > Sensor Management > Blocking > Blocking Properties, and click Add to add a host or network to the list of addresses never to be blocked.

However, even after I add the server's IP address here it's still being blocked.

Is there another area that I should be adding this server to?

Richard West

2 Answers


What are the syslogs from the 5510 telling you? The only time that the ASA will actually block any IPs is if the IPS module issues a shun on the ASA for that particular IP address. Are you getting shuns? Do the IPs match up between the "Never Block Addresses" and the IP of the server?

Otherwise you're in the right location in the IME.

GregD
  • The syslogs are never showing any shuns, and I have double checked that the IP address of the system (and in the syslog) is the IP address that has been entered in the IME. – Richard West Jun 09 '09 at 16:37
  • Then it's not your IPS module that is blocking the server. I would investigate other things. Do you have anything on the Blocking > Blocking Devices? You'll have to list your ASA ip address here, if that's what you're using to block. From what you've described, your IPS isn't involved. – GregD Jun 09 '09 at 19:19
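Added example (not from the thread, and not Cisco's code): the check GregD describes, done over an exported ASA syslog rather than by eye. It counts shun activity per source IP and flags any host that is on the IPS "never block" list but still shows up in a "Shun added" message. The sample lines are constructed; the message IDs 401002 (shun added), 401003 (shun deleted) and 401004 (shunned packet) are real ASA IDs, but the exact field layout after the message ID is my assumption and should be compared with the ASA syslog reference for your release before you trust the regexes on production logs.

```python
"""Flag IPS/ASA shuns against hosts that are supposed to be on the never-block list."""
import re
from collections import defaultdict

# Constructed sample syslog export. 10.10.5.25 stands in for the scanning
# server from the question; 192.0.2.50 is an unrelated shunned host; the
# 302013 line is ordinary connection noise that must be ignored.
SAMPLE_SYSLOG = """\
Jun 09 2009 16:02:11 fw01 %ASA-4-401002: Shun added: IP 10.10.5.25 0 0.0.0.0 0
Jun 09 2009 16:02:12 fw01 %ASA-4-401004: Shunned packet: 10.10.5.25 ==> 10.10.20.7 on interface inside
Jun 09 2009 16:02:12 fw01 %ASA-4-401004: Shunned packet: 10.10.5.25 ==> 10.10.20.8 on interface inside
Jun 09 2009 16:03:30 fw01 %ASA-4-401002: Shun added: IP 192.0.2.50 0 0.0.0.0 0
Jun 09 2009 16:05:40 fw01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/4412 (203.0.113.9/4412) to inside:10.10.5.25/80 (10.10.5.25/80)
Jun 09 2009 16:10:01 fw01 %ASA-4-401003: Shun deleted: IP 10.10.5.25 0 0.0.0.0 0
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Assumed layout: "<msg id>: Shun added: IP <src_ip> ..." etc. Only the
# leading source address is captured, so trailing fields do not matter.
PATTERNS = {
    "added":   re.compile(r"%ASA-\d-401002: Shun added: IP " + IPV4),
    "deleted": re.compile(r"%ASA-\d-401003: Shun deleted: IP " + IPV4),
    "packets": re.compile(r"%ASA-\d-401004: Shunned packet: " + IPV4 + r" ==> "),
}


def shun_events(lines):
    """Yield (kind, source_ip) for each shun-related line; other lines are skipped."""
    for line in lines:
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                yield kind, match.group(1)
                break


def shun_report(syslog_text, never_block):
    """Return (per-IP shun counts, sorted list of never-block hosts that were shunned anyway).

    never_block is the set of addresses entered under Blocking > Blocking
    Properties in the IME; a shun against any of them means the IPS override
    fired regardless of that list (or the list entry does not match).
    """
    counts = defaultdict(lambda: {"added": 0, "deleted": 0, "packets": 0})
    for kind, ip in shun_events(syslog_text.splitlines()):
        counts[ip][kind] += 1
    violations = sorted(ip for ip, c in counts.items()
                        if ip in never_block and c["added"] > 0)
    return dict(counts), violations


if __name__ == "__main__":
    counts, violations = shun_report(SAMPLE_SYSLOG, {"10.10.5.25"})
    for ip, c in sorted(counts.items()):
        print(f"{ip}: shun added {c['added']}x, deleted {c['deleted']}x, "
              f"packets dropped {c['packets']}")
    if violations:
        print("Never-block hosts that were shunned anyway:", ", ".join(violations))
    else:
        print("No shuns against never-block hosts; the block is coming from somewhere other than the IPS/ASA.")
```

If the report shows no shun for the server at all, that is GregD's point: the IPS is not what is blocking it, so look elsewhere. If it does show a shun, the never-block entry is not being honoured (or does not match the address in the log), which is the situation described in the second answer.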

You may want to add a filter rule for your scanning server.

http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/idm/idm_event_action_rules.html#wp2034816

Adam
  • After speaking with Cisco I think this is also required. It appears that when a threat is detected with a high risk rating it fires the rule without regard to the "never block addresses" list. That kind of defeats the purpose of the "never block addresses" list IMO. – Richard West Jun 09 '09 at 20:54