Configuring Ip Audit For Basic Ips Support - Cisco PIX 500 Series Configuration Manual


TCP out 64.101.68.161:4300 in 10.86.194.60:23 idle 0:00:00 bytes 1297 flags UIO
Step 2  To shun connections from the source IP address, enter the following command:
hostname(config)# shun src_ip [dst_ip src_port dest_port [protocol]] [vlan vlan_id]
If you enter only the source IP address, then all future connections are shunned; existing connections
remain active.
To drop an existing connection as well as block future connections from the source IP address, enter
the destination IP address, the source and destination ports, and the protocol. By default, the protocol is 0
for IP.
For multiple context mode, you can enter this command in the admin context, and by specifying a
VLAN ID that is assigned to an interface in other contexts, you can shun the connection in other
contexts.
Step 3  To remove the shun, enter the following command:
hostname(config)# no shun src_ip [vlan vlan_id]
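As an added illustration that is not part of the manual, the following Python helper turns a show conn line like the one above into the five-tuple shun command of Step 2 (the form that also drops the existing connection) and the matching no shun of Step 3. The names Conn, parse_conn, shun_command and unshun_command are this example's own; it assumes the offending host is the one on the out side of the conn entry, and uses the IANA protocol numbers (6 for TCP, 17 for UDP) for the protocol argument.

```python
import re
from dataclasses import dataclass
# IANA protocol numbers for the shun command's protocol argument
# (0 = IP, the default when omitted; 6 = TCP; 17 = UDP).
PROTO_NUMBERS = {"TCP": 6, "UDP": 17}

# Layout of one "show conn" line as printed in the manual, for example:
# TCP out 64.101.68.161:4300 in 10.86.194.60:23 idle 0:00:00 bytes 1297 flags UIO
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)"
    r"\s+idle\s+\S+\s+bytes\s+\d+\s+flags\s+(?P<flags>\S+)$"
)

@dataclass(frozen=True)
class Conn:
    proto: str          # "TCP" or "UDP"
    out_ip: str         # host on the outside interface
    out_port: int
    in_ip: str          # host on the inside interface
    in_port: int
    flags: str          # "UIO" = up, inbound data, outbound data

def parse_conn(line: str) -> Conn:
    """Parse one show conn line; anything else raises ValueError."""
    m = CONN_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised show conn line: {line!r}")
    return Conn(m["proto"], m["out_ip"], int(m["out_port"]),
                m["in_ip"], int(m["in_port"]), m["flags"])

def shun_command(conn: Conn, attacker_side: str = "out", vlan: int = 0) -> str:
    """Five-tuple form of shun: drops the existing connection and blocks future
    ones from the offending host. attacker_side says which end of the conn
    entry that host is (assumed "out"); vlan 0 means no VLAN keyword."""
    if attacker_side == "out":
        src, sport, dst, dport = conn.out_ip, conn.out_port, conn.in_ip, conn.in_port
    elif attacker_side == "in":
        src, sport, dst, dport = conn.in_ip, conn.in_port, conn.out_ip, conn.out_port
    else:
        raise ValueError("attacker_side must be 'out' or 'in'")
    cmd = f"shun {src} {dst} {sport} {dport} {PROTO_NUMBERS[conn.proto]}"
    return f"{cmd} vlan {vlan}" if vlan else cmd

def unshun_command(shun_cmd: str) -> str:
    """Matching 'no shun': only the source address (plus VLAN, if any) is needed."""
    parts = shun_cmd.split()
    vlan = f" vlan {parts[parts.index('vlan') + 1]}" if "vlan" in parts else ""
    return f"no shun {parts[1]}{vlan}"
```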
Configuring IP Audit for Basic IPS Support
The IP audit feature provides basic IPS support for a security appliance that does not have an AIP SSM.
It supports a basic list of signatures, and you can configure the security appliance to perform one or more
actions on traffic that matches a signature.
To enable IP audit, perform the following steps:
Step 1  To define an IP audit policy for informational signatures, enter the following command:
hostname(config)# ip audit name name info [action [alarm] [drop] [reset]]
Where alarm generates a system message showing that a packet matched a signature, drop drops the
packet, and reset drops the packet and closes the connection. If you do not define an action, then the
default action is to generate an alarm.
Step 2  To define an IP audit policy for attack signatures, enter the following command:
hostname(config)# ip audit name name attack [action [alarm] [drop] [reset]]
Where alarm generates a system message showing that a packet matched a signature, drop drops the
packet, and reset drops the packet and closes the connection. If you do not define an action, then the
default action is to generate an alarm.
Step 3  To assign the policy to an interface, enter the following command:
hostname(config)# ip audit interface interface_name policy_name
Step 4  To disable signatures, or for more information about signatures, see the ip audit signature command in
the Cisco Security Appliance Command Reference.
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, Chapter 23 Preventing Network Attacks, page 23-18
This manual is also suitable for: ASA 5500 Series