Cisco Firewall :: ASA 5510 / Blocking / Shunning Hosts With Service Policy Rules?
Dec 20, 2012
I have an ASA 5510 deployed and we are getting a tonne of port scanning traffic (who isn't these days) and ping traffic.The threat scanning thresholds seem a bit too high and was wondering if there is a way to use a Service Policy Rule to perform a Shun/Block of the hosts rather than the firewall simply blocking the request via the ACL and sending a reply.
In other words, if I do nothing, I know the ACL is protecting the resources but it is still replying to the client connection. I want the end result to be the same as a "Shun" where the connection is dropped and no reply is sent. how to employ Service Policy Rules to thwart Port Scanning and/or IP Spoofing?
View 2 Replies
ADVERTISEMENT
Jan 7, 2013
We have a problem with some websites being blocked every now and then. Everyone inside can access this external website for weeks, and then suddenly it's not available for a few hours, and then it comes back. All without me making any changes to the firewall, ASA5510. The external website that has nothing to do with us can be accessed from anywhere outside our network, example on my iphone through Verizon.
We have not set up any rules about blocking websites, all I found was the Default Service Policy. After backing up and then deleting the rule we are able to access all sites.
View 2 Replies
View Related
Feb 21, 2013
I have an issue about ACS v5.3 Appliance.I have an ACS v 5.3 wo authenticate wireless users, together with a cisco wlc. One profile is to corporate users and the second profile is to guest.
The corporate users should authenticate with Active Directory and the guest with WLC. Guest users should authenticate with the ACS Local Database. I have configurate two service selection policy that match with protocol Radius. The first rule is to users of Active Directory and the second is to users in
the Local Database of ACS.When i try to authenticate users with active directory is OK, but when try to authenticate users with Local Database (Guest Portal) the ACS try to find the
the internal user in the Active Directory, because math the first rule, and the second profile can not authenticate.When I change the order, first the Rule of internal users and second the rule of users of Active Directory, the internal users can authenticate in to ACS, but
the users in the Active Directory can not authenticate.I think my ACS only authenticate the first rule of radius to Active Directory, no two rules of radius in the same time. Or maybe exists an issue in OS of the ACS.The authentication by separately is OK.
View 5 Replies
View Related
Feb 7, 2012
In my Cisco ASA 5510 in release 8.2, I have an extrage behavior in the output of "show service-police" command. The issue is that I create a class-map to limit trafic in one of ASA interfaces and I applied in a service policy. This is the configuration:
access-list ACL-Limitada extended permit ip host srv-proxy any
access-list ACL-Limitada extended permit ip any host srv-proxy
access-list ACL-Limitada extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp-data
access-list ACL-Limitada extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp
access-list ACL-Limitada extended permit tcp any 192.168.10.0 255.255.255.0 eq ftp-data
access-list ACL-Limitada extended permit tcp any 192.168.10.0 255.255.255.0 eq ftp
[code]...
View 1 Replies
View Related
Jan 7, 2012
Previous attempts to set up these NAT rules has been met with minimal success. We have been able to get the NAT rules created, and able to ping our inside servers and receivers from a different outside network, but every time we get that far our internal network crashes. Running the Packet Trace utility via the ASDM shows that internal traffic from the servers to the workstations is being blocked by the default implicit rule under the access rule heading that states "any to any, service being ip, action= deny". Reverse traffic from the workstations to the servers is being allowed though. In an effort to start over again, the Cisco ASA has been Factory Defaulted via the CLI, and has had it's Inside network, and Outside IP address set back up. DHCP pool has been setup for a minimal amount of addresses on the inside network, since most of our equipment will always be assigned statics. We reset our static NAT policies, and seem to be having the same problem. My partner and I have been working on this for some time now, and have ourselves so frustrated that I know we are missing something simple. [code]
View 10 Replies
View Related
May 16, 2011
When I create a service object or group and add the object to a new rule it never works.I mean the traffic match not the rule. I see not hits.I placed the rule on top of my access list to check if I do somethink wrong but it is not working. When I place only a service for example tcp/23 it is working.
my ip service object
object-group service g-as400 description access client 2 as400 machine service-object tcp-udp destination eq 397 service-object tcp destination eq 137 service-object tcp destination eq 2001 service-object tcp destination eq 3000 service-object tcp destination eq 445 service-object tcp destination range 446 447 service-object tcp destination eq 449 service-object tcp destination eq 5010 service-object tcp destination eq 5544 service-object tcp destination eq 5555 service-object tcp destination range 8470 8476 service-object tcp destination eq 8480 service-object tcp destination eq
[code]...
View 8 Replies
View Related
Oct 31, 2012
I've been attempting to fix this issue or confirm the issue is not with the firewall and I have kind of run into a road block. This is my problem as I understand it. A client of mine has a VPN tunnel built over a point to point connection of some kind (this client is fairly new to me) and is unable to access some hosts on the remote end of the VPN tunnel from the LAN side of the firewall. The LAN IPs are NAT'd as they leave the network from the HPH-Point-to-Point interface to the remote end. Just as a point of reference, the LAN IP of 129.200.11.19 is said to be working, however the range of 129.200.20.25 - .50 is not. I've tried packet-tracer but with the NAT happening over a VPN tunnel I am not sure if I am doing it correctly.
View 1 Replies
View Related
Feb 28, 2012
We have a situation where services are stopped on the real servers. The probes fail and we confirm the services are not running on the server. We cannot access the ports from the ACE directly. We can still however acces the VIP on the TCP port (L4 VIP class-map). So we can still telnet to the VIP on the port from thr Client side of the network.This is on ACE 20 Modules deployed in Routed mode. The version of software is A2(3.3).
Tried removing multi-match and loadbalance policies as well as class-map and re-applying then re-appyling the service policy to interface. Same behavior,This is a problem at another level as some services are being monitored by GSS via TCP keep-Alive and this obviuosly causes a problem as the service then never goes off-line.
View 10 Replies
View Related
Dec 10, 2012
I have just started to use an ASA 5510 for my network. I use the DHCP server on it and after i made the change over to ASA hosts started loosing their IP address. This was not a problem before on my old firewall that aso had the roll of DHCP.
Is it possible that something is wrongly sett on the asa? All traffic is flowing normaly when this does not happen.
Information:
Lease length: 172800
address pool: 134 addresses
hosts: around 45 + mobile units 45
View 3 Replies
View Related
Aug 13, 2012
When i create a rule and enable icmp in ASA inside to outside direction to testing purpose, but I can't ping outside address ,
access-list ICMP extended permit icmp any any
access-group ICMP in interface inside
LOGG:::
ping 8.8.8.8
%ASA-3-106014: Deny inbound icmp src outside:122.255.3.1 dst inside:202.124.160.1 (type 0, code 0)
%ASA-3-106014: Deny inbound icmp src outside:122.255.3.1 dst inside:202.124.160.1 (type 0, code 0)
then I have permitted icmp for return path then it works, configs and logs are followed,
access-list ICMP extended permit icmp any any
access-group ICMP in interface outside
LOGG:::
ping 8.8.8.8
%ASA-6-302020: Built inbound ICMP connection for faddr 122.255.3.1/0 gaddr 202.124.160.1/14 laddr 192.168.1.1/14
%ASA-6-302021: Teardown ICMP connection for faddr 122.255.3.1/0 gaddr 202.124.160.1/14 laddr 192.168.1.1/14
View 1 Replies
View Related
May 22, 2011
This is an issue I'm currently exploring with TAC, but I'd like a quick reality check. We have a pair of ASA 5510s in Active/Standby stateful failover mode. In some tests failing over from the active to the standby system breaks SSH connections from hosts on our Inside to hosts on our DMZs.
A specific example is our backup server on Inside which is connecting to our mail server in the DMZ2, and running ssh/rsync/scp for the backups. A running backup job fails with network timeout errors when I trigger the failover. Also, sometimes the mail server loses or hangs on its connection to our LDAP server in DMZ1, although sometimes this connection is fine (DMZ2 is more "inside" than DMZ1, and I assume the LDAP look ups are many short connections, vs the rsync backup being one long connection).
TAC has suggested that open SSH sesions will always fail when the ASAs failover. I believe this is true for management connections to the ASA, but I don't see why it should be the case for an SSH session through the ASA to a server in the DMZ. TAC has suggested that I open some connections to servers in the DMZ and test what happens, and I can do so this Wednesday morning during a maintenance window.But, in general, is this true? That is, given an SSH session from a workstation to a server, should a failover break it? If so, why?
The setup is:
MyWorkStation-INSIDE -> CoreSwitch (vlan 10) -> [ ASA-INSIDE - - (ASA-internal-connection) - - ASA-DMZ ] -> CoreSwitch (vlan 3) -> TargetServer
That is, all our inside VLANs are routed by our core L2/3 switch to a VLAN that connects to the Primary and Secondary ASA's INSIDE ports. There are also seperate VLANS on the core for the ASA's DMZ1 and DMZ2 connections, which go to both ASAs and to any servers in these zones.
The description of the ASA Stateful failover [URL]says: "The state information passed to the standby unit includes these:
· The NAT translation table
· The TCP connection states
· The UDP connection states
· The ARP table
· The Layer 2 bridge table (when it runs in the transparent firewall mode)
· The HTTP connection states (if HTTP replication is enabled)
· The ISAKMP and IPSec SA table
· The GTP PDP connection database
[code]....
I'm not quite sure what the ISAKMP and IPSec SA tables do, but shouldn't an SSH connection through the ASA be just a TCP connection? "For us, SSH from Inside to hosts in the DMZ survives failover," or, "Yah, failover breaks all SSH sessions."
View 2 Replies
View Related
Dec 4, 2011
I have an ASA 5510 which i've configured for internet access.I can connect to the internet from the ASA box,I can ping public networks from the console of the ASA box,but cannot access public hosts from internal hosts connecting via the ASA box.Find my config below to know what i ahave omitted or committed.
[code]...
View 5 Replies
View Related
Oct 18, 2011
Im running ASA 8.0(3) on Active/StandBy failover pair.Last night I realized the CPU usage of my production ASA was 99%,,, on the ASDM Firewall Dashboard I can see counters like this:
Dropped Packet Rate (ACL Dropped) = 6000+ (more than 6 thousand)
Scanning Attacks = 18600+ (more than Eighteen thousand)
I went on the ASDM and checked the RealTime Log viewer and I have about 30 entries per second of these:
4Oct 19 201111:35:12401004Shunned packet: 10.64.10.1 ==> 10.64.0.1 on interface NewLAN
[code]...
View 1 Replies
View Related
Feb 9, 2012
I have a rule which permits traffic to a web server and logging is enabled. But when I go to syslog I am only seeing traffic which has been denied. What needs to change to be able to see the logged traffic on permit rules?
View 1 Replies
View Related
Feb 20, 2012
I am working on replacing our Checkpoint Firewalls with ASA's, and am running into the following NAT problem. On some of our Checkpoints, there are external NAT's that are mapped to multiple internal hosts based on ports.Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue, is these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet) so I can't use dynamic PAT with this.
View 1 Replies
View Related
May 10, 2011
I have cisco ASA 5510 with ios version 7.07 & all users are browsing the internet via PAT through ASA. i want to block some sites/URLs like facebook, yahoo etc.
View 2 Replies
View Related
Jul 29, 2012
I am seeing the following error on my Cisco ASA 5510 running 8.4(4):Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside:10.1.0.8/1798 dst inside:10.1.0.14/25 denied due to NAT reverse path failure .Doing research I see there are plenty of nonat statements regarding connecting from one interface to another, but why am I seeing this error on the same interface.All our servers are connected via a Cisco 3750G switch with a very basic config. Why is the firewall interjecting itself and causing these issues?
View 8 Replies
View Related
Dec 13, 2010
I have a Cisco ASA 5510. I have detected an infected workstation on my internal LAN which has caused my IP to be blacklisted by Barracuda Networks and other RBL. I have scanned and cleaned the workstation removing the spambot. I want to prevent all my internal workstations from sending SMTP traffic on Port 25 through my ASA 5510 device. I only need to allow my Exchange Server access to send out traffic on port 25. configure this setup using ASDM 5.0? I know it may be easier using CLI, but using the ASDM would really be preferred.
View 4 Replies
View Related
Nov 16, 2011
How to block a single website, but I want to do the opposite. I would like to block all website except for a handful of them. Any example configs?
View 3 Replies
View Related
Sep 10, 2012
We have a Cisco ASA 5510 with a CSC SSM 20 module installed. As of this morning a valid site (Public School System) is being blocked at my site. It says the site is of High risk. I have tried entering the site in the block list exceptions but it still comes up as a high risk site.
View 2 Replies
View Related
Jan 30, 2013
I'm trying to configure a simple ACL to block smtp traffic from leaving my LAN -- basically prevent internal users from setting up internet email accounts in their email clients and sending through that smtp server. i want my Exchange server only to send smtp traffic. here's what i have:
-access-list 102 extended permit tcp host 10.10.1.29 eq smtp any eq smtp <===10.10.1.29 is Exchange
-access-list 102 extended deny tcp any eq smtp any eq smtp
-access-list 102 extended permit ip any any
-access-group 102 in interface inside
after i apply this ACL to the ASA, i am still able to send from my internet email address setup in Outlook using my "foreign" smtp server.
View 1 Replies
View Related
Jul 8, 2012
We have a Cisco ASA 5510 with a CSC SSM 20 module installed. As of this morning a valid site (Public School System) is being blocked at my site. It says the site is of High risk. I have tried entering the site in the block list exceptions but it still comes up as a high risk site...
View 1 Replies
View Related
Mar 5, 2013
I am trying to add 89,462+ access list rules to an ASA 5510 running 8.2(5). I have added all the rules to an object group and when I try to apply the access list to an interface it gives me the following error:
ERROR: Cannot add policy to rule engine ERROR: Unable to assign access-list wan-out to interface wan
I have not tried not using an object group and just putting the rules in the access list. I want to be able to add to these rules if needed easily.
I think it's clear that i have exceeded the rule limit for the ASA. So my question is, what is the rule limit for an ASA 5510 and which ASA could I purchase that would handle this amount of rules?
View 1 Replies
View Related
Nov 26, 2012
I am attempting to block outbound traffic for a specific PC on my LAN using the ASDM.
View 2 Replies
View Related
Sep 25, 2012
This does seem correct. I had 2 rules and now they are gone.
View 2 Replies
View Related
Aug 25, 2012
I'm working with an ACS 5.3 and ASA 8.2.5 and i've configured several access services for webvpn and ipsec remote access profiles but i haven't found which radius attribute can differentiate among them in the service selection rules.
View 5 Replies
View Related
Feb 5, 2013
"The service provider in your current location is restricting access to the InternetYou need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser."We are using an Internal IP....and the external, same resultI am the IT Admin and this was working last week till I upgraded to the newer anyconnect. Internet is just fine....I am at a loss.
View 7 Replies
View Related
Oct 23, 2011
We are evaluating Cisco ACS 5.2 and I can not delete a service policy that was created. The message we receive is " the item that you are trying to delete is being referenced by other items". I am new to ACS, but I did go through each tab in the manager multiple times.
View 5 Replies
View Related
Nov 30, 2011
I encountered this problem with cisco 870 atm interface. I applied service-policy output, its being accepted but when you do a show run interface, it's not there.
View 5 Replies
View Related
Apr 8, 2011
I am Using Windows 7 32-Bit, and my Network usually works fine, and my internet has been working fine up until recently. However about a month (maybe more) I noticed a problem that kept cutting me off occasionally and said Diagnostic Policy was not started, I troubleshooted it and it was fine. Much more recently this has been happening more frequently and troubleshooting it doesn't solve the problem. I can get online for 10-15 Mins then I am cut off again. Restarting the computer often fixes it but not always. I went to Services and found the Diagnostic Policy Service is not running, I press start and receive this error message.
The Diagnostic Policy Service service on local computer started and then stopped. Some services stop automatically if they are not in use by services or programs.I am quite sure my loss of Internet is due to this as this is a network related service and what the troubleshooter always finds to be the problem. Other Computer/Devices in the house connect to the internet fine with no loss of connection so it has nothing to do with that. I have tried various fixes like uninstalling network adapter drivers, and checking permissions in Registry but it has not worked.
View 4 Replies
View Related
Sep 30, 2011
I have an RV110W running firmware version 1.0.1.6 and I am trying to figure out how to enable website blocking in the Internet Access Policy screen. The Add Row button is grayed out in that section, as are the associated checkboxes.
Is there something else one needs to do to enable this feature?
If I set a name etc. at the top, and click save, it tells me "You must at least set a website blocking or PCs rule," so it is not the case that one has to save some information before continuing!
View 10 Replies
View Related
Feb 20, 2013
I have a asa 5510 vpn client groups configured and connected to the internal network DHCP server stops giving network service dhcp and the network goes down.
View 6 Replies
View Related
Jan 10, 2013
I have the following scenario: Pair of Cisco 887VA routers acting as Layer 3 for Voice/Data VLANs with a pair of 2960 LAN Base switches acting as Cores and possibly then 2960 LAN Lites hanging off them as access switches. Our Service Provider has provided an example config where the class-maps match based on dscp values for the QOS policy applied to the DSL circuits. We can obviously trust the attached phones but I want to be able to mark data traffic on my core switches based on destination IP/port to allow application definition. My major question is can I have a service policy on my Layer 2 uplinks to the routers where the linked classes setting dscp vlaues are based on class-maps matching on the contents of IP access lists based while at the same time not remarking the EF marked packets from the phones?
View 7 Replies
View Related
