Cisco Firewall :: ASA 5520 - Threat Detection Provoke Frequent Disconnections On Allowed Traffic?
Jul 17, 2011
Can threat detection provoke frequent disconnections on allowed traffic?We are using asa 5520 with 8.3.1 IOS For instance in ASDM we see SYN attack messages .The source ip address correspond to external an external host (in the outside interface) wich is allowed to connect to internal servers(in the internal interfaces).
Our threat conf is as follow:
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
[code]....
View 11 Replies
ADVERTISEMENT
Apr 15, 2012
I am interested in gathering cumulative threat-detection statistics from an ASA running 8.3, and displaying number of attacks over time. I am already capturing traffic information via netflow, but am interested in getting threat information.
Is there a way to capture the statistics via SNMP or any other method?
View 3 Replies
View Related
Dec 29, 2012
We have a 5585X running in multi context mode, and we are getting log entries for scanning threat detection, such as:
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 2 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3116
Threat detection is not supported in multi context mode so I cannot tune the thresholds, is there any way that I can get rid of this outside of messing about with logging levels/message IDs?
View 2 Replies
View Related
Feb 18, 2013
- Small Home-Office network based on a Cisco WRV210 VPN Router connected to another WRV210 in a remote location.
- The WRV210 provides 2 WAP-protected SSIDs, one for the office network and one for visitors
- Wireless channel is set 5 channels away of the closest networks (using inSSIDer)
- There are about 12 wireless devices, 4 connected to the office network the rest to visitors. Not all devices are connected at the time of failure. All wireless devices use DHCP which is set to last 1 day and provide 100 IPs.
- The wireless devices are 1 desktop, 3 notebooks (all clean), iPads, iTouch and Nook.
- The failure symptom is that almost daily, and most likely around the same time, no wireless device can connect to any of the SSIDs unless the router is power-cycled. During the failures, which we have witnessed first hand, there are no apparent reasons: no new SSIDs, now SSID in close range on the same channels, nothing we can easily observed in the network in terms of connections or unusual activity.
- A weirdo also presented by the WRV210 was that its web pages were shown erratically. That was corrected by downgrading the firmware from the latest to previous version.
We have used a loaner Linksys router WRT54GC with only the visitor Network on it and even though the situation is not as frequent, it has happened already a couple of times.The WRV210 is out of warranty and discontinued, so we get no support from Cisco that is worth paying for.
View 1 Replies
View Related
Aug 10, 2011
i allowed one of internal ip using static nat and public ip is 203.18.137.22 and i want to check which IP are hit this public ip ?Is there is any command to check which ip is hitting 203.18.137.22? I have the cisco 5520 asa firewall.
View 6 Replies
View Related
Apr 20, 2013
Port forwarding done to a DMZ located server on the cisco ASA 5520. Now this host cannot browse but allowed outside to inside access is possible Is there anyway i can give this system to browse internet? may be through the natted IP ( 94.20.*.*)
View 2 Replies
View Related
Jul 29, 2011
i have reviewed this configuration a couple of times and I am not seeing my error. I have two internal subnets, in different VLANs with the ASA being the default router. The internal zone works fine, but the zone called wireless on VLAN 13 doesn't. The firewall blocks all communications and the rules look correct to me. I want all traffic on this wireless subnet to be allowed to cross over the firewall and NAT to the outside interface, just as the inside zone does.
View 1 Replies
View Related
Apr 29, 2012
I have an ASA 5520 with the below config
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
I have a SMTP relay deployed on the DMZ for mailing. I have also a mail servers installed in the internal lan,
I want to allow trafic from dmz to reach internal lan, and i want normally also allow stmp relay from dmz to reach Internet.
How can i block trafic from DMZ to reach Internal Lan (instead of smtp) if the to allow trafic from dmz to internet i must put ANY in the policy?
For allowing trafic from DMZ to reach Internet, the policy must be DMZ -----> ANY ----->Services., this policy means DMZ can implicity reach Internal Lan?
View 2 Replies
View Related
Oct 22, 2011
I have a simple question regarding dead peer detection on the ASA 5520. I am using a cellular VPN device to connect back to an ASA 5520 and I have noticed that the connection drops at random periods during the day. The vendor for the cellular device recommends disabling dead peer detection on their device, which I have done. The question is, where is this disabled on the ASA? is it the IKE Keepalive setting under the tunnel group option?
View 1 Replies
View Related
Mar 27, 2013
We have set of PC's who will be connecting either RA IPsec or SSL VPN to another location. On our site, our perimeter device is an ASA 5520 8.2(3). The interfaces on this ASA doesn't have Access Lists applied, so from what I understand, there is a default policy applied globally (class-default). Now my question is: If we set up vpn clients on our pc, are the ports used by the clients to the VPN server allowed by default or do we need to tweak the class-default?
View 6 Replies
View Related
Apr 8, 2011
Our Local Network is behind the CISCO ASA Firewall.Whenever we are accessing to Client VPN server,it is getting connected but after few Minutes (May be 5/10/30 Min),the sessions are terminating. The same traffic through PIX is no issue , only with ASA Firewall. See the following Error and request you give the possible root cause for this.
2011-04-09 16:15:09 Local4.Info 172.16.1.68 %ASA-6-302016: Tear down UDP connection 87447908 for OUTSIDE:68.22.26.66/4500 to inside:172.16.9.10/4410 duration 0:27:49 bytes 18653
View 1 Replies
View Related
Nov 12, 2012
A friend bought an Inspiron 15R 5520 earlier this week & is experiencing poor signal strength & frequent drop outs. I took my Inspiron 15R 5110 to her place, connected to her wireless network & had no problems at all ... good to excellent signal speed & no drop outs.
View 5 Replies
View Related
Nov 1, 2012
We just migrated from a single 5510 to a dual (failover) 5520, It seems that everything is working except the remote VPN. We can establish a tunnel and authenticate as local users, (going to LDAP when all is working) but no traffic is passing. I know I am overlooking something but cant see it. [code]
View 12 Replies
View Related
Jun 12, 2011
Our ASA 5520 firewall is running 8.0(4) IOS.I have an internal L2L VPN terminating on my firewall (from an internal remote site) on ENG interface.With the default "sysopt connection permit-vpn" command enabled, VPN traffic is allowed to bypass the ENG interface acl.The security level on the ENG interface is set at 50.The security level on the destination interface PRODUCTION is set at 40.Inbound VPN traffic bypasses ENG interface acl and since higher-to-lower security level allows VPN traffic to flow freely from ENG to PRODUCTION, it seems the only place to check/filter VPN traffic is an ACL placed on the PRODCTTION interface and set at INBOUND (outbound VPN traffic).
View 4 Replies
View Related
Dec 1, 2011
I have a Cisco ASA 5520 (8.0) and I'm trying to figure out how to prioritize traffic to specific websites (by either domain names or IP addresses/ranges). This document [URL] has some great examples, but I'm not able to create a class-map that will match addresses. I'm not doing any other traffic manipulation on this ASA.
View 1 Replies
View Related
Dec 20, 2011
We can´t reach DMZ servers from other DMZ servers?If I make a ping from DMZ server to another, sometimes only recieve one ping, sometimes 4, sometimes 0.How can I allow the traffic between DMZ servers??
(ASA 5520 Version 8.4)
View 2 Replies
View Related
Mar 2, 2011
I am setting up a pair of 5520 in A/S mode but the traffic from inside to outside seems blocked somehow.
asa01# sh run : Saved
ASA Version 8.3(1)
host name asa01
enable password LFJ8dTG1HExu/pWQ encrypted
password 2KFQnbNIdI.2KYOU encrypted
names
[code]......
Base on the above configuration, I still cannot ping or HTTP.
View 10 Replies
View Related
Aug 23, 2011
We have a 100 Mbps WAN circuit, we have configured an IPsec tunnel between ASA 5520 and Cisco 3845 Router for our DR site replication via Veeam Backup and Replication, it was working fine before, when we established the 3DES tunnel the traffic for certain subnets is dropped after an hour and it stops the replication, although tunnel remains up and we can access the other subnets, as soon as we clear the crypto SA and ISAKMP sessions on the firewall the traffic starts flowing again and then after an hour the traffic is dropped again.So far the testing and differnet configurations we tried are as under.
Tried with a different MTU size both on firewall and ESXi servers but nothing happened.Their is no QOS configuration.Checked the utilization on both ends its Noram although their are subsequent 100% spikes on Cisco 3845 but on average it remians at 30-40%.
View 6 Replies
View Related
Dec 12, 2012
I was configure 3 interface on ASA1st - managemetn (only for management)2nd - gig0/0 is connected to internet with real IP3rd - gig0/1 is connected to local networkI was configure routed NAT to internet.But I have problem with restriction incomming traffic to inside interface (ifname is inside)but I can connect to ip address of inside interface from other ip. It is wrong and i can't understand where is my mistake.
View 2 Replies
View Related
Mar 20, 2013
How can I see the quantity of traffic that is passing through into an IPSec VPN in a ASA 5520.
View 3 Replies
View Related
Nov 27, 2011
I am trying to make a basic config on my 5520. The first goal is to make trafic from inside to outside.The internet address is 64.28.29.200 and the default internet gw is 64.28.20.193What am I missing since I can not get trafic from inside to the internet? [code]
View 10 Replies
View Related
Apr 4, 2013
We've got a proyect that requires a few thin clients to connect to a remote PCoIP server.
Looking to the documentation, the only port required to be open through Firewalls is TCP/UDP 4172, however, we've seen (making interface captures) that it somehow also uses ESP (IP protocol 50).
We've got a static NAT translation translating those thin clients to a public IP address, we've created ACLs to allow inbound (shouldn't be necessary as our user is connecting to a remote server) and outbound traffic for TCP/UDP 4172 and ESP and I cannot make it work.
I've also enabled IPSec pass-through Inspection to no avail.
how should we configure our ASA to enable this kind of traffic?
View 4 Replies
View Related
Jun 14, 2012
I am installing an ASA 5520 and I have a problem on accepring the incoming traffic from an external office connected via Frame Relay.
On my OUTSIDE interface I have both the internet traffic and the external office traffic incoming. What comes from the external office is visible as 10.1.0.0/16.
I have to allow this traffic to enter the internal network, without any control. I would also keep the original IP address.
I have configured the Firewall but I don't know how to setup the NAT.
View 2 Replies
View Related
Jun 28, 2011
When I try to configure the Botnet Traffic filter with the commad "dynamic-filter use database" through the ASDM I get the following error message.
[ERROR] dynamic-filter use-database Dynamic Filter: New data file not terminated with newline
View 14 Replies
View Related
Jun 20, 2011
I have installed asa 5520 , software ver is 8.4,I have SSM-20 installed in asa 5520. How to pass traffic through this ssm-20 ,how to create sensors,how to update signatures of this IPS module ,is there any procedure to automatically update the signatures .
View 1 Replies
View Related
Apr 6, 2011
I have a handheld device that will be used for inventory outside of our office. It has 3g capabilities. Is there anyway I can permit traffic from this device from the outside world coming into my network? I need to open a couple of ports so it can hit the server. But I have no intention to open these ports up to the entire world. I use an ASA 5520 with a managed router from our provider. I looked around on the Cisco site and the only information I found was for permitting and denying traffic from devices that are within the network.
View 2 Replies
View Related
May 14, 2012
how can i check that ASA is passing traffic? Also what command we can use to make sure VPN is working fine.
View 2 Replies
View Related
Sep 26, 2011
i have an ASA 5520 8.4(1) with following config
interface GigabitEthernet0/0
nameif WAN
security-level 0
ip address 216.52.185.33 255.255.255.240 standby 216.52.185.34
!
i need traffic (port 9350) from DMZ and WAN forwarded to object Production_23 port 3389, how do i achieve this ?
View 1 Replies
View Related
Apr 5, 2011
I hava Cisco ASA 5520 with AIP-SSM module. I would like to have the below features with ASA installed in Transparent mode.
1. Traffic shapping per user
2. Traffic shapping per IP subnet
3. Traffic shapping per Application
Is it possible with ASA installed in Transparent mode?
View 9 Replies
View Related
Nov 3, 2011
I have a client that has an ASA 5520 that has two internet connections, FIOS and Comcast. The ASA is configured to failover from the FIOS to the Comcast if the FIOS fails. This works perfectly fine. However, I was wondering if VPN and other inbound traffic will come into the secondary connection when it is active. I think VPN will work inbound when the FIOS connection fails, but I am not sure about the other inbound connections.
View 1 Replies
View Related
Jun 1, 2011
I'm trying to route all default traffic from my production environment through my ASA 5520 on the "outside2" interface.The 5520 has a site to site VPN to our DR site on the "outside/inside" interfaces via one ISP. On another ISP, interfaces "outside2/inside2" go to the internet.
When I make my 3750 stack default route for the inside2 interface IP I cannot get to the internet. When it is pointed to the inside interface on my 5505, I can.
I get the following errors when I try to open google.com from a production server:Why is the 5520 trying to use the "outside" interface instead of the "outside2" interface to go out?
View 6 Replies
View Related
Apr 2, 2012
My internet link is connected on Internet Router & below downwards Cisco ASA 5520 is connected.ASA is connected with core switch cisco 4510 on downwards. our web based mail [URL] is hosted outside.
Lets suppose ISP pool is 4.4.4.0/28.suppose owa server is Static natted on ASA with 4.4.4.4. my machine traffic is going to internet with same ISP with PAT on Cisco ASA & internet is working on my machine. if i want to access {URL} or ip base for mail access, its not working & also it is not pinging. i suppose to ASA is blocking for returning traffic.
is there any way to traffic will go via same Firewall & comeback on same firewall port?
View 1 Replies
View Related
Dec 5, 2012
I am currently testing Netflow accuracy on my Solarwinds platform. So I have been transferring a large file across an ASA 5520, which is set up to send Netflow data to out Solarwinds server.
The problem is that the Netflow data does not show up on Solarwinds for about 2.5 hours. Once it gets there the size is correct, but the time stamp on Solarwinds is 2.5 hours behind when the transfer happened. For routers it is showing up within a few minutes.
ASA is running 8.2(5) and Solarwinds NTA 3.9.0. Firewall and Solarwinds times / timezones are the same.
View 8 Replies
View Related