Cisco Firewall :: Attacks That Simply Overload ASA 5505
May 6, 2013
We have an ASA 5505 and we keep getting short bursts of ICMP packets (5000 in one second). They will do this and it simply overloads the ASA and it crashes. Is this because it is 1000 past the 4000 connections per second capacity of the ASA 5505, or do we have a setting wrong somewhere that could prevent this type of overload from happening? We are looking to prevent DoS and other attacks that cause even a short loss of connection, since the servers are getting attacked daily and we have voice streaming through the ASA. [code]
My colleague and I have been trying to figure out why we are unable to get this ASA to NAT overload correctly. I'm sure it is something stupid, and the config may have gotten a little dirty as we tried to change options and make it work. FYI, we can SSH from the WAN into the device to configure it. It is communicating externally, but it isn't NATting.
There is a new office which is going to be on a separate internal subnet (192.168.254.x), and it needs to be port-address translated to one public address (212.23.51.108). I've given it a go on the ASA5510, but I'm not sure if I'm doing this right.
3 of the internal addresses need port redirection:
192.168.254.10 - public port 33510 - private port 3389
192.168.254.11 - public port 9940 - private port 443
192.168.254.173 - public port 3390 - private port 3389
port 80 and 443 opened for 192.168.254.10
I have a test PC set up and connected to the internal 192.168.254.0 network (gave it a static IP of 192.168.254.10). It is reaching the internet, and its public IP is seen as 212.23.51.108; however, how do I test to see if port 80 or 443 is open for this IP?
Tried using the CLI but gave up and looked at doing it in ASDM; however, I can't see the option in ASDM for NAT overload, so I've tried configuring this with Dynamic NAT, which looks about right...
This is the relevant config so far, as far as I can see.
I was just checking my router's firewall log and I noticed a couple of entries which appear somewhat suspicious, amongst all the 'normal' background radiation of (mainly) Russian and Chinese IPs: [code] The source IP for these 'attacks' is/was unused on my internal network.
My router is a Billion BiPAC 7800N running 1.06e firmware. There are a number of devices permanently connected to the internal network and a number which are connected at other times (e.g. desktops, laptops, mobile/cell phones, games consoles). Some are wired, some are wireless. Some have static IPs (none of which are listed in the above 'attacks'), some have dynamic IPs (assigned by DHCP by the router in a range not listed above). The WiFi is secured with a strong key on WPA/WPA2-PSK, AES (no WPS). Web Access Control for the router is disabled. Block WAN PING (and Block WAN (IPv6) PING) are both enabled.
I've noticed in the mornings lately, when I get up around 6 am, my internet will not work. Not on wireless or on my desktop. I decided I'd log into the router to see if there was a firmware update or anything. I checked the logs and there are quite a few entries relating to DoS. I googled around and saw that it could be some sort of packet loss and the router is mistaking it for some sort of DoS attack, and that, due to it not showing up multiple times every second, it likely isn't a DoS attack. Here are a few from the logs:
Can I detect the IP of DDoS attacks, and is there a simple way to prevent them? I've heard different suggestions, from blocking incoming ping requests to blocking specific IP ranges.
I have 3 versions of the .NET Framework (2.0 SP2, 3.5 SP1, and 4.0) on my system. Secunia wants all 3 versions updated. I am not sure where they came from. Can I delete NF 2.0 SP2 and 3.5 SP1 and simply run with 4.0?
I am attempting to configure a Cisco 2901 router using IOS 15 to properly perform NAT/PAT translation between the LAN and the internet connection. I've configured a DHCP pool for the local interface (GigabitEthernet0/1), which works properly. The WAN interface (GigabitEthernet0/0) is configured to obtain its own IP by DHCP from the ISP. I can work on the LAN computers and I can access the internet directly from the router (using, for example, telnet and the router's ping command). The problem is, NAT does not work properly and connections from the LAN interface do not reach the WAN interface.
The DIR-825 wireless simply doesn't work. When I called tech support, we cleared some settings and hard-powered the unit off/on and it finally turned on the wireless radio. A couple of weeks later I pull out my laptop to use in the house via wireless and the wireless on the DIR-825 is OFFLINE AGAIN... fallen and it can't get UP. Is anyone having issues with keeping their wireless online? OK - powered it off for 5 minutes... now the wireless is working. I think changing configuration settings causes the thing to lock up.
We are finding the price for the ASA 5505 too high and our clients are having problems securing budgets for these devices. We don't want to move to different vendors, and we have a team of people who already know Cisco well. I have seen the Cisco 877 router which has the IP Advanced IOS; is this the same as the ASA5505? We would like to offer our clients an alternative to the ASA5505, but something which can do the same as an edge device, also protect the client from malicious attacks, and has a CLI.
I have a Cisco 2821 router. I currently have it set up to accept VPN connections from a Cisco client which uses the 172.16.4.0 subnet for VPN connections. I also have NAT overload set up for the local LAN of the router so my internal servers on the 172.16.3.0 subnet can reach the internet. Everything works great for that setup. However, I have tried several methods I found for split tunneling and they have weird problems with the NAT overload in place. If I take away NAT overload, the split tunneling works. If I take away split tunneling, the NAT overload works. I can't seem to get them to work at the same time. Config is below. This is the VPN/NAT overload config with no split tunnel.
Current configuration : 2236 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
I use a C892 router with the IOS c890-universalk9-mz.152-1.T.bin. I just ran the command "debug ip packet 151 detail" and then the router stopped working because it was overloaded. The ACL 151 I used is as follows:
Extended IP access list 151
    10 permit ip host 10.1.1.1 host 91.1.1.1
In the syslog I then got hundreds of messages from IPSec:
Jan 11 09:43:35.677: IP: s=10.80.10.254, d=10.64.19.99, pak 8A7453CC consumed in output feature , packet consumed, IPSec: to crypto engine(70), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
[code]....
To me it seems like this ACL is not applied and that I then have a debug running for the whole traffic.
We have been deploying Cisco SF200-24P switches for our systems for over a year now. They connect to a Cisco 881 router. In many cases we are also deploying Cisco AP541s. Over the last few months, on an intermittent basis, the switches will simply freeze, blocking all traffic flow. The power LED also goes dark. It appears the switch has frozen. The only thing that seems to revive the switch is a hard reboot by pulling the power cord. In the last couple of weeks, one site in particular has gone down a handful of times. That client of ours is fed up. Our patience is running thin too.
I cannot see any indications in the logs of any event that might give a clue as to the problem. We definitely see this problem with the 1.2.7.76 firmware and the 1.2.9.44 (latest as of typing this). Not sure about the earlier 1.1.2 firmware. Without a fix, we will likely have to change switches and possibly vendors, as we need a reliable switch. I see some vague references to a similar problem, and one reference to an SG300 series having what sounds like the same issue.
I can't connect to the internet through Google Chrome or Explorer; pages simply won't load.
- can't ping the PC from other PCs but can ping the modem
- internet shows connected and receiving data
- all connections tight
- internet/wireless modem working fine with my other PC/laptop
- all other programs on the PC seem to work fine
- I have changed no settings on the PC since I last used it and the internet
- I had not used the internet in approx 2 months on the problem PC
- I tried turning off the firewall
- running XP
I have the latest firmware, have the settings correct (the UPnP is disabled and whatever)
Model number: E3000
Serial number: CVQ01KC13100
Firmware version: 1.0.04 build 6
Operating system: Windows 7 SP1
Software version: 1.3.11006.1
Connection type (WAN): PPPoE
Went out of town for 2 weeks in March, and all through April I didn't have any disconnects. I have had this problem since I got it; it gets really bad from time to time (like now). Thought it was my provider for the longest time, but found out that if I connect via wired, no disconnects! Is a re-flash simply downloading and installing firmware?
Earlier today I attempted to change the settings on my Westell 6100 modem so that it would simply bridge the connection to my Linksys WRT54GS router, basically involving setting the modem to bridge only and turning DHCP off. Now I no longer get an internet connection through my router, when previously the connection had worked perfectly fine. I followed the steps of cloning the MAC address to the router and have done the proper resetting steps (computer, then router, then modem), but I simply can't get an internet connection through my router. The process to set up simple bridging from the modem was supposed to end up with the internet light no longer turning on, but the light turned back on following one of the resets.
Currently, I can connect to the internet through the modem just fine, but I get nothing when I include the router. I'm not sure if there are some other settings I'm supposed to be changing, as I can't seem to find anything past what I've already done when researching online. At this point I would just be happy reverting the settings I've changed, but I don't know how to access the modem now that DHCP is off. Basically, I'd prefer to be able to get the router working with these new settings, but if that proves too difficult (as I've heard it can be when trying to get Westell modems to work with Linksys routers) I'd like to learn how to access the modem and change the settings back to what they were (preferably in as simple terms as possible, as I don't particularly understand what a lot of these settings/configurations do). (And a bit of an aside, but I had attempted to do this modem bridging to "fix" perceived internet speed problems. I've been averaging around 300Kbps download rates ever since I've had this internet connection from Verizon, when the supposed download rates should be between 1MB and 1.3MB. Doing this modem bridging had been reported to fix some modem/router conflicts and improve connection speeds for some.)
If your wireless indicator is flashing red when you discover the smurf, it can mean that someone has tried to log on with an incorrect password. This is not necessarily an attack; it could be someone you have allowed access to who has forgotten the password. In this case, entering the correct password will solve the problem. However, putting your own MAC address into the filter will simply block your own machine.
We were having a discussion of IOS firewall vs. ASA for smaller clients (less than 50), i.e. using an IOS firewall (ZBF or CBAC) versus an ASA 5505/5510. One of the arguments brought up for using the IOS firewall on the router is that a router will do an IP SLA failover. I have configured a number of ISRs for this and I know it works well.
I have a Cisco ASA 5505 in our office. We are currently using Interface 0 for outside and 1 for inside. We only have 1 VLAN in our environment. We have two three switches behind the firewall. Today the uplink from the switch to Interface 1 on the firewall went bad. I want to set up a second inside interface on the firewall and configure it as failover in case this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? Would it only be a passive/standby interface?
Setting up an ASA 5505 to be used as a firewall between a BT internet router (BTnet service) and a Cisco 3560 LAN switch. BT have presented me with a Cisco 3800 series router with the following details:
Network Address Network Mask BTnet NTE Router LAN Address
There are 2 GigabitEthernet ports on the back of the router. Port Ge0/0 is connected to the BT NTE and the status light is flashing green. Int Ge0/1 is connected into port int e0/1 of the ASA, but I am unable to get any connection.
I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 routers - [URL]).
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPsec VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard stateful inspection.
I have been working with the ASA 5510, 5520, 5540 and 5580 but not with the 5505; its VLANs and interfaces are quite confusing. I just want to know how it works and its connectivity to a Cisco switch. Do I have to put the interface of the switch in the same VLAN as the interface VLAN I am creating in the firewall? So should the switch port connecting to this Eth1 interface also be in the same VLAN, i.e. VLAN 3? Or will it be a trunk? The default configuration shows eth0 with no access VLAN and interface eth1 with access VLAN 2... does it mean eth0 is in VLAN 1 (native VLAN)?
I have a Cisco ASA 5505 firewall. Is it possible to block secure websites with it, like [URL]? I have already tried regular expression filtering, but it filters only HTTP traffic.
I am trying to configure our ASA 5505 so that our users can access our FTP site using [URL] while inside the firewall. Our FTP site is set up so that you can reach it by either browsing to the above URL or by browsing to ftp://99.23.119.78, but we are unable to access our FTP site from either route while inside the firewall. We can access our FTP site using the internal IP address of 192.168.1.3.
Here is our current configuration:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password qVQaNBP31RadYDLM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif ATT
 security-level 0
 pppoe client vpdn group ATT
 ip address pppoe setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
access-list ATT_access_in extended permit tcp any host 99.23.119.78 object-group DM_INLINE_TCP_1
access-list ATT_access_in extended permit tcp any interface ATT eq ftp
access-list ATT_access_in extended permit tcp any interface ATT eq ftp-data
access-list ATT_access_in extended permit tcp any interface ATT eq www
access-list 100 extended permit tcp any interface ATT eq ftp
New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
- Single static public IP: 16.2.3.4
- Need to PAT several ports to three separate servers behind the firewall
- One server houses email, PPTP server, FTP server and web services: 10.1.20.91
- One server houses DRAC management (port 445): 10.1.20.92
- One server is the IP phone server using a range of ports: 10.1.20.156
Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505. Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP? [code]
I'm integrating a Cisco ASA5505 with a Websense proxy. I have a configuration set up where we have four routers which are used for Internet access. There are two VLANs - Guest and Private. What I would like to achieve is making use of the available bandwidth by load distribution via GLBP, and filtering users' web traffic. Two routers will be used for a GLBP group in one VLAN, and the other two routers will be used for GLBP in the other VLAN. The users are connected to a Cisco 2960 switch and are in their respective VLANs. I'm planning an 802.1q trunk from the 2960 switch to the Cisco ASA, carrying both VLANs. What I would like to know is whether there is a CSC module (or similar) which has Websense installed on it, and if it is possible to set up the ASA5505 in transparent mode to filter the traffic in this way. Hopefully this would allow multiple users to take advantage of the additional bandwidth, and not be restricted by using a traditional proxy setup where all web traffic would originate from a single MAC address.