Cisco Firewall :: PIX 525 Anti-Spoofing Attack Protection
Mar 19, 2011
I have multiple questions about the PIX 525 software version 8.0(2) ASDM 6.0 (2)I am a windows network admin that is new to Cisco and routing in general. I have read through the forums and the Cisco documentation, but have not been able to fully understand the topics discussed within.
1. Anti-Spoofing Attack Protection
2. Scanning Threat Detection - Auto Shun
3. NTP Sync Verification
4. QoS implementation5. IOS and ASDM Backup
This option is currently DISSABLED for all interfaces.I know what ip address spoofing is, but what is the functionality of these options specifically? How does it work and should I enable it and for which interfaces? Second Question: Scanning Threat Detection - Auto Shun
I found this option in ASDM under: Configuration --> Firewall --> Threat Detection.Enable Basic Threat Detection and Enable Scanning Threat Detection are both currently ENABLED, but Shun Hosts detected by scanning threat is currently DISABLED. Also, the Networks Excluded from Shun field is empty. I know what the shun command does. I have used it many times when I have been fortunate enough to catch some piece of **** trying to spam my mail server or gain access to it.
What I am asking specifically is how does the Auto Shun work? Should I enable it and what are the potential consequences? Also, what exactly is a scanning attack?
I am not familiar enough with the PIX and with the topics discussed in the document to successfully apply the info within. Plus, I'm not sure it covers the kind of basic, all-inclusive bandwith cap I would like to put in place.
The goal is to cap the maximum internet (outside) bandwidth that inside5 can use to a reasonable percentage while allowing the other interfaces to have the remainder.
How would I go about this implementation? 2. Is there a way to allow inside1 - inside4 to use max bandwidth when there is no traffic on inside5?
I am probably, at least, the third owner of this device and I do not have an account with Cisco nor can my tiny (perhaps non-exsistant given the current economic state) IT budget afford any form of support or software licensing with them.My goal is to backup the IOS and ASDM data in the event that I have to replace the device due to a hardware failure.
I found a file transfer function within ASDM which allowed my to copy the files pix802.bin, asdm-602.bin and tfp from flash to my desktop computer. I also have a copy of the activation key info and my current configuration.
1. Have I backed up all the data/info I would need to restore this software and ASDM to another unit.
2. The activation key screen also has a serial number field. Is this the hardware serial number or is it for the software? and is it tied to this device specifically or can I use it to restore another unit if necessary?
3. Is there anything else I should do or be aware of regarding backup and restore for the PIX?
4. What is the tfp file?
View 1 Replies
ADVERTISEMENT
Apr 24, 2011
What is Anti Spoofing in ASA 5505. Can I enable it on ASA 5505. If yes , port will be inside or Outside. ? or both ?
View 1 Replies
View Related
May 30, 2011
We are runing PIX 535 with software version 8.02. In ASDM, I see anti-spoofing is diable in all interfaces. If I enable it, is there any negative effect? Can I enable it in DMZ, inside, and outside interfaces?
View 2 Replies
View Related
May 5, 2011
Is there any way to configure 3825 to ensure that all packets have a source IP address that matches the correct source interface (similar to ASA's 'ip verify reverse-path interface')? Currently, we manage anti spoofing with a bunch of ACLs, however I'm looking for a more manageable solution.
View 2 Replies
View Related
Jul 26, 2011
what is the function of anti static protection
View 1 Replies
View Related
Apr 15, 2013
I try to launch a LAND Attack against my firewall ASA 5520. Everything will work fine. But why, I think it should not work. I use a little tool where I can user a spoofed address, with a cluster shell and attack the firewall interface with the source of 127.0.0.1 ore the ip address of the interface as the source and destination. Then I get a cpu load of 89% with only two host. With IP tables I can use kernel processes to prevent this. But I don´t find anything for ASA.
View 1 Replies
View Related
May 28, 2013
After hours of trial and error, and searching user groups, I have found that on occasion, ASA v8.4 will stop pings with the IPsec-Spoofing logic. Interestingly, the packet-trace will say everything is allowed.
The fix (at least in my case, and one other) is to narrow the crypto-map to specific hosts, not subnets.
View 2 Replies
View Related
Dec 13, 2011
how to configure ASA 5510 anti X edition ? Can I have a link explaining the configuration step by step ?
View 2 Replies
View Related
Aug 11, 2011
tell me the command to view current anti-reply window size in ASA 5510?
View 7 Replies
View Related
Mar 27, 2011
We are getting continuously log created as below in ASA 5510. I suspect something is going wrong (like system is getting compromised ? )
Note: I have changed the actually public IP to 1.1.1.1 for some security cause.
Log..
Mar 18 21:46:19 124.153.100.44 Mar 18 2011 21:46:22: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1Mar 18 21:46:19 124.153.100.44 Mar 18 2011 21:46:23: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1Mar 18 21:46:20 124.153.100.44 Mar 18 2011 21:46:23: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1Mar 18 21:46:21 124.153.100.44 Mar 18 2011 21:46:24: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1(code)
View 3 Replies
View Related
Mar 21, 2013
We are getting below logs in our Syslog, how could i stop this."%ASA-2-106017: Deny IP due to Land Attack from 161.233.167.65 to 161.233.167.65 "
View 1 Replies
View Related
Sep 23, 2012
We need Solution for disabling Anti-Replay on the Firewall for a specific tunnel. ASA 8.4(2) ) does not support disabling Anti-Replay on specific Ipsec tunnel , is it true , then if we want to disable Anti-replay , what we have to do in ASA5540 .
View 4 Replies
View Related
Apr 12, 2011
I have a Cisco asa 5510. I am doing attack a my firewall, using n map. I am seeing in the log the attack but i like that firewall send only alarm of attack by email . I have active email with warning and i received very much email.
I observed that graph show attack, but not ip of attacker, is possible that Cisco asa show the ip too ? The log show scanning with n map but not shunning IP and not send alarm. How i can send alarm ? The graph no show ip, it's possible show it.
View 10 Replies
View Related
Sep 3, 2010
Does Cisco ASA5510 or 5520 can protect DDos attack and sync flood ?I have problem on this, so how can i protect on this, some time i saw on my log like this"sync flood " or "ddos to xxx.xxx.xxx.xxx" the ip address random .
View 7 Replies
View Related
Mar 7, 2012
-1x Cisco ASA5540
-1x Catalyst 3750x-48T (L3 Core Switch)
Id like to seek expertise on validating a simple firewall setup.
Do i trunk core switch traffic to the cisco ASA OR assign L3 link instead? It is basic understanding that the Cisco ASA is usually use for protection from our internet zone.A typical Cisco ASA setup would consist of outside, inside, dmz zone.
L3 core switch consist of 20 VLANS20 vlan needs to be blocked from each other. Eg Wireless Vlan does not have access to Server Vlan etc etc.
what is the best practise to filter ip address within vlan from reaching each other.Should i trunk all my vlan to the Cisco firewall? (For easy vlan restrictions: but is that best practise?)Or do ACL on the core switch itself? but what if i have tons of servers ip that needs specific ports blocking or etc.How would i be able to manage all my ACL on the core switch.
View 1 Replies
View Related
Mar 2, 2011
I want to make use of the SPI Firewall and DoS Protection features of the WAG320N. What are these for? How do you configure them on WAG320N?
View 1 Replies
View Related
Jul 1, 2011
url...I discovered that it would be possible to be protected from portscan, i mean when someone scan our nework/host from outside, the attacker will see all the 65535 ports as "open" (in that way it will be more difficult for an attacker to perform customized attacks...)So I have follow the setup in that link: policy-map global_policy class class-defaults set connection embryonic-conn-max 15 per-client-embryonic-max 3 service-policy global_policy global . The problem is that I don't have the exepected result..If i do a portscan over Internet from an external host to my hosts the portscan is successfully working and I can view my open ports...I have also tried to set this through a "match" in an access-list but without any sucess.
View 3 Replies
View Related
Oct 14, 2009
I'm about fed up with with having this issue that no one can seem to solve. It dates back to when I owned a WRT54G router. I started experiencing random disconnects with the router, both wired and wireless. I only owned the router a year and figured it was going bad.
So I purchased this WRT120N router late August. Soon after I set the router up, low and behold the same problem started. I've called my ISP a couple occasions and they tell me that everything is fine from their end. I've spoken with Linksys tech support on 3 seperate occasions. I have changed the MTU to 3 different values and upgraded the firmware. The 2nd support tech suggested that I do those two things. To my surprise this worked for 2 or 3 weeks with no problem. The same problem started again just last night disconnecting intermittingly. I spoke with another support tech and they suggested that disable the SPI Firewall protection and Anonymous internet request. That did not work for the brief time I had this disabled.
More into the problem, when it disconnects the modem seems fine but the activity light on it stops as it should. The router itself appears to reboot, then when it comes back up the connection restores. What could possibly cause this? I currently have version 1.0.02.This is getting very frustrating and I am getting very near not using Linksys/Cisco products any longer.
View 9 Replies
View Related
Oct 9, 2012
We want design a topology based on transparent proxies using WCCP. Our proxies can do spoofing of user ip addresses. So, the HTTP request will go out our network with the user ip address as source ip. The HTTP Response will arrive with destination address the user ip address. We want use WCCP to redirect inbound and outbound traffic because we have c3750 with L2 WCCP support. The outbound redirection, when the packet is going out our network is simple. But, the problem is the inbound redirection. How we redirect this packets to proxies by WCCP?. Is it possible?. This redirection is done by c3750 using TCAMs/hardware?. Our throughput could grow until 2-3Gbps and we are worried about the performance.
View 1 Replies
View Related
Jun 15, 2012
I just purchased a Sharp Aquos Quattron LC-70LE845U with SmartCentral user interface and I can not access any apps because I live in Puerto Rico which Sharp says is not part of the United States. I don't really care if it is or isn't but I do want to check out the apps because right now its not really a smart TV and I kinda feel a little jipped. Any way I want to spoof the IP to think that it is in the United States. However I don't think that I can go the software route because Sharp has its own operating system and browser so I don't know what would be compatible. I'm using a D-link DGL4100 router if that information is useful.
View 5 Replies
View Related
Mar 10, 2012
If I have an updated Antivirus in my network, do you still recommend having IPS installed in my network?
View 1 Replies
View Related
Mar 31, 2013
Region : India
Model : TD-W8951ND
Hardware Version : V4
Firmware Version :
ISP :
The product manual of TD-W8951ND V4 states that it's supports MAC spoofing. But in the product itself, it is nowhere to be found. I tried contacting the customer care via email but they are too lazy to respond. If they disabled this feature then why in the world they mentioned in the manual. I double checked the manual before buying this model. Now I stuck with it.
View 4 Replies
View Related
Aug 24, 2012
AV for SBS 2011 that also works with Exchange 2010? I found Trend Micro Worry-Free Business Security Advanced 7, but unfortunately it doesn't seem to have a free trial.
View 5 Replies
View Related
Feb 20, 2013
Region : Malaysia
Model : TD-W8951ND
Hardware Version : V5
Firmware Version : V5
ISP : Streamyx
TD-W8951ND V5 No longer have Mac Spoofing support.i just bought this modem since my old one is faulty. and i realize that my modem is V5 my previous modem is V4 and there is Mac Spoofing support there.
View 1 Replies
View Related
Apr 4, 2013
I have many VPN sites using ASA5505 with broadband connection and terminating on a single ASA5550.I have a problem with one site. they are having poor performance. One of the issues I can see is an error on the remote ASA 5505.ive tried the reccomended fix using this command: crypto ipsec security-association replay window-size 1024.
View 1 Replies
View Related
Sep 5, 2011
I plan buy a virtual dedicated server, well as for anti-virus for it I am lost where to look for and what exist [what search]? any open source? url..is enough or needed additionally and other tools? Needed and software firewall to install?
View 5 Replies
View Related
Feb 12, 2013
I manage a CISCO 4404 WLC with about 46 access points across our WAN. System works very well, serving trusted users, guests etc very well.However, over the last month or two we have had an issue where we have had high load on our WAN.We have traced this down to the CISCO 4404, about 3-4 times a day, the controller connects to every access point and transmits about 5-8mb of data on port 5427. This in itself would not be a problem, but it connects to all 46 at the same time.
View 13 Replies
View Related
Jun 29, 2012
I am wondering how to change my internet IP address as someone is DDOS attacking me on a daily basis. I have tried all the ipconfig stuff, and unplugged my modem for an hour. Not sure what to do at this point. Plugging my PC directly to the modem changes my IP, but then when I plug my PC back into my router, it changes back.
View 1 Replies
View Related
Feb 2, 2012
Is there anyway to block a DDOS attack? I dont know to much about DDOS attacks and how they work, but i think i understand a little bit of it. Is there no way to configure a firewall to detect rapid, spontaneous,continuous amounts of fragmented, random data coming from an IP address? Wouldn't the data coming in from a DDOS server be somewhat distinct from data that flows normally
View 19 Replies
View Related
Jan 21, 2011
I'm on my 3rd Virgin media 615 today, the last one arrived yesterday and I opened the box to fine a rev d with old bios installed, throw hands in air and all that and then proceeded to upgrade to 4.13 which I have found to be stable and work ok, the other two grow to have the wireless failure issue, I could moan here about VM but hey there's no point so I have come here for adviseafter I found the last one wireless going down, daily trips from the kids down to me to ask why the internet isn't working etc etc I started to investigate, I found the 4.13 and gened up a bit, looked at the 3rd party code and came back to Dlinks own code, anyway I have seen in the last few days hundreds of similar port scans. [code]
Now is the the router being a little sensitive to harmless software companys scans to see if products installed etc or are they something to worry about now I know whats going on if its the latter, and I don't think anyones got in yet but I would like to ban these ip's and to be honest I'm not sure of the best way also I noted a UDP active session that not a part of my subnet too mine being a standard 192.168.0.*and the other being 192.168.4.*.
View 3 Replies
View Related
Sep 12, 2012
We have a WLAN consisting of a WLC 4402 and 11 lightweight APs. For security/compliance reasons we have a Cisco PIX firewall that sits between the WLC (outside) and the APs (inside). The APs are allowed to form LWAPP tunnels through the firewall (inside access-list) to the WLC and the WLAN works as expected.The firewall then limits traffic from the WLAN (outside access list) to certain the internal systems.I have noticed that every so often the firewall logs show continuous "Land attack from 0.0.0.0 0.0.0.0" messages then all APs are disconnected (all lights flash).
View 2 Replies
View Related
Jan 6, 2012
Is the E1000 hw 2.1 with v2.1.02 susceptible to the WPS brute force attack like the E4200 is?
View 5 Replies
View Related
Oct 14, 2012
I study at University of Ostrava and currently I am working on my master thesis. Its content is realization of few attacks on network. Now I am trying to implement ICMP redirecting attack by using Intercepter program. Diagram of my netwok you can see on enclosed picture (Schema.jpg). Through Intercepter program I generate packets ICMP redirect (ICMP type 5), which are successfully sent from PC Attacker, but these packets do not arrive to PC Victim and Warshark shows me messages „ Destination Unreachable (Host Unrecheable).“ When I use instead of Cisco switch non Cisco switch (for example: Edimax) or hub, ICMP redirects packets arrive to PC Victim and I can continue in the attack?
SW:
Switch is in the defautl setting
Cisco Catalyst 2960 IOS: c2960-lanbasek9-mz.122-50.SE3.bin
Router:
Set only IP address on FastEthernet interfaces
Cisco 2801 IOS: 2801-ipbasek9-mz 124.25f.bin
View 11 Replies
View Related
