ASA email alerting

Apr 9th, 2010

Hello,


I have been asked to provide a method of being emailed should a persistent public IP be trying to access our external IP of our ASA. Are there any ways of doing this?  I don't want to get an email if one or 2 hits from the same IP are "seen", but if there are 40-50 from the same, suggesting some sort of penetration activity?


I've got some of the alerts going to my syslog server (solarwinds) but it can't do anything clever.

Jennifer Halim (Cisco Employee) Fri, 04/09/2010 - 01:59

Unfortunately not a supported feature on ASA.


ASA can only send email notifications for syslog messages on specific syslog severity.

Andy White Fri, 04/09/2010 - 02:26

Looks like my syslog viewer can do some sort of email alerting, I can see message type "ASA-1-710003" appear and I now get an email, but I need to suppress it somehow.


What I don't understand is I get syslog alerts for denied access to our ASA, but we have other devices with public IPs that are NAT'd to their private addresses that I don't get denies from. Is this down to the device behind the NAT, or should the firewall also pick up these denies?

Jennifer Halim (Cisco Employee) Fri, 04/09/2010 - 02:47

I assume the deny access would be syslog from access-list on interfaces.

Andy White Fri, 04/09/2010 - 05:07

For example, we have a few public IP addresses going to web servers behind the firewall. I need a deny message to be sent to our syslog server should the attempt be anything other than port 80. How can I achieve this?


What is also strange is that if I try to telnet to our ASA over the internet on port 80 or 23, I get a deny message sent to the syslog server, but if I telnet on any other random port I don't get a deny log; it gets blocked but that's it. I need to record this, and for the other servers too.


Thanks

Kureli Sankar (Cisco Employee) Fri, 04/09/2010 - 20:59

This is not possible. These will be dropped by the firewall. You can see these in the asp drop captures.


cap capasp type asp-drop all


sh cap capasp


What is configured to be allowed will send syslogs if an access attempt comes from some IP that is not allowed.


For what is not even configured, when an access is attempted the firewall just drops these packets and does not log.


-KS

Andy White Fri, 04/09/2010 - 23:58

Thanks, how can I tell if we are being targeted from an external IP on the outside interface lots of the time?


If I run your capture command will it show all drops from all interfaces or just the outside interface?

Kureli Sankar (Cisco Employee) Sat, 04/10/2010 - 05:27

That is correct. ASP drop will show all drops - all interfaces.

For example:


I have asdm/443, telnet and ssh allowed on my firewall. I tried a telnet to port 556 from the outside and the asp drop captures shows below:


ASA# sh cap capasp | i 556
   2: 23:16:44.371425 802.1Q vlan#10 P0 10.117.14.69.58538 > 172.18.254.34.556: S 3707472990:3707472990(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
  21: 23:16:54.769003 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
  23: 23:16:55.677500 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
  26: 23:16:56.680323 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535


All SYNs from my outside client are dropped.


-KS
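Putting the two pieces of evidence in this thread together, the denied-access syslog messages (ASA-1-710003) the syslog server already receives and the asp-drop capture output quoted above, here is an added example that is not part of the thread and is not a Cisco tool: a small Python script that parses both formats, counts denies per source address, and reports any source whose count reaches a threshold, which is the "40-50 hits from the same IP" condition the original post wants to be e-mailed about. The four capture lines are the ones quoted above; the %ASA-1-710003 lines and every other address are constructed sample data in documentation ranges, and the 710003 message layout is assumed from the message ID named earlier in the thread. The script assumes the syslog server's e-mail action can take its plain-text output as the message body; an `ignore` set lets you exclude your own monitoring hosts.

```python
"""Count ASA denies per source IP and flag persistent sources.

Added example, not from the thread or from Cisco. It reads two kinds of
evidence: 'sh cap capasp' asp-drop lines and %ASA-1-710003 syslog lines.
"""
import re
from collections import Counter, defaultdict

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# 'sh cap capasp' output as quoted in the thread, e.g.
#   2: 23:16:44.371425 802.1Q vlan#10 P0 10.117.14.69.58538 > 172.18.254.34.556: S ...
ASP_DROP_RE = re.compile(
    rf"^\s*\d+:\s+\d{{2}}:\d{{2}}:\d{{2}}\.\d+\s+.*?(?P<src>{IPV4})\.(?P<sport>\d+)"
    rf"\s+>\s+(?P<dst>{IPV4})\.(?P<dport>\d+):"
)

# ASA syslog 710003 "access denied by ACL" message; layout assumed, e.g.
#   %ASA-1-710003: TCP access denied by ACL from 203.0.113.7/50000 to outside:198.51.100.2/23
SYSLOG_DENY_RE = re.compile(
    rf"%ASA-\d-710003: (?P<proto>TCP|UDP) access denied by ACL from "
    rf"(?P<src>{IPV4})/(?P<sport>\d+) to (?P<iface>\w+):(?P<dst>{IPV4})/(?P<dport>\d+)"
)


def parse_deny(line):
    """Return (src, dst, dport) for a recognised deny/drop line, else None."""
    for pattern in (ASP_DROP_RE, SYSLOG_DENY_RE):
        m = pattern.search(line)
        if m:
            return m.group("src"), m.group("dst"), int(m.group("dport"))
    return None


def summarise(lines, ignore=frozenset()):
    """Per source address: number of denies and the set of destination ports tried."""
    hits = Counter()
    ports = defaultdict(set)
    for line in lines:
        parsed = parse_deny(line)
        if parsed is None:
            continue
        src, _dst, dport = parsed
        if src in ignore:  # e.g. your own external monitoring hosts
            continue
        hits[src] += 1
        ports[src].add(dport)
    return hits, ports


def persistent_sources(lines, threshold=40, ignore=frozenset()):
    """Sources whose deny count reaches the threshold, most active first.

    Returns a list of (src, count, sorted destination ports).
    """
    hits, ports = summarise(lines, ignore)
    flagged = [(src, n, sorted(ports[src])) for src, n in hits.items() if n >= threshold]
    flagged.sort(key=lambda item: item[1], reverse=True)
    return flagged


def format_alert(flagged):
    """Plain-text body for the syslog server's e-mail action; empty if nothing to report."""
    if not flagged:
        return ""
    out = ["Persistent denied sources on the ASA outside interface:"]
    for src, n, ports in flagged:
        out.append(f"  {src}: {n} denies, ports {', '.join(map(str, ports))}")
    return "\n".join(out)


# Constructed sample: the four capture lines from the thread plus syslog lines
# in the assumed 710003 layout. Feed real input as the lines collected in the
# last few minutes (e.g. one syslog forwarder batch).
SAMPLE_LINES = [
    "   2: 23:16:44.371425 802.1Q vlan#10 P0 10.117.14.69.58538 > 172.18.254.34.556: S 3707472990:3707472990(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule",
    "  21: 23:16:54.769003 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule",
    "  23: 23:16:55.677500 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule",
    "  26: 23:16:56.680323 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535",
] + [
    f"Apr 11 2010 23:17:0{i}: %ASA-1-710003: TCP access denied by ACL from 203.0.113.7/5{i}000 to outside:198.51.100.2/{port}"
    for i, port in enumerate((21, 22, 25, 135, 445, 3389))
] + [
    "Apr 11 2010 23:18:01: %ASA-1-710003: TCP access denied by ACL from 198.51.100.99/40001 to outside:198.51.100.2/23",
]

if __name__ == "__main__":
    # Low threshold only so the small sample triggers; use 40 or so in production.
    print(format_alert(persistent_sources(SAMPLE_LINES, threshold=3)))
```

Run it on a rolling batch of lines (for example, the last ten minutes of syslog from the forwarder) and let the syslog server's e-mail action fire only when `format_alert` returns a non-empty body; a single deny from an address then never produces mail, while a sustained run from one source does, and the port list in the body shows at a glance whether it is one service being retried or a sweep across many.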

Andy White Sun, 04/11/2010 - 00:01

Is there any way this can be output to a syslog server?


How would a company know if they are being hacked, I know the firewall is dropping the packets, but somebody could be trying for weeks and I wouldn't even know?

Andy White Sun, 04/11/2010 - 08:56

Thanks. I do have the IPS module installed but again I think it only logs on allowed traffic passing through the firewall.

Kureli Sankar (Cisco Employee) Sun, 04/11/2010 - 14:11

No. You can do a few things with an IPS/IDS device:


a. Deny Attacker Inline - Create an ACL that denies all traffic from the suspected source IP address

b. Deny Connection Inline - Send resets to terminate the TCP flow

c. Deny Packet Inline - Do not transmit the packet (inline only)

d. Produce Alert - Generate an alarm message

e. Reset TCP Connection - Drop the packet and all future packets from the TCP flow


Read about it here: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html


Figure 59-1 shows the traffic flow when running the AIP SSM/SSC in inline mode. In this example, the AIP SSM/SSC automatically blocks traffic that it identified as an attack. All other traffic is forwarded through the adaptive security appliance.


-KS

Andy White Mon, 04/12/2010 - 02:30

This is what we have configured.


policy-map global_policy
class myipsclass
  ips inline fail-open sensor vs0


I asked TAC about the report and they also say I can't do it.  Is this due to me using "ips inline fail-open" and not one of the other options you mentioned?
