04-09-2010 01:42 AM - edited 03-11-2019 10:30 AM
Hello,
I have been asked to provide a method of being emailed should a persistent public IP be trying to access the external IP of our ASA. Are there any ways of doing this? I don't want to get an email if one or 2 hits from the same IP are "seen", but if there are 40-50 from the same IP, suggesting some sort of penetration activity?
I've got some of the alerts going to my syslog server (solarwinds) but it can't do anything clever.
04-09-2010 01:59 AM
Unfortunately not a supported feature on ASA.
ASA can only send email notifications for syslog messages on specific syslog severity.
04-09-2010 02:26 AM
Looks like my syslog viewer can do some sort of email alerting, I can see message type "ASA-1-710003" appear and I now get an email, but I need to suppress it somehow.
What I don't understand is I get syslog alerts for denied access to our ASA, but we have other devices with public IPs that are NAT'd to their private addresses that I don't get denies from. Is this down to the device behind the NAT, or should the firewall also pick up these denies?
04-09-2010 02:47 AM
I assume the deny access would be syslog from access-list on interfaces.
04-09-2010 02:57 AM
That is correct.
04-09-2010 05:07 AM
For example, we have a few public IP addresses going to web servers behind the firewall. I need a deny message to be sent to our syslog server should the attempt be anything other than port 80. How can I achieve this?
What is also strange is that if I try to telnet to our ASA over the internet on port 80 or 23 I get a deny message sent to the syslog server, but if I telnet on any other random port I don't get a deny log; it gets blocked but that's it. I need to record this, and for the other servers too.
Thanks
04-09-2010 08:59 PM
This is not possible. These will be dropped by the firewall. You can see these in the asp drop captures.
cap capasp type asp-drop all
sh cap capasp
What is configured to be allowed will send syslogs if it is accessed by some IP that is not allowed.
What is not even configured, when someone tries to access it, the firewall just drops those packets and does not log.
-KS
04-09-2010 11:58 PM
Thanks, how can I tell if we are being targeted from an external IP on the outside interface lots of the time?
If I run your capture command will it show all drops from all interfaces or just the outside interface?
04-10-2010 05:27 AM
That is correct. ASP drop will show all drops - all interfaces.
For example:
I have asdm/443, telnet and ssh allowed on my firewall. I tried a telnet to port 556 from the outside and the asp drop captures shows below:
ASA# sh cap capasp | i 556
2: 23:16:44.371425 802.1Q vlan#10 P0 10.117.14.69.58538 > 172.18.254.34.556: S 3707472990:3707472990(0) win 65535
21: 23:16:54.769003 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535
23: 23:16:55.677500 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535
26: 23:16:56.680323 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535
All SYNs from my outside client are dropped.
-KS
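An added example (not from the thread or from Cisco) of the thresholding the original poster asked for: it reads either the %ASA-1-710003 "access denied by ACL" syslog lines mentioned earlier or the asp-drop capture lines KS showed above, counts hits per source IP in a sliding time window, and only flags sources that reach a threshold, so one or two hits never alert. It assumes syslog lines carry a timestamp (`logging timestamp` enabled); the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict, deque

# "show capture" asp-drop lines as shown in the thread (SYNs only).
CAPTURE_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<port>\d+): S ")
# %ASA-1-710003 "access denied by ACL" syslog messages.
SYSLOG_RE = re.compile(
    r"%ASA-\d-710003: (?:TCP|UDP) access denied by ACL from "
    r"(?P<src>[\d.]+)/\d+ to \w+:(?P<dst>[\d.]+)/(?P<port>\w+)")
# First HH:MM:SS[.frac] on the line: the capture timestamp, or the prefix that
# "logging timestamp" adds to syslog (assumed to be enabled).
TS_RE = re.compile(r"(\d\d):(\d\d):(\d\d(?:\.\d+)?)")

def parse_line(line):
    """Return (seconds_of_day, src_ip, dst_ip, dst_port) or None if no match."""
    m = CAPTURE_RE.search(line) or SYSLOG_RE.search(line)
    ts = TS_RE.search(line)
    if not m or not ts:
        return None
    h, mi, s = ts.groups()
    return (int(h) * 3600 + int(mi) * 60 + float(s),
            m.group("src"), m.group("dst"), m.group("port"))

def find_persistent_sources(lines, threshold=40, window=600):
    """Sliding-window count of denied/dropped probes per source IP; returns
    {src: (hits_in_window, sorted_dst_ports)} for sources reaching threshold."""
    recent = defaultdict(deque)   # src -> hit timestamps still inside the window
    ports = defaultdict(set)      # src -> distinct destination ports probed
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        t, src, _dst, port = ev
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:   # expire hits older than `window` seconds
            q.popleft()
        ports[src].add(port)
        if len(q) >= threshold:          # one or two hits never alert; a burst does
            alerts[src] = (len(q), sorted(ports[src]))
    return alerts

# Constructed sample: 45 SYNs to ascending ports from one address (scan-like)
# plus two one-off ACL denies from another, all within the same minute.
SAMPLE = [f"{i}: 23:16:{i:02d}.000000 802.1Q vlan#10 P0 203.0.113.5.{50000 + i}"
          f" > 198.51.100.10.{500 + i}: S 1:1(0) win 65535" for i in range(45)]
SAMPLE += [f"Apr 09 2010 23:16:{t}: %ASA-1-710003: TCP access denied by ACL from "
           f"192.0.2.7/40001 to outside:198.51.100.10/{p}" for t, p in (("20", "23"), ("50", "80"))]
```

Feed it the syslog server's file (or the saved capture) and mail the returned dictionary; the scanning source is reported with the count and the ports it probed, while the two-hit source is ignored.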
04-11-2010 12:01 AM
Is there any way this can be output to a syslog server?
How would a company know if they are being hacked, I know the firewall is dropping the packets, but somebody could be trying for weeks and I wouldn't even know?
04-11-2010 06:09 AM
No. ASP drops cannot be sent to syslog server. Unfortunately not. Threat Detection feature will help you: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html#wp1088111
Besides this you need an IPS/IDS device.
-KS
04-11-2010 08:56 AM
Thanks. I do have the IPS module installed but again I think it only logs on allowed traffic passing through the firewall.
04-11-2010 02:11 PM
NO. You can do a few things with an IPS/IDS device
a. Deny Attacker Inline - Create an ACL that denies all traffic from the suspected source IP address
b. Deny connection Inline - Send resets to terminate the TCP flow
c. Deny packet Inline - Do not transmit the packet (inline only)
d. Produce Alert - Generate an alarm message
e. Reset TCP connection - Drop the packet and all future packets from the TCP flow
Read about it here: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html
Figure 59-1 shows the traffic flow when running the AIP SSM/SSC in inline mode. In this example, the AIP SSM/SSC automatically blocks traffic that it identified as an attack. All other traffic is forwarded through the adaptive security appliance.
-KS
04-12-2010 02:30 AM
This is what we have configured.
policy-map global_policy
 class myipsclass
  ips inline fail-open sensor vs0
I asked TAC about the report and they also say I can't do it. Is this due to me using "ips inline fail-open" and not one of the other options you mentioned?