04-09-2010 01:42 AM - edited 03-11-2019 10:30 AM
Hello,
I have been asked to provide a method of being emailed should a persistent public IP be trying to access the external IP of our ASA. Are there any ways of doing this? I don't want to get an email if one or 2 hits from the same IP are "seen", but if there are 40-50 from the same IP, suggesting some sort of penetration activity?
I've got some of the alerts going to my syslog server (solarwinds) but it can't do anything clever.
04-09-2010 01:59 AM
Unfortunately not a supported feature on ASA.
ASA can only send email notifications for syslog messages on specific syslog severity.
04-09-2010 02:26 AM
Looks like my syslog viewer can do some sort of email alerting, I can see message type "ASA-1-710003" appear and I now get an email, but I need to suppress it somehow.
What I don't understand is I get syslog alerts for denied access to our ASA, but we have other devices with public IPs that are NAT'd to their private addresses that I don't get denies from. Is this down to the device behind the NAT, or should the firewall also pick up these denies?
04-09-2010 02:47 AM
I assume the deny access would be syslog from access-list on interfaces.
04-09-2010 02:57 AM
That is correct.
04-09-2010 05:07 AM
For example, we have a few public IP addresses going to web servers behind the firewall. I need a deny message to be sent to our syslog server should the attempt be anything other than port 80. How can I achieve this?
What is strange also is, if I try and telnet to our ASA over the internet on port 80 or 23 I get a deny message sent to the syslog server, but if I telnet on any other random port I don't get a deny log; it gets blocked but that's it. I need to record this, and for the other servers.
Thanks
04-09-2010 08:59 PM
This is not possible. These will be dropped by the firewall. You can see these in the asp drop captures.
cap capasp type asp-drop all
sh cap capasp
What is configured to be allowed will send syslogs if accessed by some IP that is not allowed.
What is not even configured, when accessed, the firewall just drops these packets and does not log.
-KS
04-09-2010 11:58 PM
Thanks, how can I tell if we are being targeted from an external IP on the outside interface lots of the time?
If I run your capture command will it show all drops from all interfaces or just the outside interface?
04-10-2010 05:27 AM
That is correct. ASP drop will show all drops - all interfaces.
For example:
I have asdm/443, telnet and ssh allowed on my firewall. I tried a telnet to port 556 from the outside and the asp drop capture shows below:
ASA# sh cap capasp | i 556
2: 23:16:44.371425 802.1Q vlan#10 P0 10.117.14.69.58538 > 172.18.254.34.556: S 3707472990:3707472990(0) win 65535
21: 23:16:54.769003 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535
23: 23:16:55.677500 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535
26: 23:16:56.680323 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535
All SYNs from my outside client are dropped.
-KS
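One way to get the thresholded alerting asked for at the top of the thread, as an added example that is not part of the original discussion: count attempts per source IP across the deny syslogs the ASA does emit (106023 ACL denies and the 710003 messages mentioned above) together with SYN lines pulled from the asp-drop capture shown above, and flag any source at or above a threshold. The sample lines, addresses and the threshold value are constructed for the example; real input would come from the syslog collector and from "show capture" output.

```python
import re
from collections import Counter

# Source IP from the two ASA deny syslog formats (106023: ACL deny on an
# interface; 710003: access denied to the ASA's own address) and from a
# SYN line in "show capture <name>" output of an asp-drop capture.
SYSLOG_RE = re.compile(
    r"%ASA-\d-(?:106023: Deny \w+ src \S+:(\d+\.\d+\.\d+\.\d+)/\d+"
    r"|710003: \w+ access denied by ACL from (\d+\.\d+\.\d+\.\d+)/\d+)"
)
CAPTURE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.\d+: S ")


def source_ip(line):
    """Return the source IP of a deny syslog or asp-drop SYN line, else None."""
    m = SYSLOG_RE.search(line)
    if m:
        return m.group(1) or m.group(2)
    m = CAPTURE_RE.search(line)
    return m.group(1) if m else None


def count_sources(lines):
    """Count denied/dropped attempts per source IP; unrelated lines are ignored."""
    counts = Counter()
    for line in lines:
        ip = source_ip(line)
        if ip:
            counts[ip] += 1
    return counts


def persistent_sources(lines, threshold=40):
    """Sources with at least `threshold` attempts, busiest first (alert list)."""
    return [(ip, n) for ip, n in count_sources(lines).most_common() if n >= threshold]


# Constructed sample input: one noisy source in syslog, one single hit,
# and one source that only shows up in the asp-drop capture.
SAMPLE = (
    [f"%ASA-1-710003: TCP access denied by ACL from 203.0.113.9/{40000 + i} "
     f"to outside:198.51.100.2/22" for i in range(45)]
    + ['%ASA-4-106023: Deny tcp src outside:203.0.113.9/51000 dst inside:10.0.0.5/445 '
       'by access-group "outside_in" [0x0, 0x0]']
    + ["%ASA-1-710003: TCP access denied by ACL from 198.51.100.77/3322 to outside:198.51.100.2/23"]
    + [f"{i}: 23:16:44.371425 802.1Q vlan#10 P0 192.0.2.44.{58000 + i} > 198.51.100.2.556: "
       f"S 1:1(0) win 65535" for i in range(50)]
)

if __name__ == "__main__":
    for ip, n in persistent_sources(SAMPLE):
        print(f"ALERT {ip}: {n} denied/dropped attempts")
```

Feeding only syslog into this misses everything the ASA silently drops, which is the point KS makes above; the capture lines are what fill that gap.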
04-11-2010 12:01 AM
Is there any way this can be output to a syslog server?
How would a company know if they are being hacked? I know the firewall is dropping the packets, but somebody could be trying for weeks and I wouldn't even know.
04-11-2010 06:09 AM
No. ASP drops cannot be sent to a syslog server. Unfortunately not. The Threat Detection feature will help you: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html#wp1088111
Besides this you need an IPS/IDS device.
-KS
04-11-2010 08:56 AM
Thanks. I do have the IPS module installed but again I think it only logs on allowed traffic passing through the firewall.
04-11-2010 02:11 PM
NO. You can do a few things with an IPS/IDS device:
a. Deny Attacker Inline - Create an ACL that denies all traffic from the suspected source IP address
b. Deny connection Inline - Send resets to terminate the TCP flow
c. Deny packet Inline - Do not transmit the packet (inline only)
d. Produce Alert - Generate an alarm message
e. Reset TCP connection - Drop the packet and all future packets from the TCP flow
Read about it here: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html
Figure 59-1 shows the traffic flow when running the AIP SSM/SSC in inline mode. In this example, the AIP SSM/SSC automatically blocks traffic that it identified as an attack. All other traffic is forwarded through the adaptive security appliance.
-KS
04-12-2010 02:30 AM
This is what we have configured.
policy-map global_policy
class myipsclass
ips inline fail-open sensor vs0
I asked TAC about the report and they also say I can't do it. Is this due to me using "ips inline fail-open" and not one of the other options you mentioned?