I have been asked to provide a method of being emailed should a persistent public IP be trying to access the external IP of our ASA. Are there any ways of doing this? I don't want to get an email if one or two hits from the same IP are "seen", but I do if there are 40-50 from the same IP, suggesting some sort of penetration activity.
I've got some of the alerts going to my syslog server (solarwinds) but it can't do anything clever.
Looks like my syslog viewer can do some sort of email alerting. I can see message type "ASA-1-710003" appear and I now get an email, but I need to suppress it somehow.
What I don't understand is that I get syslog alerts for denied access to our ASA, but we have other devices with public IPs that are NAT'd to their private addresses that I don't get denies from. Is this down to the device behind the NAT, or should the firewall also pick up these denies?
For example, we have a few public IP addresses going to web servers behind the firewall. I need a deny message to be sent to our syslog server should the attempt be to anything other than port 80. How can I achieve this?
What is also strange is that if I try to telnet to our ASA over the internet on port 80 or 23 I get a deny message sent to the syslog server, but if I telnet on any other random port I don't get a deny log; it gets blocked, but that's it. I need to record this, and for the other servers too.
This is not possible. These will be dropped by the firewall. You can see these in the asp-drop captures.
cap capasp type asp-drop all
sh cap capasp
What is configured to be allowed will send syslogs if accessed by some IP that is not allowed.
What is not even configured, when someone tries to access it, the firewall just drops these packets and does not log.
Thanks, how can I tell if we are being targeted from an external IP on the outside interface lots of the time?
If I run your capture command will it show all drops from all interfaces or just the outside interface?
That is correct. ASP drop will show all drops - all interfaces.
I have asdm/443, telnet and ssh allowed on my firewall. I tried a telnet to port 556 from the outside and the asp drop captures shows below:
ASA# sh cap capasp | i 556
2: 23:16:44.371425 802.1Q vlan#10 P0 10.117.14.69.58538 > 172.18.254.34.556: S 3707472990:3707472990(0) win 65535
21: 23:16:54.769003 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535
23: 23:16:55.677500 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535
26: 23:16:56.680323 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535
All SYNs from my outside client are dropped.
Anyway this can be outputted to a syslog server?
How would a company know if they are being hacked? I know the firewall is dropping the packets, but somebody could be trying for weeks and I wouldn't even know.
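The thresholding asked for in the first post (ignore one or two hits from an IP, alert at 40-50) and the asp-drop capture output quoted just above both come down to the same detection logic: count events per source IP inside a sliding time window. The following is an added example, not code from the thread or from Cisco; it parses ASA ACL-deny syslog messages (%ASA-4-106023 and %ASA-1-710003, in their standard message formats) and lines of "show capture" output in the layout quoted above, then flags sources that cross a threshold. The syslog lines are constructed for the example (documentation addresses, not real hosts); the capture lines are the four from this thread. It assumes the syslog feed, or a copy of the capture output, has been saved to a file on a host that can run Python and send mail; the mail sending itself is left out, only the alert text is built.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ACL-deny syslog messages (%ASA-4-106023 and %ASA-1-710003) behind a
# "Mon DD HH:MM:SS host" syslog prefix, as a collector would store them.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+"
    r"%ASA-\d-(?:106023|710003):.*?"
    r"(?:from\s+|src\s+\w+:)(?P<src>\d+(?:\.\d+){3})/(?P<sport>\d+)\s+"
    r"(?:to|dst)\s+\w+:(?P<dst>\d+(?:\.\d+){3})/(?P<dport>\d+)"
)

# One line of "show capture <name>" output from an asp-drop capture, in the
# layout of the lines quoted in this thread; only TCP SYNs (flag "S") count.
CAPTURE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d)\.\d+\s+.*?"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+S\b"
)


def _parse(lines, regex, ts_format):
    """Return (timestamp, src, dst, dport) for every line the regex matches."""
    events = []
    for line in lines:
        m = regex.match(line)
        if m:
            ts = datetime.strptime(m["ts"], ts_format)
            events.append((ts, m["src"], m["dst"], int(m["dport"])))
    return events


def parse_syslog(lines):
    return _parse(lines, SYSLOG_RE, "%b %d %H:%M:%S")


def parse_capture(lines):
    return _parse(lines, CAPTURE_RE, "%H:%M:%S")


def find_persistent_sources(events, threshold=40, window_seconds=600):
    """Per-source sliding window: a source is reported the first time it
    reaches `threshold` hits inside any window of `window_seconds`; one or
    two stray hits never fire. Destination ports seen from the source are
    kept so the alert shows a port sweep versus one service being hammered."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    ports = defaultdict(set)      # src -> destination ports seen so far
    flagged = {}
    for ts, src, _dst, dport in sorted(events):
        ports[src].add(dport)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:   # q is never empty: ts itself is in it
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = {"hits": len(q), "first": q[0], "last": ts,
                            "ports": sorted(ports[src])}
    return flagged


def format_alert(src, info):
    """Body of the notification e-mail for one flagged source."""
    return (f"{info['hits']} denied connections from {src} between "
            f"{info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}, "
            f"destination ports {info['ports'][0]}-{info['ports'][-1]} "
            f"({len(info['ports'])} distinct)")


# Constructed sample syslog: 45 denies from 203.0.113.10 in under five minutes
# sweeping ports 20-64 (one hit every six seconds) plus two stray denies from
# 198.51.100.7 that must stay below the threshold.
SYSLOG_SAMPLE = [
    f"Mar 10 23:{10 + i // 10:02d}:{(i % 10) * 6:02d} asa1 %ASA-1-710003: "
    f"TCP access denied by ACL from 203.0.113.10/{40000 + i} to outside:198.51.100.1/{20 + i}"
    for i in range(45)
] + [
    'Mar 10 23:12:30 asa1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/55012 '
    'dst inside:10.1.1.5/22 by access-group "outside_access_in" [0x0, 0x0]',
    'Mar 10 23:12:40 asa1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/55013 '
    'dst inside:10.1.1.5/3389 by access-group "outside_access_in" [0x0, 0x0]',
]

# The four asp-drop capture lines quoted in this thread (port 556 probe).
CAPTURE_SAMPLE = """\
2: 23:16:44.371425 802.1Q vlan#10 P0 10.117.14.69.58538 > 172.18.254.34.556: S 3707472990:3707472990(0) win 65535
21: 23:16:54.769003 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535
23: 23:16:55.677500 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535
26: 23:16:56.680323 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535
""".splitlines()

if __name__ == "__main__":
    for src, info in find_persistent_sources(parse_syslog(SYSLOG_SAMPLE)).items():
        print("SYSLOG", format_alert(src, info))
    # A four-line capture excerpt needs a lower threshold and a shorter window
    # than the 40-in-10-minutes default used for the syslog feed.
    short = find_persistent_sources(parse_capture(CAPTURE_SAMPLE),
                                    threshold=4, window_seconds=30)
    for src, info in short.items():
        print("CAPTURE", format_alert(src, info))
```

With the defaults the two stray hits from 198.51.100.7 never appear, and 203.0.113.10 is reported once at its 40th hit with the port range it swept; run against the capture excerpt with threshold 4 and a 30 second window, the same function reports the four SYNs to port 556 from 10.117.14.69. The window keeps the 40-hit rule from firing on a slow trickle spread over a day, which is what distinguishes a scan from ordinary background noise.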
No. ASP drops cannot be sent to a syslog server, unfortunately. The Threat Detection feature will help you: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html#wp1088111
Besides this you need an IPS/IDS device.
No. You can do a few things with an IPS/IDS device:
a. Deny Attacker Inline - Create an ACL that denies all traffic from the suspected source IP address
b. Deny connection Inline - Send resets to terminate the TCP flow
c. Deny packet Inline - Do not transmit the packet (inline only)
d. Produce Alert - Generate an alarm message
e. Reset TCP connection - Drop the packet and all future packets from the TCP flow
Read about it here: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html
Figure 59-1 shows the traffic flow when running the AIP SSM/SSC in inline mode. In this example, the AIP SSM/SSC automatically blocks traffic that it identified as an attack. All other traffic is forwarded through the adaptive security appliance.
This is what we have configured.
ips inline fail-open sensor vs0
I asked TAC about the report and they also say I can't do it. Is this due to me using "ips inline fail-open" and not one of the other options you mentioned?