Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

ASA email alerting

Hello,

I have been asked to provide a method of being emailed should a persistant public IP be trying to access out external IP of our ASA, are their anyways of doig this?  I don't want to get an email if one or 2 hits form the same IP are "seen" but if there are 40-50 from the same suggesting some sort of penetration activity?

I've got some of the alerts going to my syslog server (solarwinds) but it can't do anything clever.

13 REPLIES
Cisco Employee

Re: ASA email alerting

Unfortunately not a supported feature on ASA.

ASA can only send email notifications for syslog messages on specific syslog severity.

Community Member

Re: ASA email alerting

Looks like my syslog viewer can do some sort of email alerting, I can see message type "ASA-1-710003" appear and I now get an email, but I need to suppress it somehow.

What I don't understand is I get syslog alerts for denied access to our ASA, but we have other devices with public IP's that are NAT'd to their private addresses that I don't get denies from, it this down tot he device behind the NAT or shoudl the firewall also pickup these denies?

Cisco Employee

Re: ASA email alerting

I assume the deny access would be syslog from access-list on interfaces.

Community Member

Re: ASA email alerting

That is correct.

Community Member

Re: ASA email alerting

For example we have a few public IP addresses going to web servers behind the firewall, I need a deny message to be sent our syslog server should the attempt be anything other that port 80. How can I achieve this?

What is strange also if I try and telnet to our ASA over the internet on port 80 or 23 I get a deny message sent to the syslog server but if I telnet on any other random port I don't get a deny log, it gets blocked but that's it I need to record this and for the other servers.

Thanks

Cisco Employee

Re: ASA email alerting

This is not possible. These will be dropped by the firewall. You can see these in the asp drop captures.

cap capasp type asp-drop all

sh cap capasp

What is configured to be alllowed - will send syslogs if tried to be accessed by some IP that is not allowed.

What is not even configured when tried to be accessed - the firewall just drops these packets and not log.

-KS

Community Member

Re: ASA email alerting

Thanks, how can I tell if we are being targeted from an external IP on the outside interface lots of the time?

If I run your capture command will it show all drops from all interfaces or just the outside interface?

Cisco Employee

Re: ASA email alerting

That is correct. ASP drop will show all drops - all interfaces.

for example.

I have asdm/443, telnet and ssh allowed on my firewall. I tried a telnet to port 556 from the outside and the asp drop captures shows below:

ASA# sh cap capasp | i 556
   2: 23:16:44.371425 802.1Q vlan#10 P0 10.117.14.69.58538 > 172.18.254.34.556: S 3707472990:3707472990(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
  21: 23:16:54.769003 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
  23: 23:16:55.677500 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
  26: 23:16:56.680323 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535

All SYNs from my outside client are dropped.

-KS

Community Member

Re: ASA email alerting

Anyway this can be outputted to a syslog server?

How would a company know if they are being hacked, I know the firewall is dropping the packets, but somebody could be trying for weeks and I wouldn't even know?

Cisco Employee

Re: ASA email alerting

No. ASP drops cannot be sent to syslog server.  Unfortunately not.  Threat Detection feature will help you: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html#wp1088111

Besides this you need an IPS/IDS device.

-KS

Community Member

Re: ASA email alerting

Thanks. I do have the IPS module installed but again I think it only logs on allowed traffic passing through the firewall.

Cisco Employee

Re: ASA email alerting

NO. You can do a few things with an IPS/IDS device

a. Deny Attacker Inline - Create an ACL that denies all traffic from the suspected source IP address

  b. Deny connection Inline - Send resets to terminate the TCP flow

  c. Deny packet Inline - Do not transmit the packet (inline only)

  d. Produce Alert - Generate an alarm message

  e. Reset TCP connection - Drop the packet and all future packets from the TCP flow

Read about it here: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html

Figure 59-1 shows the traffic flow when running the AIP SSM/SSC in inline mode. In this example, the AIP SSM/SSC automatically blocks traffic that it identified as an attack. All other traffic is forwarded through the adaptive security appliance.

-KS

Community Member

Re: ASA email alerting

This is what we have configured.

policy-map global_policy
class myipsclass
  ips inline fail-open sensor vs0

I asked TAC about the report and they also say I can't do it.  Is this do to me using "ips inline fail-open" and not one of the other options you mentioned?

363
Views
0
Helpful
13
Replies
CreatePlease to create content