ASA firewalls, basic IPS

Hi guys,

Need a bit of guidance. I have an ASA 5505 with software 8.2. When I log in via ASDM it shows loads of scanning attacks and a few SYN. I have enabled threat detection basic and scanning; I have also enabled ip audit attack and info. A little concerned about attacks when I do show threat detection statistic top tcp.

It shows a public IP, then the source IP, which is my DMZ server IP address. This command shows the top ten servers under attack. Does this command show servers which are under attack, or servers which were attacked but the attack was thwarted? Also, I can no longer see CPU utilization and memory stats on ASDM. I see the error "signal 11 caught in process fiber unicorn admin handler". Can anyone advise how I can thwart these errors, as I have enabled shun with scanning threat? It's just that seeing my DMZ server as the attacker is a little concerning. Many thanks.

3 Replies

jocamare
Level 4

Check for these logs:

%ASA-4-733104 and/or %ASA-4-733105

%ASA-4-733104 and %ASA-4-733105 list the host targeted by the attack that is currently being protected by TCP intercept.

Taken from:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bd3913.shtml#action4

Also, what version of ASDM are you running on your unit?

In case you are not using the latest version, can you try to use it?

Thanks jocamare. Today was my first day with the firewall, and the company doesn't have syslog enabled, no server configured. I am using ASDM 6.2. It still comes up as "connection lost" for the visual stats of CPU and memory, and attacks are showing. It is also generating the log "resource asdm limit 5 reached"; not sure if the basic IPS attack and info config caused it, but I highly doubt it. Also, I can see from the command line a lot of free memory and 10 percent CPU utilization. Plus, when I do show threat detection scanning threat, it shows me the target as a public IP address belonging to the service provider which provides us a different MPLS network, and the source as the server for the default gateway server in the DMZ, which is the default gateway for guest wireless on the DMZ.

I want to know what thwarts the attacks (scanning and SYN) shown by the DMZ ASDM. I have two interfaces with public IPs, one outside and one DMZ. Shall I apply the below settings to the DMZ too, as all the attacks are coming from there?

I have:

basic threat detection

advanced threat detection

scanning threat with shun host configured

IPS with attack and info signatures configured, reset option selected, and applied to the outside interface

cheers

Wow, had a tough time trying to understand that reply.

This is what I got.

---- There is no syslog server configured

You can check the logs locally on the ASA; they should appear in there.

---- You are using ASDM 6.2

Update it to the latest version.

---- You are getting this log: resource asdm limit 5 reached

It means the ASA is running in multiple context mode and the resources are shared and limited.

Run the "show resource usage system counter all 0" to determine how the resources are being distributed.

---- It seems that the attack is coming from the DMZ going to a public IP

Well, that's bad.

Use the information the ASA is providing you with and track the host down, analyze it and solve the issue.

---- You want to know how to configure the ASA in order to block the attack.

Threat detection is a global feature, meaning it scans and can even affect the traffic it classifies as malicious.

If the source of the attack has been identified, proceed with a sanitation of the unit/units.

You can block the traffic from those units using different methods. ACLs and shuns are some of them.

If you have an IPS [I believe that you are referring to the ip-audit feature, but anyway] you can check its configuration and modify it in order to stop the attack while you attack the root cause.
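As an added illustration of working through the locally stored logs that jocamare points to (example code, not from the thread or from Cisco): this Python script picks out the %ASA-4-733104 / %ASA-4-733105 messages, tallies the protected host and the peer address in each, and flags which protected hosts fall inside the DMZ subnet. The sample lines are constructed, the message wording after the ID is an assumed layout, and the DMZ subnet 172.16.50.0/24 is a placeholder.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines. Only the message IDs 733104/733105 come from
# the thread; the wording after the ID is an assumed layout, not Cisco's text.
SAMPLE_LOG = """\
%ASA-4-733104: TCP intercept average rate exceeded from 203.0.113.7/53112 to 172.16.50.10/80
%ASA-4-733105: TCP intercept burst rate exceeded from 203.0.113.7/53113 to 172.16.50.10/80
%ASA-4-733104: TCP intercept average rate exceeded from 198.51.100.20/40001 to 172.16.50.10/443
%ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.7/53114 to dmz:172.16.50.10/80
"""

TCP_INTERCEPT_IDS = {"733104", "733105"}          # IDs named in the reply above
MSG_ID_RE = re.compile(r"%ASA-\d-(\d{6}):")
FLOW_RE = re.compile(r"from (\d+(?:\.\d+){3})/\d+ to (\d+(?:\.\d+){3})/\d+")


def triage(log_text, dmz_cidr):
    """Tally TCP-intercept messages per protected (targeted) host and per peer,
    and list which protected hosts sit inside the given DMZ subnet (placeholder)."""
    dmz = ip_network(dmz_cidr)
    protected = Counter()
    peers = Counter()
    for line in log_text.splitlines():
        mid = MSG_ID_RE.search(line)
        if not mid or mid.group(1) not in TCP_INTERCEPT_IDS:
            continue                      # not a threat-detection intercept message
        flow = FLOW_RE.search(line)
        if not flow:
            continue                      # unexpected layout: skip rather than guess
        src, dst = flow.groups()
        peers[src] += 1                   # side initiating the connections
        protected[dst] += 1               # host TCP intercept is protecting
    return {
        "protected_hosts": dict(protected),
        "peers": dict(peers),
        "dmz_hosts_under_intercept": sorted(h for h in protected if ip_address(h) in dmz),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, "172.16.50.0/24").items():
        print(f"{key}: {value}")
```

A DMZ address showing up under "protected_hosts" is the host being defended, which is the distinction the original question was asking about; a DMZ address that appears under "peers" is the one to track down.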
