Cisco Support Community
New Member

ASA5510 "Blacklisting" Source IPs

Is there a way to create a "blacklist" for inbound traffic on the external interface of an ASA5510? These "script kiddies" have never been able to penetrate the system, but their attempts sure do clutter up the logs.

I know that I could procure, configure, and install an intrusion detection device, but I'd like to find out if the ASA has that capability.  I know I can shun hosts and exclude networks, but I'd rather not use that feature.  The attempts at ssh occur several times a day, and I'd like to stop them as they occur.

Thanx!

1 ACCEPTED SOLUTION
Cisco Employee

Re: ASA5510 "Blacklisting" Source IPs

Hi,

You might also be interested in the Botnet traffic filter feature on the ASA. To read more on this:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/white_paper_c11-532091.html

Hope this helps!!

Thanks and Regards,

Prapanch

Just to clarify: Botnet will not help unless the attackers are bots and their DNS goes through your firewall (I doubt that is the case from your problem description). Botnet will flag and block only botnet traffic that talks to the back-end bot masters, not scripted viruses or attacks that are not bot related.

PK

5 REPLIES

Re: ASA5510 "Blacklisting" Source IPs

It sounds like you are looking for something to dynamically restrict/block access. IMO the best option, as you stated, is IPS. The good news is that you can put one directly in the ASA and have it shun traffic.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6825/product_data_sheet0900aecd80404916.html

Hope it helps

Cisco Employee

Re: ASA5510 "Blacklisting" Source IPs

Also you can look into the ASA threat-detection feature and have it shun...

I hope it helps.

PK
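For reference, here is what the static "blacklist" asked about in the question looks like alongside the threat-detection shun mentioned in this reply. This is an added configuration example, not something posted by anyone in the thread; the object-group and ACL names are made up and every address is a constructed RFC 5737 documentation address.

```cisco
! Added example (not from the thread): static source blacklist on the
! outside interface plus automatic shunning via threat detection.
! All addresses below are constructed documentation ranges.

! 1. Static blacklist: a network object-group the inbound ACL denies first.
object-group network BLACKLIST_SRC
 description Sources dropped at the outside interface
 network-object host 192.0.2.10
 network-object 198.51.100.0 255.255.255.0

! 2. Inbound ACL on the outside interface. The deny sits before any permit.
!    "log disable" stops the per-packet deny syslog that would otherwise
!    reproduce the log clutter the question complains about.
access-list OUTSIDE_IN extended deny ip object-group BLACKLIST_SRC any log disable
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.5 eq 443
access-group OUTSIDE_IN in interface outside

! 3. If SSH to the ASA itself must be reachable from outside, restrict the
!    permitted sources; connections from anywhere else are refused before
!    authentication is attempted.
ssh 203.0.113.0 255.255.255.0 outside

! 4. Dynamic blocking: scanning-threat detection with automatic shun.
!    A shunned host has all of its packets dropped regardless of ACLs.
!    The "except" line keeps the management network from ever being shunned.
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection scanning-threat shun except ip-address 203.0.113.0 255.255.255.0
threat-detection scanning-threat shun duration 3600

! 5. Manual shun for a host being seen right now. Shuns are not saved to the
!    running config; "show shun" lists them and "clear shun" removes them.
shun 192.0.2.20
```

Verify with `show access-list OUTSIDE_IN` (hit counts on the deny ACE), `show threat-detection shun` and `show shun` after a change.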

New Member

Re: ASA5510 "Blacklisting" Source IPs

Thanx, everyone, for your suggestions! Unfortunately, none of them are viable solutions in this case.
