external IPs getting into our FWSM local-host table
We are running an FWSM - version 4.0(4) - for our campus firewall. Somehow, there are external IPs getting into the local-host table on the inside of our firewall. This, of course, is preventing us from getting to those IPs. Some of these IPs are sites that we really need to get to for business purposes (related off-campus research). Whenever we get a complaint about not being able to get to one of these particular sites, the first thing I do is look in the local-host table and, sure enough, it's in there. I clear it out and that solves the problem until it shows up in the table next time.
This sounds like a serious and subversive DoS attack possibility to me. Why does the firewall allow external IPs in the local-host table in the first place? How can we prevent external IPs from getting into the local-host table?
Re: external IPs getting into our FWSM local-host table
An easy way would be filtering by ACLs.
On the inside interface, have an ACL that allows only traffic from the real inside network.
If the inside network is 10.1.1.0/24, then the inside ACL should permit traffic from only that network.
This will not allow the Firewall to create local hosts entries for other IPs not belonging to the real inside network, as they are not going to be allowed to establish connections through the Firewall.
This is a way to prevent having problems accessing the sites. Obviously it is also a good idea to trace the source of the problem and fix it.
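The inside-interface ACL described in the reply, written out as an added example (not the poster's own configuration). It assumes the inside interface is named `inside`, the real inside network is 10.1.1.0/24 as in the reply, and the ACL name `INSIDE_IN` is arbitrary; the `log` keyword on the deny line is there so that any spoofed or misrouted source on the inside segment produces a syslog hit instead of silently creating a local-host entry.

```cisco
! Permit only sources that genuinely belong to the inside network.
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 any
! Anything else arriving on the inside interface is dropped and logged;
! the log messages identify the source that was trying to get a
! local-host entry created for an external address.
access-list INSIDE_IN extended deny ip any any log
! Apply the ACL inbound on the inside interface.
access-group INSIDE_IN in interface inside
!
! Verification after applying the ACL (show commands, run from privileged EXEC):
!   show access-list INSIDE_IN     - hit counts on the deny line reveal offending sources
!   show local-host                - external addresses should no longer appear here
!   clear local-host <ip-address>  - removes a stale entry, as in the original post
```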