Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Outbound Traffic Monitoring

Hello,

We have an ASA5520 which connects our offices to a larger corporate WAN which we deem as hostile.  We've always allowed traffic to flow off our network and onto the corporate network without any controls, however, following a recent virus outbreak (which flooded the corporate network with ICMP!)  we've been told by our corporate IT Team that we must now restrict outbound traffic.

This is fair enough and to be honest it's something we should have done a long time ago.  Because we control inbound traffic via ACL's we know what traffic is allowed in, however, as we've never controlled outbound traffic before I'd like to get an idea of what traffic is heading onto the corporate WAN before I remove the outbound "permit any any" and replace with more specific ACLS's.

My initial plan was to place a probe on the outside of the firewall for around a month to monitor outbound traffic so we can use this info to come out with an appropriate set of rules. I guess this will also highlight any illeigitmate traffic which we can block.

I then wondered if the ASA has any ASDM tools or CLI options that could help with this?

I'd be interested to hear from anyone who's done something similar or knows of any tools (particulary free/shareware) that could help.

Any help greatfully received.

4 REPLIES

Re: Outbound Traffic Monitoring

Hi,

There are two features you can use on ASA 8.2.X code.

1. Threat detection

2. Netflow

And also by enabling access-list logging you will get some idea about traffic flow, in my opinion you can create deny rules on top access-list permit any any rule.Start with blocking  ports like UDP 137,138,139,TCP 445, 139 etc with will definitely help to reduce the worms spreading and also restrict ICMP message types.

Starting with 8.X code , the threat detection is good feature to analyse network traffic.

Netflow feature is available with 8.2.1 code, you can use free netflow analyser from sloarwinds or cisco( evaluation versions) to analyse traffic.

Dileep

New Member

Re: Outbound Traffic Monitoring

Thanks Dileep,

Those sound ideal for what I'm trying to acheive..

Can you please point me in the direction of how I can enable netflow and threat detection. The ASA5520 also has an IPS module if that helps?

Re: Outbound Traffic Monitoring

In ASDM

For threat-detection

Configuration --> Firewall--> threat-detection

For Netflow

Configuration --> Device management --> logging --> netflow

You can see threat detection statistics at  Home-->Firewall Dashboard


IPS do give some statistics about network traffic, If you using Cisco IME go to dashboard and add top application gadjets

If you are looking for CLI all threat detection commands start with

threat-detection

And for netflow

flow-export destination  interface ip-address port

Dileep

Cisco Employee

Re: Outbound Traffic Monitoring

Hello,

Though threat detection statistics may help you get a hang of n/w resource usage on ASA, but really it is  a very basic tool for monitoring purposes. Moreover, it will consume 15-20% CPU on the box. According to my experience with Cisco, when most of the ASAs are running at high CPU, then it is always good to turn OFF the threat-detection stats, as it is not much of use.

In my opinion, Netflow Secure Event Logging ( NSEL in 8.2 +) is a better option for your scenario.Please refer the link below :

http://cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_nsel.html#wpmkr1111173

Thanks

Vijaya

745
Views
0
Helpful
4
Replies