New Member

What's the essential ACL I need on the outside interface to prevent scan and SYN attacks?

I have an ASA 5515-X and 200 users behind it accessing the internet for all of their services (i.e. I have no inside servers). What's the essential ACL I need on the outside interface to prevent scan and SYN attacks, which at present seem to fluctuate wildly?

Accepted Solution
VIP Green

If you don't have any servers

If you don't have any servers that need to be accessed from the internet then there should be no ACL on the outside interface.  Your outside interface should have a security level of 0 and the inside interface a number higher than 0.  All traffic from a lower security level to a higher security level is denied by default.

If you are allowing traffic in for whatever reason then there is no ACL that will prevent Scan and syn attacks on the fly.  For syn attacks you can limit the embryonic connections:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_connlimits.html

As for preventing a port scan, this is not possible.  You cannot prevent the scan itself, but you can prevent it finding open ports in your firewall by not allowing traffic into the outside interface.  This is by either keeping the outside interface at a lower security level than the other interfaces, or if you want to you can add an ACL to the outside interface denying all traffic, but this is not needed as the ASA will drop all traffic from a lower security interface to a higher security interface by default.  Also don't configure static NAT; this combined with the ACL will open a bidirectional opening in the firewall.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
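The accepted answer makes two points that are easier to see as configuration: the outside interface sits at security level 0 with no permit ACL and no static NAT (so inbound connections are dropped by default and a scan finds nothing open), and SYN floods are bounded with embryonic connection limits through the Modular Policy Framework described in the linked connection-limits guide. The following is an added illustration, not configuration from the original post or from Cisco; the interface names, addresses, subnet and limit values are assumptions chosen for a small outbound-only deployment like the one described, and should be sized to the real environment.

```cisco
! Outside interface: lowest security level, so traffic initiated from the
! internet towards any higher-level interface is denied by default.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252   ! assumed documentation-range address
!
! Inside interface: highest security level; users can initiate outbound
! sessions and the stateful engine admits only their return traffic.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0    ! assumed LAN addressing
!
! Outbound-only NAT (ASA 8.3+ object NAT syntax): dynamic PAT to the outside
! address. Deliberately NO "static" NAT, because a static translation plus
! an inbound permit would open a bidirectional hole, as the answer warns.
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! No access-group is applied to "outside". It is not required: the default
! security-level behaviour already drops lower-to-higher traffic.
!
! SYN-flood containment via embryonic (half-open) connection limits.
! When the embryonic limit is reached the ASA proxies the TCP handshake
! (TCP intercept / SYN cookies) instead of passing half-open SYNs through.
class-map CONN-LIMITS
 match any
!
policy-map global_policy
 class CONN-LIMITS
  set connection embryonic-conn-max 1000 per-client-embryonic-max 50
  set connection timeout embryonic 0:00:30
!
service-policy global_policy global
!
! Verification (show commands, not configuration):
!   show service-policy          -> confirms the connection limits are active
!   show conn count              -> current and embryonic connection counts
!   show running-config nat      -> confirms no static translations exist
```

The per-client embryonic limit is the one that matters for a flood from a single source, while the aggregate limit caps total half-open state on the box; the short embryonic timeout frees half-open entries quickly if the peer never completes the handshake. None of this stops someone sending SYNs to the outside address, which is the answer's point: the ASDM "possible scan and SYN attack" graphs will still register probes, but with no inbound permit and no static NAT there is nothing for them to reach.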
2 REPLIES
New Member

Thanks Marius, That was my

Thanks Marius,

That was my understanding, but the ASDM graphs of "Possible Scan & Syn attacks" had me paranoid, so I applied an anti-bogon ACL to the outside interface, but that didn't make any difference.

Thanks again for the clarification,

brgds

SteveP
