07-16-2013 08:56 AM - edited 03-10-2019 06:00 AM
I have an ASA 5505 as IPS and have the default configuration. How do I permit or disable ICMP protection? And how do I re-enable it?
07-16-2013 09:59 AM
Hi,
Let me see if I understand your question... If you are using the IPS module on ASA 5505, the signatures that will permit or deny ICMP are 2000 and 2004.
If you are talking about the IP audit feature the same signatures will apply (2000 and 2004)
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_protect.html#wp1056358
If you are talking about the inspection feature of the ASA you might be referring to the "inspect icmp"
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
HTH
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach"
http://www.cisco.com/web/partners/tools/pdihd.html
07-16-2013 11:23 AM
I need information with details about threat detection:
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
What is the meaning of every component of the command? Does someone have a document with details of the components and the way to configure it?
07-16-2013 11:25 AM
I don't have signature 2000 or 2004; does that mean that ICMP is permitted?
07-16-2013 11:46 AM
Hi,
OK, threat-detection will work as a DoS prevention tool.
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/t.html#wp1563212
In regards to your other question if you don't have any signature based protection (like IP audit or IPS module), the ICMP traffic will be allowed if you permit it on the ACL or inspection.
HTH
Luis Silva
07-16-2013 01:31 PM
But I still do not understand the meaning of the parameters of the command. I'm doing some tests with PingPlotter through the ASA from one of the servers on the inside interface. Can this test be affected by this feature? It is a continuous ping to a remote site.
Thank you.
07-16-2013 01:58 PM
Hi,
This command is part of basic threat detection. Basic threat detection monitors the rates at which packets are dropped for various reasons by the ASA as a whole.
So basically you will see a threat-detection syslog when the amount of ICMP dropped packets exceeds the parameters configured.
icmp-drop: Sets the rate limit for dropped packets caused by denial by suspicious ICMP packets detected.
rate-interval: Sets the average rate interval between 600 seconds and 2592000 seconds (30 days). The rate interval is used to determine the length of time over which to average the drops. It also determines the burst threshold rate interval.
average-rate: Sets the average rate limit between 0 and 2147483647 in drops/sec.
burst-rate: Sets the burst rate limit between 0 and 2147483647 in drops/sec. The burst rate is calculated as the average rate every N seconds, where N is the burst rate interval. The burst rate interval is 1/30th of the rate-interval rate_interval value or 10 seconds, whichever is larger.
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
Within an interval of 600 seconds an alert will be triggered if the amount of packets dropped per second exceeds the average-rate/burst-rate.
ASA Threat Detection Functionality and Configuration
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bd3913.shtml
HTH
Luis Silva
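The parameters described in the reply above, worked through as an added example (not part of the original thread and not Cisco code). It parses the command from the thread, derives the burst interval, and checks a series of per-second drop counts against both limits; the function names and the sliding-window averaging are assumptions made for illustration, not the ASA's internal algorithm.

```python
import re
from collections import deque

# The command quoted in the thread.
CMD = "threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400"

def parse_rate_command(cmd):
    """Extract the numeric parameters from a threat-detection rate line."""
    m = re.fullmatch(
        r"threat-detection rate (\S+) rate-interval (\d+) "
        r"average-rate (\d+) burst-rate (\d+)", cmd.strip())
    if not m:
        raise ValueError("not a threat-detection rate command")
    interval, avg, burst = (int(g) for g in m.groups()[1:])
    if not 600 <= interval <= 2592000:
        raise ValueError("rate-interval must be 600..2592000 seconds")
    return {"event": m.group(1), "rate_interval": interval,
            "average_rate": avg, "burst_rate": burst,
            # Burst interval: 1/30th of rate-interval or 10 s, whichever is larger.
            "burst_interval": max(interval // 30, 10)}

def first_exceeded(cfg, drops_per_second):
    """Return (second, kind) of the first limit crossed, or None.

    Assumed model: each rate is the drop count inside a sliding window
    divided by the window length, giving drops/sec.
    """
    windows = {"burst": (cfg["burst_interval"], cfg["burst_rate"]),
               "average": (cfg["rate_interval"], cfg["average_rate"])}
    history = {kind: deque(maxlen=width) for kind, (width, _) in windows.items()}
    for second, drops in enumerate(drops_per_second, start=1):
        for kind, (width, limit) in windows.items():
            history[kind].append(drops)
            if sum(history[kind]) / width > limit:
                return second, kind
    return None

if __name__ == "__main__":
    cfg = parse_rate_command(CMD)
    print("burst interval:", cfg["burst_interval"], "seconds")
    # Constructed inputs: a 1 packet/sec ping that is always dropped,
    # a sustained 150 drops/sec, and a 10000 drops/sec spike.
    print(first_exceeded(cfg, [1] * 3600))
    print(first_exceeded(cfg, [150] * 700))
    print(first_exceeded(cfg, [10000] * 5))
```

Under this model a continuous one-per-second ping stays far below both limits even if every packet is dropped, while a sustained 150 drops/sec crosses the average-rate limit only after the 600-second window has accumulated enough drops.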
07-16-2013 05:09 PM
Do you know if Cisco has an administrator guide for ASA IPS?
07-16-2013 05:33 PM
Hi,
Here you have the configuration Guide
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/intro_intro.html
ASA syslog messages guide
http://www.cisco.com/en/US/docs/security/asa/asa84/system/message/logsevp.html
HTH
Luis Silva
07-31-2013 10:07 AM
How can I check if ICMP and traceroute are being blocked in a Cisco IPS 4240? Do you know if Cisco has an administrator guide for the Cisco IPS 4240?
Thank you so much.
07-31-2013 05:14 PM
Here you have the latest IPS configuration guide:
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/idm/idmguide71.html
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/cli/cli_introducing.html
The best way to see if a signature is dropping traffic is by looking at the events, under Monitoring.
HTH
Luis Silva