Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

IPS host block based on custom criteria

Back when I was using Microsoft ISA I was able to setup rules that would (permanently) block a host exhibiting certain behaviour. I am trying to achieve the same using a Cisco ASA IPS.

We have certain special ports open on IP addresses but the common attack ports (22, 3389...) are blocked. I would liek to setup a rule where a host is immediatelly shunned when they try to hit such a port so that the host cannot even proceed to the open ports. To me anyone trying to access these ports is up to no good and should be blocked.

Is there any way to do this on Cisco ASA?

3 REPLIES
Silver

IPS host block based on custom criteria

Hello Paul,

Yes, you can do it..

1. Create an access-list with  the source subnet/host along with ports you want to take care of.

2. Call that access-list in class-map

3. Call this class-map in policy-map and give the command ips promiscuous fail-open/fail-close.

4. Apply policy-map on particular interface.

ciscoasa(config)#access−list traffic_for_ips permit tcp host x.x.x.x any eq 22

ciscoasa(config)#class−map ips_class_map

ciscoasa(config−cmap)#match access−list traffic_for_ips

ciscoasa(config)#policy−map interface-policy

ciscoasa(config−pmap)#class ips_class_map

ciscoasa(config−pmap−c)#ips promiscuous fail−open

!−−− Two decisions need to be made.

!−−− First, does the AIP−SSM function

!−−− in inline or promiscuous mode?

!−−− Second, does the ASA fail−open or fail−closed?

ciscoasa(config)#service−policy interface_policy interface inside

IPS host block based on custom criteria

New Member

IPS host block based on custom criteria

Sending Traffic to the IPS Module

If your model supports the IPS module for intrusion prevention, then you can send traffic to the module for inspection. The IPS module monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library. When the system detects unauthorized activity, it can terminate the specific connection, permanently block the attacking host, log the incident, and send an alert to the device manager. Other legitimate connections continue to operate independently without interruption. For more information, see the documentation for your IPS module.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/mode_contexts.html

300
Views
4
Helpful
3
Replies