I am trying to filter out an IP that keeps sending a UDP BOMB. I have created an ACL that should filter out the IP. In my syslog I still keep getting the message below. I am wondering if this will keep happening, or have I not configured the ACL correctly?
I do understand that IDS and Firewall should work together and I am in the process of doing this. Could this possibly be the problem?
5044: May 28 13:13:28.805 MST: %IDS-4-UDP_BOMB_SIG: Sig:4050:UDP Bomb - from 22.214.171.124 to 65.*.*.*
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 126.96.36.199 0.0.0.1 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip host 192.168.1.2 192.168.2.0 0.0.0.255
This is done so that admins can see attacks even though the ACL will then prevent them. If the ACL denied them straight away then you'd never know if you were under attack. This is why you're seeing the IDS alert, but if you then do a "sho access-list 101" you should see hits on the deny line for that host.
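One way to check, before reading the hit counters, whether a source the IDS reports would actually land on a deny line: a small first-match ACL evaluator added for this thread (not code from either poster). It parses access-list 101 as posted, applies IOS wildcard-mask semantics plus the implicit deny at the end, and evaluates a source against it; the alert's destination is masked on the page, so the destination value used is a constructed placeholder. It also shows that the 0.0.0.1 wildcard on the first line covers a pair of addresses, not just the one written.

```python
import ipaddress

# ACL 101 as posted in the question (the list the answer says to check)
ACL_TEXT = """\
access-list 101 deny ip 126.96.36.199 0.0.0.1 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
"""

def parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A wildcard'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])), tokens[2:])

def parse_acl(text, number):
    """Ordered entries of one numbered ACL; only 'ip' entries are modelled."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != str(number):
            continue
        src, swc, rest = parse_addr(t[4:])
        dst, dwc, _ = parse_addr(rest)
        entries.append((t[2], src, swc, dst, dwc))
    return entries

def wildcard_match(addr, base, wc):
    """Cisco wildcard bits: 1 = don't care, so compare only the 0 bits."""
    care = ~wc & 0xFFFFFFFF
    return (addr & care) == (base & care)

def evaluate(entries, src_ip, dst_ip):
    """First match wins; running off the end is the implicit deny (index None)."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for idx, (action, src, swc, dst, dwc) in enumerate(entries):
        if wildcard_match(s, src, swc) and wildcard_match(d, dst, dwc):
            return action, idx
    return "deny", None

ACL_101 = parse_acl(ACL_TEXT, 101)

if __name__ == "__main__":
    # The syslog destination is masked (65.*.*.*); 65.0.0.1 is a constructed stand-in.
    for ip in ("126.96.36.199", "126.96.36.198", "22.214.171.124"):
        print(ip, evaluate(ACL_101, ip, "65.0.0.1"))
```

The returned index is the position of the matching entry, which is the line whose counter should climb in "sho access-list 101" if the ACL is applied on the interface the traffic enters.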