Solved

Cisco ASA5510

Posted on 2013-02-04
6
Medium Priority
727 Views
Last Modified: 2013-02-04
SBS2003 box with RWW
Cisco redirecting on 3389, 425 to SBS2003
Continuous event id 529 on the SBS2003 box, and from what I understand that is expected.
I used access-list outside_access_in deny ip host x.x.x.x any; however, I was surprised to see the same IP addresses hit the server on different ports, various random ports. Is there a way to block a specific IP address on all ports?
Question by:onecare
6 Comments
 
LVL 8

Expert Comment

by:R_Edwards
ID: 38851949
Block with SHUN in PIX/ASA
Issuing the shun command blocks connections from an attacking host. Packets that match the values in the command are dropped and logged until the blocking function is removed. The shun is applied regardless of whether a connection with the specified host address is currently active.

If you specify the destination address, source and destination ports, and the protocol, you narrow the shun to connections that match those parameters.

You can only have one shun command for each source IP address.

Because the shun command is used to block attacks dynamically, it is not displayed in the security appliance configuration.

Whenever an interface is removed, all shuns that are attached to that interface are also removed.

This example shows that the offending host (10.1.1.27) makes a connection with the victim (10.2.2.89) to TCP. The connection in the security appliance connection table reads as follows:

TCP outside:10.1.1.27/555 inside:10.2.2.89/666

In order to block connections from an attacking host, use the shun command in privileged EXEC mode. Apply the shun command with these options:

hostname#shun 10.1.1.27 10.2.2.89 555 666 tcp
The command deletes the connection from the security appliance connection table and also prevents packets from 10.1.1.27:555 to 10.2.2.89:666 (TCP) from going through the security appliance.

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a0080afe111.shtml#shun
 

Author Comment

by:onecare
ID: 38852093
Thank you for your detailed response.

A few clarification questions:
Should I remove the access-list outside_access_in deny ip host x.x.x.x any entry, as I understand it has to be at the top of the access list and it is currently towards the middle? If so, how would I delete it and/or move it?

I assume shun command will work on Cisco ASA 5510? I failed to specify earlier.

Will the shun command block all attempts from source IP on all ports? The logs are showing systematic brute force with various usernames and source ports. So basically the deny entries below failed to stop and I am unsure if that has to do with the order of the access list or not using the shun command. Can this be clarified further? Thank you

Access List

access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface Outside eq 3389
access-list outside_access_in extended permit tcp any interface Outside eq 4125
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) eq www
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) eq https
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) eq smtp
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) eq 3389
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) eq 4125
access-list outside_access_in extended permit icmp any host (public ip X.X.X.X) echo-reply
access-list outside_access_in extended permit icmp any interface Outside echo-reply
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) eq imap4 inactive
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) object-group Emap inactive
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) object-group Port-2264 inactive
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) object-group NETML inactive
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) eq pop3 inactive
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) object-group POP3-SSL-995 inactive
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) object-group IMAP4-SSL-993 inactive
access-list outside_access_in remark rww
access-list outside_access_in extended permit tcp any 192.168.1.0 255.255.255.0 object-group rww4125
access-list outside_access_in extended permit tcp any (public ip X.X.X.X) 255.255.255.248 eq 4125
access-list outside_access_in extended permit tcp any (public ip X.X.X.X) 255.255.255.248 eq https
access-list outside_access_in extended permit tcp any (public ip X.X.X.X) 255.255.255.248 eq www
access-list outside_access_in extended deny ip host 115.90.177.148 any
access-list outside_access_in extended deny ip host 218.26.22.146 any
access-list outside_access_in extended deny ip host 80.195.39.227 any
access-list outside_access_in extended deny ip host 82.166.214.159 any
access-list outside_access_in extended deny ip host 14.63.253.241 any
access-list outside_access_in extended deny ip host 211.21.191.103 any
access-list outside_access_in extended deny ip host 148.244.235.241 any
access-list outside_access_in extended deny ip host 77.245.5.148 any
access-list outside_access_in extended deny ip host 50.56.236.101 any
access-list outside_access_in extended deny ip host 42.117.2.26 any
access-list outside_access_in extended deny ip host 192.198.87.216 any
access-list outside_access_in extended deny ip host 141.105.203.134 any
access-list outside_access_in extended deny ip host 14.35.241.135 any
access-list outside_access_in extended deny ip host 219.235.0.194 any
access-list outside_access_in extended deny ip host 222.209.223.127 any
access-list outside_access_in extended deny ip host 168.62.214.167 any
access-list outside_access_in extended deny ip host 14.43.124.54 any
access-list XXXX-splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list outsie_access_in extended permit icmp any any
access-list 1 extended permit tcp any host (public ip X.X.X.X) eq 4125
access-list 1 extended permit tcp any host 192.168.1.1 eq 4125
access-list 1 extended permit tcp any host (public ip X.X.X.X) eq 3389
access-list 1 extended permit tcp any host (public ip X.X.X.X) eq 4125
access-list 1 extended permit tcp host 192.168.1.1 eq 4125 any
 
LVL 8

Expert Comment

by:R_Edwards
ID: 38852104
The server that the attacker is going after, what is its operating system?

Author Comment

by:onecare
ID: 38852122
SBS2003 with RWW enabled in addition to the Cisco redirecting 3389 over 425
 
LVL 8

Accepted Solution

by: R_Edwards (earned 2000 total points)
ID: 38852192
Implicit Deny
Access lists have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot pass. For example, if you want to allow all users to access a network through the ASA except for particular addresses, then you need to deny the particular addresses and then permit all others.

For EtherType access lists, the implicit deny at the end of the access list does not affect IP traffic or ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the access list does not now block any IP traffic that you previously allowed with an extended access list (or implicitly allowed from a high security interface to a low security interface). However, if you explicitly deny all traffic with an EtherType ACE, then IP and ARP traffic is denied.

If you configure a global access rule, then the implicit deny comes after the global rule is processed. See the following order of operations:

1. Interface access rule.

2. Global access rule.

3. Implicit deny.

The order of rules is important. When the ASA decides whether to forward or drop a packet, the ASA tests the packet against each rule in the order in which the rules are listed. After a match is found, no more rules are checked. For example, if you create an access rule at the beginning that explicitly permits all traffic for an interface, no further rules are ever checked.
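To make the first-match point concrete for the ACL posted above, here is an added example (not from the thread or from Cisco) that models how the ASA walks outside_access_in: a few ACEs taken from the poster's list, permits first and host denies after them, evaluated top to bottom with the implicit deny appended. Only action, protocol, source host and destination port are modelled; the attacker address and the port set are constructed from the posted ACL.

```python
# Added example: minimal first-match model of an ASA interface access list.
# Models only the fields needed here: action, protocol, source host, destination port.
from dataclasses import dataclass
from typing import Optional, List, Tuple

@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "icmp" or "ip" ("ip" matches any protocol)
    src: str               # source host address, or "any"
    dport: Optional[int]   # destination port; None means any port

def evaluate(acl: List[Ace], proto: str, src: str, dport: Optional[int]) -> Tuple[str, int]:
    """Return (action, index) of the first ACE that matches the packet.
    Evaluation stops at the first match; index -1 is the implicit deny at the end."""
    for i, ace in enumerate(acl):
        if ace.proto not in ("ip", proto):
            continue
        if ace.src != "any" and ace.src != src:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i
    return "deny", -1   # implicit deny: nothing explicitly permitted gets through

# Constructed from the posted ACL: permits for 3389/4125/https sit above the host denies.
AS_POSTED = [
    Ace("permit", "tcp", "any", 3389),
    Ace("permit", "tcp", "any", 4125),
    Ace("permit", "tcp", "any", 443),
    Ace("deny", "ip", "115.90.177.148", None),
    Ace("deny", "ip", "218.26.22.146", None),
]

def reorder_denies_first(acl: List[Ace]) -> List[Ace]:
    """Same ACEs with the host denies moved ahead of every permit,
    which is what inserting the deny lines at the top of the list achieves."""
    denies = [a for a in acl if a.action == "deny"]
    permits = [a for a in acl if a.action == "permit"]
    return denies + permits

if __name__ == "__main__":
    attacker = "115.90.177.148"     # one of the denied hosts in the posted ACL
    fixed = reorder_denies_first(AS_POSTED)
    for port in (3389, 4125, 443, 22):
        print(f"dport {port}: as posted -> {evaluate(AS_POSTED, 'tcp', attacker, port)}, "
              f"denies first -> {evaluate(fixed, 'tcp', attacker, port)}")
```

With the list as posted the denied host still reaches 3389, 4125 and 443 because the "permit tcp any ... eq 3389" line matches first and evaluation stops there; only ports with no permit above the deny (22 here) are blocked. With the denies moved to the top, every port from that host hits the deny ACE first.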
 

Author Comment

by:onecare
ID: 38852638
ok, the client just requested to shut off those ports and use the VPN functionality of the Cisco ASA 5510.
