Solved

Cisco ASA5510

Posted on 2013-02-04
Last Modified: 2013-02-04
SBS2003 box with RWW.
Cisco redirecting on 3389, 425 to SBS2003.
Continuous event ID 529 on the SBS2003 box, and from what I understand that is expected.
I used access-list outside_access_in deny ip host x.x.x.x any, however I was surprised to see the same IP addresses hit the server on different ports, various random ports. Is there a way to block a specific IP address on all ports?
Question by: onecare
Expert Comment by: R_Edwards
Block with SHUN in PIX/ASA
Issuing the shun command blocks connections from an attacking host. Packets that match the values in the command are dropped and logged until the blocking function is removed. The shun is applied regardless of whether a connection with the specified host address is currently active.

If you specify the destination address, source and destination ports, and the protocol, you narrow the shun to connections that match those parameters.

You can only have one shun command for each source IP address.

Because the shun command is used to block attacks dynamically, it is not displayed in the security appliance configuration.

Whenever an interface is removed, all shuns that are attached to that interface are also removed.

This example shows that the offending host (10.1.1.27) makes a connection with the victim (10.2.2.89) over TCP. The connection in the security appliance connection table reads as follows:

TCP outside:10.1.1.27/555 inside:10.2.2.89/666

In order to block connections from an attacking host, use the shun command in privileged EXEC mode. Apply the shun command with these options:

hostname#shun 10.1.1.27 10.2.2.89 555 666 tcp

The command deletes the connection from the security appliance connection table and also prevents packets from 10.1.1.27:555 to 10.2.2.89:666 (TCP) from going through the security appliance.

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a0080afe111.shtml#shun
Author Comment by: onecare
Thank you for your detailed response.

A few clarification questions:
Should I remove the access-list outside_access_in deny ip host x.x.x.x any entry? As I understand it, it has to be at the top of the access list, and it is currently towards the middle. If so, how would I delete it and/or move it?

I assume the shun command will work on a Cisco ASA 5510? I failed to specify that earlier.

Will the shun command block all attempts from the source IP on all ports? The logs are showing a systematic brute force with various usernames and source ports. So basically the deny entries below failed to stop it, and I am unsure if that has to do with the order of the access list or with not using the shun command. Can this be clarified further? Thank you.

Access List

access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface Outside eq 3389
access-list outside_access_in extended permit tcp any interface Outside eq 4125
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) eq www
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) eq https
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) eq smtp
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) eq 3389
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) eq 4125
access-list outside_access_in extended permit icmp any host (public ip X.X.X.X) echo-reply
access-list outside_access_in extended permit icmp any interface Outside echo-reply
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) eq imap4 inactive
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) object-group Emap inactive
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) object-group Port-2264 inactive
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) object-group NETML inactive
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) eq pop3 inactive
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) object-group POP3-SSL-995 inactive
access-list outside_access_in extended permit tcp any host (public ip X.X.X.X) object-group IMAP4-SSL-993 inactive
access-list outside_access_in remark rww
access-list outside_access_in extended permit tcp any 192.168.1.0 255.255.255.0 object-group rww4125
access-list outside_access_in extended permit tcp any (public ip X.X.X.X) 255.255.255.248 eq 4125
access-list outside_access_in extended permit tcp any (public ip X.X.X.X) 255.255.255.248 eq https
access-list outside_access_in extended permit tcp any (public ip X.X.X.X) 255.255.255.248 eq www
access-list outside_access_in extended deny ip host 115.90.177.148 any
access-list outside_access_in extended deny ip host 218.26.22.146 any
access-list outside_access_in extended deny ip host 80.195.39.227 any
access-list outside_access_in extended deny ip host 82.166.214.159 any
access-list outside_access_in extended deny ip host 14.63.253.241 any
access-list outside_access_in extended deny ip host 211.21.191.103 any
access-list outside_access_in extended deny ip host 148.244.235.241 any
access-list outside_access_in extended deny ip host 77.245.5.148 any
access-list outside_access_in extended deny ip host 50.56.236.101 any
access-list outside_access_in extended deny ip host 42.117.2.26 any
access-list outside_access_in extended deny ip host 192.198.87.216 any
access-list outside_access_in extended deny ip host 141.105.203.134 any
access-list outside_access_in extended deny ip host 14.35.241.135 any
access-list outside_access_in extended deny ip host 219.235.0.194 any
access-list outside_access_in extended deny ip host 222.209.223.127 any
access-list outside_access_in extended deny ip host 168.62.214.167 any
access-list outside_access_in extended deny ip host 14.43.124.54 any
access-list XXXX-splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list outsie_access_in extended permit icmp any any
access-list 1 extended permit tcp any host (public ip X.X.X.X) eq 4125
access-list 1 extended permit tcp any host 192.168.1.1 eq 4125
access-list 1 extended permit tcp any host (public ip X.X.X.X) eq 3389
access-list 1 extended permit tcp any host (public ip X.X.X.X) eq 4125
access-list 1 extended permit tcp host 192.168.1.1 eq 4125 any
Expert Comment by: R_Edwards
The server that the attacker is going after, what is its operating system?
Author Comment by: onecare
SBS2003 with RWW enabled, in addition to the Cisco redirecting 3389 over 425.
Accepted Solution by: R_Edwards (earned 500 total points)
Implicit Deny
Access lists have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot pass. For example, if you want to allow all users to access a network through the ASA except for particular addresses, then you need to deny the particular addresses and then permit all others.

For EtherType access lists, the implicit deny at the end of the access list does not affect IP traffic or ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the access list does not now block any IP traffic that you previously allowed with an extended access list (or implicitly allowed from a high security interface to a low security interface). However, if you explicitly deny all traffic with an EtherType ACE, then IP and ARP traffic is denied.

If you configure a global access rule, then the implicit deny comes after the global rule is processed. See the following order of operations:

1. Interface access rule.

2. Global access rule.

3. Implicit deny.

The order of rules is important. When the ASA decides whether to forward or drop a packet, the ASA tests the packet against each rule in the order in which the rules are listed. After a match is found, no more rules are checked. For example, if you create an access rule at the beginning that explicitly permits all traffic for an interface, no further rules are ever checked.
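To make the accepted solution's first-match rule concrete for the list posted above, here is an added example (written for this thread; not Cisco code and not an ASA feature) that evaluates a small constructed excerpt of that outside_access_in list. OUTSIDE_IF_IP is an assumed stand-in for the redacted public IP, and the parser only models the permit/deny, any/host/interface/network and eq-port subset used in the excerpt.

```python
import ipaddress
# Added example (not Cisco code): a first-match evaluator for a subset of the ASA
# extended ACL syntax seen in this thread, to show why the order of ACEs matters.
# Modelled ACE shape: access-list NAME extended {permit|deny} PROTO SRC DST [eq PORT]
# with SRC/DST as "any", "host A.B.C.D", "interface NAME" or "NET MASK".
OUTSIDE_IF_IP = "203.0.113.10"  # constructed stand-in for the thread's "(public ip X.X.X.X)"
def _addr_matcher(tokens):
    """Consume one address spec; return (predicate over an IP string, remaining tokens)."""
    kind = tokens[0]
    if kind == "any":
        return (lambda ip: True), tokens[1:]
    if kind == "host":
        return (lambda ip, h=tokens[1]: ip == h), tokens[2:]
    if kind == "interface":  # "interface Outside" = the firewall's own outside address
        return (lambda ip: ip == OUTSIDE_IF_IP), tokens[2:]
    net = ipaddress.ip_network(f"{kind}/{tokens[1]}", strict=False)  # NET MASK form
    return (lambda ip, n=net: ipaddress.ip_address(ip) in n), tokens[2:]

def parse_ace(line):
    """Return one parsed ACE, or None for remarks and lines outside the modelled subset."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        return None
    src, rest = _addr_matcher(t[5:])
    dst, rest = _addr_matcher(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None  # None = any destination port
    return {"action": t[3], "proto": t[4], "src": src, "dst": dst, "port": port}

def evaluate(acl, proto, src_ip, dst_ip, dst_port):
    """First matching ACE wins; no match is the implicit deny (reported as line None)."""
    for n, line in enumerate(acl, 1):
        ace = parse_ace(line)
        if ace is None or ace["proto"] not in ("ip", proto):
            continue
        if ace["src"](src_ip) and ace["dst"](dst_ip) and ace["port"] in (None, dst_port):
            return ace["action"], n
    return "deny", None

# Constructed excerpt of the posted list, in posted order: the RDP permit sits above the
# per-host deny, so for port 3389 the deny is never reached.
POSTED = [
    "access-list outside_access_in extended permit tcp any interface Outside eq 3389",
    "access-list outside_access_in remark rww",
    "access-list outside_access_in extended deny ip host 115.90.177.148 any",
]
DENY_FIRST = POSTED[2:] + POSTED[:2]  # same ACEs with the host deny moved to the top

def demo():
    """Verdicts for the denied host on 3389 (posted order, deny-first order) and an unlisted port."""
    return (evaluate(POSTED, "tcp", "115.90.177.148", OUTSIDE_IF_IP, 3389),
            evaluate(DENY_FIRST, "tcp", "115.90.177.148", OUTSIDE_IF_IP, 3389),
            evaluate(POSTED, "tcp", "198.51.100.7", OUTSIDE_IF_IP, 22))
```

In the posted order the deny for 115.90.177.148 is matched only for traffic that no earlier permit already accepted, which is why the host still reaches 3389; with the deny moved above the permits it is dropped on every port.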
Author Comment by: onecare
OK, the client just requested to shut off those ports and use the VPN functionality of the Cisco ASA 5510.