Solved

cisco asa

Posted on 2013-05-28
Last Modified: 2013-06-06
Looking at my ASA log I have tons of 710003 errors. The source IP is an external IP and the destination IP is the outside address of my ASA. This is the only error that is happening on the ASA and it causes an internet drop for our internal users.
What can I do to prevent this?

TCP Access denied by ACL from xxxx.xxxx.xxxx.xxx to primary isp :xxxx.xxxx.xxxx.xxx/443
Question by:Glocap
24 Comments
 
LVL 5

Expert Comment

by:aarie
ID: 39201732
If it is always the same external IP address, you may want to figure out to who or to which organization it belongs and report it as an abuse issue.

Another option is to create an ACL rule denying the specific traffic. However, the ASA will report dropping those packets in log messages at the Warning level (level 4), so you may want to rate limit that.
LVL 26

Expert Comment

by:pony10us
ID: 39201755
Is the source IP constant? Is the destination port constant (443)? It looks like a possible DDoS attack, as referenced by aarie.

However, it appears that there may already be an ACL in place denying the traffic, which is why it is showing up as access denied.

If it is a constant source IP then try doing a whois.
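Added example, not part of the thread: a Python script that parses constructed ASA 710003 syslog lines and answers the two questions above per destination port (one source, one dominant source, or many), and reports the peak messages per minute to size the logging rate limit aarie mentioned. It assumes the standard 710003 message format with syslog timestamps enabled; 69.74.205.226 and the PrimaryISP interface name are taken from the config posted later in the thread, while the source addresses are documentation-range placeholders.

```python
"""Summarise Cisco ASA 710003 syslog lines.

710003 ("TCP access denied by ACL from SRC/SPORT to IFACE:DST/DPORT") is
raised by the ASA for connections addressed to one of its own interface
addresses (to-the-box traffic, which interface access-lists do not filter).
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines, not taken from the thread.  69.74.205.226 and the
# PrimaryISP interface name come from the posted config; source addresses are
# documentation-range placeholders; the 302014 line is unrelated noise.
SAMPLE_LOG = """\
May 28 2013 09:12:01 fw-glocap : %ASA-3-710003: TCP access denied by ACL from 198.51.100.7/51234 to PrimaryISP:69.74.205.226/443
May 28 2013 09:12:02 fw-glocap : %ASA-3-710003: TCP access denied by ACL from 198.51.100.7/51235 to PrimaryISP:69.74.205.226/443
May 28 2013 09:12:03 fw-glocap : %ASA-3-710003: TCP access denied by ACL from 203.0.113.15/4421 to PrimaryISP:69.74.205.226/80
May 28 2013 09:12:03 fw-glocap : %ASA-3-710003: TCP access denied by ACL from 203.0.113.99/4422 to PrimaryISP:69.74.205.226/443
May 28 2013 09:12:04 fw-glocap : %ASA-6-302014: Teardown TCP connection 12345 for inside3:192.168.3.4/25 duration 0:00:01 bytes 512 TCP FINs
May 28 2013 09:12:05 fw-glocap : %ASA-3-710003: TCP access denied by ACL from 203.0.113.40/4500 to PrimaryISP:69.74.205.226/80
May 28 2013 09:12:09 fw-glocap : %ASA-3-710003: TCP access denied by ACL from 198.51.100.7/51240 to PrimaryISP:69.74.205.226/443
May 28 2013 09:13:10 fw-glocap : %ASA-3-710003: TCP access denied by ACL from 203.0.113.77/60001 to PrimaryISP:69.74.205.226/80
May 28 2013 09:13:11 fw-glocap : %ASA-3-710003: UDP access denied by ACL from 203.0.113.5/40000 to PrimaryISP:69.74.205.226/161
"""

MSG_RE = re.compile(
    r"%ASA-\d-710003: (?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<iface>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>[\w-]+)"
)
# Syslog timestamp as the ASA writes it with "logging timestamp" enabled.
TS_RE = re.compile(r"^([A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}):\d{2}\b")


def parse_710003(line):
    """Return the fields of one 710003 line (plus its minute bucket), else None."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    ts = TS_RE.match(line)
    rec["minute"] = ts.group(1) if ts else None  # e.g. "May 28 2013 09:12"
    return rec


def summarize(log_text):
    """Count 710003 hits per destination port and source, and per minute."""
    by_port = defaultdict(Counter)  # dport -> Counter({src: hits})
    per_minute = Counter()
    total = 0
    for line in log_text.splitlines():
        rec = parse_710003(line)
        if rec is None:
            continue
        total += 1
        by_port[rec["dport"]][rec["src"]] += 1
        if rec["minute"] is not None:
            per_minute[rec["minute"]] += 1
    return {
        "total": total,
        "by_port": {port: dict(srcs) for port, srcs in by_port.items()},
        "peak_per_minute": max(per_minute.values(), default=0),
    }


def assess(summary):
    """Per port: one source (worth a whois/abuse report), one dominant source, or many."""
    findings = {}
    for port, srcs in summary["by_port"].items():
        top_src, top_hits = max(srcs.items(), key=lambda kv: kv[1])
        hits = sum(srcs.values())
        if len(srcs) == 1:
            verdict = "single-source"
        elif top_hits * 2 > hits:  # one address accounts for more than half
            verdict = "dominant-source"
        else:
            verdict = "many-sources"  # denying one address will not change much
        findings[port] = {
            "hits": hits,
            "distinct_sources": len(srcs),
            "top_source": top_src,
            "top_hits": top_hits,
            "verdict": verdict,
        }
    return findings


def rate_limit_command(summary, allowed_per_minute=10):
    """ASA 'logging rate-limit' line if 710003 exceeds the allowed burst, else None."""
    if summary["peak_per_minute"] <= allowed_per_minute:
        return None
    return f"logging rate-limit {allowed_per_minute} 60 message 710003"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for port, f in sorted(assess(s).items()):
        print(f"port {port}: {f['hits']} hits from {f['distinct_sources']} sources "
              f"(top {f['top_source']} x{f['top_hits']}) -> {f['verdict']}")
    print("peak per minute:", s["peak_per_minute"], "|", rate_limit_command(s, 5))
```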

Author Comment

by:Glocap
ID: 39201800
It is different IP addresses every time.

Can you let me know the commands for creating an ACL rule denying the traffic and how to rate limit this?
LVL 26

Expert Comment

by:pony10us
ID: 39201852
Are you running any type of secure web server?  Port 443 is used for SSL connections to a web server.  If you are not running one then you can put in a rule like this:

deny tcp any any eq 443

Or if you want to be more specific you can use the IP address of the ASA as the destination:

deny tcp any xxx.xxx.xxx.xxx eq 443

Author Comment

by:Glocap
ID: 39201981
Hi pony10us, I can run the below commands for the Cisco ASA external interface:

deny tcp any xxx.xxx.xxx.xxx eq 443
deny tcp any xxx.xxx.xxx.xxx eq 80

But will it block my internet completely, as port 80 will be blocked too?

I have been having drops on both 80 and 443:

TCP Access denied by ACL from xxxx.xxxx.xxxx.xxx to primary isp :xxxx.xxxx.xxxx.xxx/80
TCP Access denied by ACL from xxxx.xxxx.xxxx.xxx to primary isp :xxxx.xxxx.xxxx.xxx/443
LVL 26

Expert Comment

by:pony10us
ID: 39202021
Those commands will block all incoming traffic to the address of the ASA on both port 80 and 443.  Since it is an ASA then I would expect that you don't want the web interface open to the outside world anyway.

Author Comment

by:Glocap
ID: 39202030
OK thanks, I will enter the deny commands on the ASA and see how it goes.

What is the command in case I need to undo the changes?
LVL 26

Expert Comment

by:pony10us
ID: 39202047
To remove a command you would re-enter it and put a "no" in front:

no deny tcp any xxx.xxx.xxx.xxx eq 443
no deny tcp any xxx.xxx.xxx.xxx eq 80

Author Comment

by:Glocap
ID: 39202260
Thanks pony10us, I am writing down the current config of the ASA; let me know if you think any other changes are required.

69.74.205.226 is the external interface IP of the firewall.

Please find below the config:

username admin attributes
 vpn-group-policy glocap.com
username zoia@glocap.com password iarvwww40jwB3oBf encrypted privilege 0
username zoia@glocap.com attributes
 vpn-group-policy glocap.com
username ctoffice password 3qpNN8u1sMkwQV2t encrypted
username ctoffice attributes
 vpn-group-policy glocap.com
 vpn-simultaneous-logins 3
 webvpn
  svc ask enable default svc
username enable_16 password sj2wkcWtN4dIfBl6 encrypted privilege 15
username song password ggyYwwJ2UNJMYF5L encrypted privilege 0
username song attributes
 vpn-group-policy glocap.com
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN_Pool
 dhcp-server 192.168.3.4
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 pre-shared-key *
tunnel-group glocap.com type remote-access
tunnel-group glocap.com general-attributes
 address-pool VPN_Pool
 default-group-policy glocap.com
tunnel-group glocap.com ipsec-attributes
 pre-shared-key *
tunnel-group 74.211.164.194 type ipsec-l2l
tunnel-group 74.211.164.194 ipsec-attributes
 pre-shared-key *
tunnel-group 24.43.165.42 type ipsec-l2l
tunnel-group 24.43.165.42 ipsec-attributes
 pre-shared-key *
tunnel-group 70.99.142.162 type ipsec-l2l
tunnel-group 70.99.142.162 ipsec-attributes
 pre-shared-key *
tunnel-group 173.247.204.74 type ipsec-l2l
tunnel-group 173.247.204.74 ipsec-attributes
 pre-shared-key *
tunnel-group 99.115.135.225 type ipsec-l2l
tunnel-group 99.115.135.225 ipsec-attributes
 pre-shared-key *
tunnel-group 108.66.222.161 type ipsec-l2l
tunnel-group 108.66.222.161 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect ipsec-pass-thru
  inspect icmp
!
service-policy global_policy global
smtp-server 192.168.3.10
prompt hostname context
Cryptochecksum:e8314d9e5e85d6bceed47bb2bfd117e5
: end
asdm image disk0:/asdm-623.bin
asdm location Sharepoint 255.255.255.255 inside
asdm location A-69.74.205.229 255.255.255.255 inside
asdm location A-69.74.205.228 255.255.255.255 inside
asdm location A-69.74.205.231 255.255.255.255 inside
asdm location A-64.52.247.50 255.255.255.255 inside
asdm location TKO 255.255.255.255 inside
asdm location A-69.74.205.234 255.255.255.255 inside
asdm location A-69.74.205.235 255.255.255.255 inside
asdm location Google1 255.255.240.0 inside
asdm location Google2 255.255.252.0 inside
asdm location Google3 255.255.240.0 inside
asdm location Postini 255.255.252.0 inside
asdm location LA_Office 255.255.255.0 inside
asdm location SEAOffice 255.255.255.0 inside
asdm location NYEX1 255.255.255.255 inside
asdm location A-69.74.205.230 255.255.255.255 inside
asdm location A-192.168.3.15 255.255.255.255 inside
asdm location Kia_RDP_INT 255.255.255.255 inside
asdm location A-108.66.222.161 255.255.255.255 inside
asdm location Nick 255.255.255.255 inside
asdm location A-69.74.205.236 255.255.255.255 inside
asdm location A-69.74.205.237 255.255.255.255 inside
asdm location A-69.74.205.238 255.255.255.255 inside
asdm location ANALYZER 255.255.255.255 inside
asdm location 96.56.6.165 255.255.255.255 inside
asdm location SK 255.255.255.255 inside
no asdm history enable

Author Comment

by:Glocap
ID: 39202326
Sorry, I had an incomplete config in the previous message. Please find it below:

: Saved
:
ASA Version 8.0(5)
!
hostname fw-glocap
domain-name glocap.com
enable password 0e53SZdxezxawxDG encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 64.52.247.47 Sharepoint description Sharepoint
name 69.74.205.229 A-69.74.205.229 description Exchange
name 69.74.205.228 A-69.74.205.228 description Adam
name 69.74.205.231 A-69.74.205.231 description Archive
name 69.74.205.227 TKO description TKO
name 69.74.205.234 A-69.74.205.234 description Sharepoint
name 64.18.0.0 Google1
name 74.125.148.0 Google2
name 207.126.144.0 Google3
name 74.125.244.0 Postini
name 192.168.11.0 LA_Office description LA Office
name 192.168.12.0 SEAOffice
name 192.168.3.10 NYEX1 description NYEX1
name 64.52.247.50 A-64.52.247.50 description WSUS
name 69.74.205.235 A-69.74.205.235 description KIA
name 69.74.205.230 A-69.74.205.230 description WSUS-PrimaryISP
name 192.168.3.15 A-192.168.3.15 description Archive
name 192.168.3.210 Kia_RDP_INT
name 192.168.3.19 WSUS description WSUS
name 108.66.222.161 A-108.66.222.161 description LA WAN AT&T
name 69.74.205.236 A-69.74.205.236 description Nick
name 192.168.3.194 Nick description Nick
name 69.74.205.237 A-69.74.205.237 description SK
name 69.74.205.238 A-69.74.205.238 description SonicWALL Analyzer
name 192.168.3.9 ANALYZER description SonicWALL Analyzer
name 192.168.3.115 SK description SK
name 192.168.10.0 SFLan description SF  Lan
dns-guard
!
interface Ethernet0/0
 nameif BackupISP
 security-level 0
 ip address 64.52.247.34 255.255.255.224
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no ip address
 ospf cost 10
!
interface Ethernet0/1.3
 vlan 3
 nameif inside3
 security-level 90
 ip address 192.168.3.254 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif inside20
 security-level 20
 ip address 192.168.20.254 255.255.255.0
!
interface Ethernet0/1.30
 vlan 30
 nameif inside30
 security-level 30
 ip address 192.168.30.254 255.255.255.0
!
interface Ethernet0/1.40
 vlan 40
 nameif inside40
 security-level 40
 ip address 192.168.40.254 255.255.255.0
!
interface Ethernet0/1.50
 vlan 50
 nameif inside50
 security-level 50
 ip address 192.168.50.254 255.255.255.0
!
interface Ethernet0/1.60
 vlan 60
 nameif inside60
 security-level 60
 ip address 192.168.60.254 255.255.255.0
!
interface Ethernet0/1.70
 vlan 70
 nameif inside70
 security-level 70
 ip address 192.168.70.254 255.255.255.0
!
interface Ethernet0/1.80
 vlan 80
 nameif Inside80
 security-level 80
 ip address 192.168.80.254 255.255.255.0
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif PrimaryISP
 security-level 0
 ip address 69.74.205.226 255.255.255.240
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description LAN/STATE Failover Interface
 speed 100
 duplex full
!
boot system disk0:/asa805-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup BackupISP
dns domain-lookup inside3
dns domain-lookup inside70
dns server-group DefaultDNS
 name-server 8.8.4.4
 domain-name glocap.com
object-group service trusted-tcp tcp
 port-object eq telnet
 port-object eq 3389
 port-object eq https
 port-object eq 5101
 port-object eq 5023
 port-object eq pcanywhere-data
 port-object eq www
 port-object eq ssh
 port-object eq smtp
 port-object range 6720 6740
 port-object range 5900 5901
 port-object range 3668 3669
 port-object range ftp-data telnet
 port-object eq 2222
 port-object eq 5022
 port-object eq 6677
object-group service trusted-udp udp
 port-object eq pcanywhere-status
object-group service TKO tcp
 description Accounting Server
 port-object eq 9505
 port-object eq 9506
 port-object eq 8080
 port-object eq www
 port-object eq https
 port-object eq ssh
object-group service Timbuktu
 service-object tcp-udp eq 407
 service-object tcp range 1417 1420
object-group service VNC tcp
 port-object eq 5500
 port-object eq 5800
 port-object eq 5900
object-group service SSL tcp
 description SMTP
 port-object eq 587
 port-object eq 993
object-group network ExchangeServers
 network-object host 192.168.3.4
 network-object host 192.168.3.5
 network-object host 192.168.3.8
object-group service RDP tcp
 description RDP
 port-object eq 3389
object-group service n-mon
 description MessageLabs Monitoring
 service-object udp eq snmp
 service-object udp eq snmptrap
 service-object tcp eq www
 service-object tcp eq https
 service-object tcp eq ssh
object-group network ML-001
 network-object 117.120.16.0 255.255.248.0
 network-object 193.109.254.0 255.255.254.0
 network-object 194.106.220.0 255.255.254.0
 network-object 195.245.230.0 255.255.254.0
 network-object 216.82.240.0 255.255.240.0
 network-object 67.219.240.0 255.255.240.0
 network-object 85.158.136.0 255.255.248.0
 network-object 95.131.104.0 255.255.248.0
object-group network DM_INLINE_NETWORK_3
 network-object host 96.56.6.162
 network-object host 96.56.6.163
 network-object host 96.56.6.165
object-group service UDP_4500 udp
 port-object eq 4500
object-group service Secure_POP3 tcp
 port-object eq 995
object-group network DM_INLINE_NETWORK_1
 network-object host 96.56.6.162
 network-object host 96.56.6.163
 network-object host 96.56.6.165
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service KMS tcp
 description KMS
 port-object eq 1688
object-group service DM_INLINE_TCP_1 tcp
 group-object RDP
 port-object eq https
 group-object KMS
access-list outside_access_in extended deny icmp any any log errors inactive
access-list outside_access_in remark Pop Access for testjobs@glocap.com (Mark Z.)
access-list outside_access_in extended permit tcp 70.89.67.24 255.255.255.248 host 64.52.247.35 eq pop3 inactive
access-list outside_access_in remark Pop Access for testjobs@glocap.com (Mark Z.)
access-list outside_access_in extended permit tcp 207.7.135.0 255.255.255.0 host 64.52.247.35 eq pop3 inactive
access-list outside_access_in extended deny tcp any any eq pop3 log errors
access-list outside_access_in remark Adam Zoia RDP Access
access-list outside_access_in extended permit tcp any host 64.52.247.40 object-group RDP
access-list outside_access_in remark Exchange RDP access
access-list outside_access_in extended permit tcp any host 64.52.247.35 object-group RDP
access-list outside_access_in extended deny tcp any any object-group RDP log errors
access-list outside_access_in remark Exchange
access-list outside_access_in extended permit tcp Postini 255.255.252.0 host 64.52.247.35 eq smtp
access-list outside_access_in remark TKO Server - New Rule. Note: Check Linux IP Tables when change occurs.
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 64.52.247.60 eq ssh
access-list outside_access_in remark TKO Server
access-list outside_access_in extended permit tcp any host 64.52.247.60 object-group TKO
access-list outside_access_in extended permit tcp any any eq www inactive
access-list outside_access_in remark OWA/Activesync
access-list outside_access_in extended permit tcp any host 64.52.247.35 eq https
access-list outside_access_in remark Archive
access-list outside_access_in extended permit tcp any host 64.52.247.41 eq https
access-list outside_access_in remark Sharepoint access
access-list outside_access_in extended permit tcp any host Sharepoint eq www
access-list outside_access_in remark FTP
access-list outside_access_in extended permit tcp any host A-64.52.247.50 eq ftp inactive
access-list outside_access_in extended permit ip any any inactive
access-list outside_access_in extended permit tcp any host 64.52.247.35 eq 995 inactive
access-list outside_access_in extended permit icmp any any time-exceeded inactive
access-list outside_access_in extended permit icmp any any unreachable inactive
access-list outside_access_in extended permit icmp any any echo inactive
access-list outside_access_in extended permit icmp any any echo-reply inactive
access-list glocap.com_SplitTunnelACL remark LAN
access-list glocap.com_SplitTunnelACL standard permit 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 SFLan 255.255.255.0 inactive
access-list inside_nat0_outbound extended permit icmp any any inactive
access-list test extended permit ip host 64.52.247.34 host 64.52.247.33 inactive
access-list test extended permit ip host 64.52.247.33 host 64.52.247.34 inactive
access-list test extended permit ip host 64.52.247.34 any inactive
access-list test extended permit ip any host 64.52.247.34 inactive
access-list inside_access_in remark allow exchange server outbound
access-list inside_access_in extended permit tcp object-group ExchangeServers any eq smtp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp 192.168.3.0 255.255.255.0 any
access-list inside_access_in remark blocking spam traffic on port 25
access-list inside_access_in extended deny tcp any any eq smtp log errors inactive
access-list inside_access_in extended deny tcp any any object-group RDP log errors inactive
access-list inside_access_in extended permit icmp any any
access-list capin extended permit tcp host 192.168.3.182 any eq www inactive
access-list capin extended permit tcp any eq www host 192.168.3.182 inactive
access-list capout extended permit tcp host 64.52.247.34 host 68.142.121.167 eq www inactive
access-list capout extended permit tcp host 68.142.121.167 eq www host 64.52.247.34 inactive
access-list backup_access_in extended deny tcp any any eq pop3 log errors
access-list backup_access_in remark Exchange
access-list backup_access_in extended permit tcp Postini 255.255.252.0 host A-69.74.205.229 eq smtp
access-list backup_access_in remark OWA/Activesync - Backup ISP
access-list backup_access_in extended permit tcp any host A-69.74.205.229 eq https
access-list backup_access_in remark Adam Zoia RDP Access - Backup ISP
access-list backup_access_in extended permit tcp any host A-69.74.205.228 object-group RDP
access-list backup_access_in remark Archive
access-list backup_access_in extended permit tcp any host A-69.74.205.231 object-group DM_INLINE_TCP_1
access-list backup_access_in remark Exchange RDP Access - Backup ISP
access-list backup_access_in extended permit tcp any host A-69.74.205.229 object-group RDP
access-list backup_access_in remark Communication with SonicWALL Analyzer
access-list backup_access_in extended permit udp any host A-69.74.205.238 eq syslog
access-list backup_access_in extended deny tcp any any object-group RDP log errors inactive
access-list backup_access_in remark TKO
access-list backup_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 host TKO eq ssh
access-list backup_access_in remark TKO
access-list backup_access_in extended permit tcp any host TKO object-group TKO
access-list backup_access_in extended permit tcp any host A-69.74.205.235 eq ftp inactive
access-list backup_access_in remark Sharepoint
access-list backup_access_in extended permit object-group TCPUDP any host A-69.74.205.234 eq www
access-list backup_access_in extended permit icmp any any time-exceeded inactive
access-list backup_access_in extended permit icmp any any unreachable inactive
access-list backup_access_in extended permit icmp any any echo inactive
access-list backup_access_in extended permit icmp any any echo-reply inactive
access-list backup_access_in extended deny icmp any any log errors inactive
access-list backup_access_in extended permit tcp any host A-69.74.205.235 object-group RDP
access-list backup_access_in remark Nick RDP ACCESS
access-list backup_access_in extended permit tcp any host A-69.74.205.236 object-group RDP
access-list backup_access_in extended permit tcp any host A-69.74.205.237 object-group RDP
access-list nonatvpn extended permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonatvpn extended permit ip 192.168.3.0 255.255.255.0 SFLan 255.255.255.0
access-list nonatvpn extended permit ip 192.168.3.0 255.255.255.0 LA_Office 255.255.255.0
access-list nonatvpn extended permit ip 192.168.3.0 255.255.255.0 SEAOffice 255.255.255.0
access-list capt1 extended permit esp host 192.168.4.10 192.168.3.0 255.255.255.0 inactive
access-list inside3_cryptomap extended permit ip 192.168.3.0 255.255.255.0 SFLan 255.255.255.0
access-list inside3_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 LA_Office 255.255.255.0
access-list inside3_cryptomap_2 extended permit ip 192.168.3.0 255.255.255.0 SEAOffice 255.255.255.0
access-list inside3_cryptomap_3 extended permit ip 192.168.3.0 255.255.255.0 SFLan 255.255.255.0
access-list inside3_cryptomap_4 extended permit ip 192.168.3.0 255.255.255.0 SFLan 255.255.255.0
access-list inside3_cryptomap_5 extended permit ip 192.168.3.0 255.255.255.0 LA_Office 255.255.255.0
pager lines 24
logging enable
logging standby
logging buffer-size 100000
logging asdm-buffer-size 512
logging buffered critical
logging trap debugging
logging asdm warnings
logging mail critical
logging from-address alerts@glocap.com
logging recipient-address katial@glocap.com level critical
logging host inside 192.168.3.189
mtu BackupISP 1500
mtu inside 1500
mtu inside3 1500
mtu inside20 1500
mtu inside30 1500
mtu inside40 1500
mtu inside50 1500
mtu inside60 1500
mtu inside70 1500
mtu Inside80 1500
mtu PrimaryISP 1500
ip local pool VPN_Pool 192.168.4.10-192.168.4.200 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface inside3
no failover
failover lan unit secondary
failover lan interface xover Management0/0
failover key *****
failover replication http
failover link xover Management0/0
failover interface ip xover 192.168.10.1 255.255.255.252 standby 192.168.10.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (BackupISP) 101 interface
global (PrimaryISP) 101 interface
nat (inside3) 0 access-list nonatvpn
nat (inside3) 101 0.0.0.0 0.0.0.0
nat (inside20) 101 0.0.0.0 0.0.0.0
nat (inside30) 101 0.0.0.0 0.0.0.0
nat (inside40) 101 0.0.0.0 0.0.0.0
nat (inside50) 101 0.0.0.0 0.0.0.0
nat (inside60) 101 0.0.0.0 0.0.0.0
nat (inside70) 101 0.0.0.0 0.0.0.0
nat (Inside80) 101 0.0.0.0 0.0.0.0
static (inside3,BackupISP) Sharepoint 192.168.3.33 netmask 255.255.255.255
static (inside3,BackupISP) 64.52.247.35 NYEX1 netmask 255.255.255.255
static (inside3,BackupISP) 64.52.247.40 192.168.3.89 netmask 255.255.255.255
static (inside3,BackupISP) 64.52.247.60 192.168.3.12 netmask 255.255.255.255
static (inside3,BackupISP) 64.52.247.41 A-192.168.3.15 netmask 255.255.255.255
static (inside3,PrimaryISP) A-69.74.205.229 NYEX1 netmask 255.255.255.255
static (inside3,PrimaryISP) TKO 192.168.3.12 netmask 255.255.255.255
static (inside3,PrimaryISP) A-69.74.205.228 192.168.3.89 netmask 255.255.255.255
static (inside3,PrimaryISP) A-69.74.205.234 192.168.3.33 netmask 255.255.255.255
static (inside3,PrimaryISP) A-69.74.205.230 WSUS netmask 255.255.255.255
static (inside3,BackupISP) A-64.52.247.50 WSUS netmask 255.255.255.255
static (inside3,PrimaryISP) A-69.74.205.231 A-192.168.3.15 netmask 255.255.255.255
static (inside3,PrimaryISP) A-69.74.205.235 Kia_RDP_INT netmask 255.255.255.255
static (inside3,PrimaryISP) A-69.74.205.236 Nick netmask 255.255.255.255
static (inside3,PrimaryISP) A-69.74.205.237 SK netmask 255.255.255.255
static (inside3,PrimaryISP) A-69.74.205.238 ANALYZER netmask 255.255.255.255
access-group outside_access_in in interface BackupISP
access-group inside_access_in in interface inside3
access-group backup_access_in in interface PrimaryISP
route PrimaryISP 0.0.0.0 0.0.0.0 69.74.205.225 1 track 1
route BackupISP 0.0.0.0 0.0.0.0 64.52.247.33 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ECI protocol tacacs+
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization exec authentication-server
http server enable
http 192.168.3.0 255.255.255.0 inside3
http NYEX1 255.255.255.255 inside3
http 192.168.3.20 255.255.255.255 inside3
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server listen-port 1610
sla monitor 123
 type echo protocol ipIcmpEcho 167.206.7.4 interface PrimaryISP
sla monitor schedule 123 life forever start-time now
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface BackupISP
crypto map outside_map interface PrimaryISP
crypto map inside3_map 1 match address inside3_cryptomap
crypto map inside3_map 1 set peer 173.247.204.74
crypto map inside3_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside3_map 2 match address inside3_cryptomap_1
crypto map inside3_map 2 set peer 24.43.165.42
crypto map inside3_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside3_map 3 match address inside3_cryptomap_2
crypto map inside3_map 3 set peer 70.99.142.162
crypto map inside3_map 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside3_map 4 match address inside3_cryptomap_3
crypto map inside3_map 4 set peer 204.16.153.114
crypto map inside3_map 4 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside3_map 5 match address inside3_cryptomap_4
crypto map inside3_map 5 set peer 99.115.135.225
crypto map inside3_map 5 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside3_map 6 match address inside3_cryptomap_5
crypto map inside3_map 6 set peer A-108.66.222.161
crypto map inside3_map 6 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside3_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside3_map interface inside3
crypto isakmp enable BackupISP
crypto isakmp enable inside3
crypto isakmp enable PrimaryISP
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000
!
track 1 rtr 123 reachability
no vpn-addr-assign dhcp
telnet 192.168.3.182 255.255.255.255 inside3
telnet SK 255.255.255.255 inside3
telnet 192.168.3.99 255.255.255.255 inside3
telnet timeout 25
ssh SK 255.255.255.255 inside3
ssh 192.168.3.130 255.255.255.255 inside3
ssh timeout 10
console timeout 0
management-access inside3
dhcpd dns 8.8.4.4 4.2.2.2
!
dhcpd address 192.168.70.100-192.168.70.150 inside70
dhcpd lease 86400 interface inside70
dhcpd option 4 ascii time.nist.gov interface inside70
dhcpd enable inside70
!
vpn load-balancing
 interface lbprivate inside3
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address SFLan 255.255.255.0
threat-detection scanning-threat shun except ip-address LA_Office 255.255.255.0
threat-detection scanning-threat shun except ip-address SEAOffice 255.255.255.0
threat-detection scanning-threat shun except ip-address 192.168.3.113 255.255.255.255
threat-detection scanning-threat shun except ip-address 216.82.249.179 255.255.255.255
threat-detection scanning-threat shun except ip-address 216.82.249.211 255.255.255.255
threat-detection scanning-threat shun except ip-address 216.82.254.179 255.255.255.255
threat-detection scanning-threat shun except ip-address 64.52.247.35 255.255.255.255
threat-detection scanning-threat shun except object-group ML-001
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 198.123.30.132 source BackupISP prefer
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
group-policy glocap.com internal
group-policy glocap.com attributes
 dns-server value 192.168.3.4 192.168.3.18
 vpn-tunnel-protocol IPSec svc webvpn
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value glocap.com_SplitTunnelACL
 default-domain value glocap.com
username carpio password biwpDBSydzum/WPZ encrypted
username carpio attributes
 vpn-group-policy glocap.com
username Korb@glocap.com password z7mx4J4vEABRf.2W encrypted privilege 0
username Korb@glocap.com attributes
 vpn-group-policy glocap.com
username franklin password OdnbIuf5/H3mdqnF encrypted
username franklin attributes
 vpn-group-policy glocap.com
username admin password RhT7Oa3luNGYGwKl encrypted privilege 15
username admin attributes
 vpn-group-policy glocap.com
username zoia@glocap.com password iarvwww40jwB3oBf encrypted privilege 0
username zoia@glocap.com attributes
 vpn-group-policy glocap.com
username ctoffice password 3qpNN8u1sMkwQV2t encrypted
username ctoffice attributes
 vpn-group-policy glocap.com
 vpn-simultaneous-logins 3
 webvpn
  svc ask enable default svc
username enable_16 password sj2wkcWtN4dIfBl6 encrypted privilege 15
username song password ggyYwwJ2UNJMYF5L encrypted privilege 0
username song attributes
 vpn-group-policy glocap.com
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN_Pool
 dhcp-server 192.168.3.4
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 pre-shared-key *
tunnel-group glocap.com type remote-access
tunnel-group glocap.com general-attributes
 address-pool VPN_Pool
 default-group-policy glocap.com
tunnel-group glocap.com ipsec-attributes
 pre-shared-key *
tunnel-group 74.211.164.194 type ipsec-l2l
tunnel-group 74.211.164.194 ipsec-attributes
 pre-shared-key *
tunnel-group 24.43.165.42 type ipsec-l2l
tunnel-group 24.43.165.42 ipsec-attributes
 pre-shared-key *
tunnel-group 70.99.142.162 type ipsec-l2l
tunnel-group 70.99.142.162 ipsec-attributes
 pre-shared-key *
tunnel-group 173.247.204.74 type ipsec-l2l
tunnel-group 173.247.204.74 ipsec-attributes
 pre-shared-key *
tunnel-group 99.115.135.225 type ipsec-l2l
tunnel-group 99.115.135.225 ipsec-attributes
 pre-shared-key *
tunnel-group 108.66.222.161 type ipsec-l2l
tunnel-group 108.66.222.161 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect ipsec-pass-thru
  inspect icmp
!
service-policy global_policy global
smtp-server 192.168.3.10
prompt hostname context
Cryptochecksum:e8314d9e5e85d6bceed47bb2bfd117e5
: end
asdm image disk0:/asdm-623.bin
asdm location Sharepoint 255.255.255.255 inside
asdm location A-69.74.205.229 255.255.255.255 inside
asdm location A-69.74.205.228 255.255.255.255 inside
asdm location A-69.74.205.231 255.255.255.255 inside
asdm location A-64.52.247.50 255.255.255.255 inside
asdm location TKO 255.255.255.255 inside
asdm location A-69.74.205.234 255.255.255.255 inside
asdm location A-69.74.205.235 255.255.255.255 inside
asdm location Google1 255.255.240.0 inside
asdm location Google2 255.255.252.0 inside
asdm location Google3 255.255.240.0 inside
asdm location Postini 255.255.252.0 inside
asdm location LA_Office 255.255.255.0 inside
asdm location SEAOffice 255.255.255.0 inside
asdm location NYEX1 255.255.255.255 inside
asdm location A-69.74.205.230 255.255.255.255 inside
asdm location A-192.168.3.15 255.255.255.255 inside
asdm location Kia_RDP_INT 255.255.255.255 inside
asdm location A-108.66.222.161 255.255.255.255 inside
asdm location Nick 255.255.255.255 inside
asdm location A-69.74.205.236 255.255.255.255 inside
asdm location A-69.74.205.237 255.255.255.255 inside
asdm location A-69.74.205.238 255.255.255.255 inside
asdm location ANALYZER 255.255.255.255 inside
asdm location 96.56.6.165 255.255.255.255 inside
asdm location SK 255.255.255.255 inside
no asdm history enable
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39202410
Right off hand I don't see anything.
0
 

Author Comment

by:Glocap
ID: 39202588
Thanks, so I will make the changes that you suggested for the external interface.
0
 
LVL 5

Expert Comment

by:aarie
ID: 39202967
Just out of curiosity, do your users by any chance also try to use the anyconnect client (e.g. from their mobile phones/tablets) to connect to the ASA? Even though your config doesn't seem to support it, it could be a reason for the tcp 443 connection attempts showing up (the anyconnect client uses ssl vpn which in turn uses both tcp (command channel) and udp (data channel) for its communication).
0
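Whether the port-443 denies come from one address or from many decides what can be done about them (the thread's earlier suggestions were a whois/abuse report for a single source versus an ACL for the traffic). The following is an added example, not code from the original thread: it parses %ASA-3-710003 syslog lines of the shape quoted in the question, aggregates them by source address and destination port, and labels the pattern. The log lines are constructed samples using documentation address ranges, since the question's real addresses were redacted, and the 0.8 single-source threshold is an assumed default.

```python
import re
from collections import Counter

# Regex for the shape of the ASA 710003 message quoted in this thread:
#   %ASA-3-710003: TCP access denied by ACL from SRC/SPORT to IFACE:DST/DPORT
# The source port and interface name are optional so that lines pasted with
# them stripped (as in the question) still parse.
ACL_DENY_RE = re.compile(
    r"%ASA-\d-710003:\s+(?P<proto>\w+)\s+access denied by ACL from\s+"
    r"(?P<src>[\d.]+)(?:/(?P<sport>\d+))?\s+to\s+"
    r"(?:(?P<iface>[^:]+?)\s*:)?(?P<dst>[\d.]+)/(?P<dport>\w+)",
    re.IGNORECASE,
)

# Constructed sample syslog lines (not from the original thread); the
# question's real addresses were redacted, so documentation ranges are used.
SAMPLE_LOG = """\
%ASA-3-710003: TCP access denied by ACL from 198.51.100.7/51022 to outside:203.0.113.10/443
%ASA-3-710003: TCP access denied by ACL from 198.51.100.7/51023 to outside:203.0.113.10/443
%ASA-3-710003: TCP access denied by ACL from 192.0.2.44/40110 to outside:203.0.113.10/443
%ASA-3-710003: TCP access denied by ACL from 192.0.2.45/40111 to outside:203.0.113.10/443
%ASA-3-710003: TCP access denied by ACL from 192.0.2.46/40112 to outside:203.0.113.10/80
%ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.168.3.10/52100 (203.0.113.10/52100)
"""


def parse_acl_denies(log_text):
    """Return one dict per 710003 line (proto, src, sport, iface, dst, dport).

    Lines carrying other message IDs are ignored.
    """
    events = []
    for line in log_text.splitlines():
        match = ACL_DENY_RE.search(line)
        if match:
            events.append(match.groupdict())
    return events


def summarize(events):
    """Count denies per source address and per destination port."""
    by_src = Counter(e["src"] for e in events)
    by_dport = Counter(e["dport"] for e in events)
    return by_src, by_dport


def classify(by_src, single_source_share=0.8):
    """Label the deny pattern.

    'single-source' when one address produces at least single_source_share
    of all denies (an abuse report to its owner is then worthwhile);
    'distributed' otherwise, where blocking individual addresses will not help.
    The 0.8 default is an assumed threshold, not an ASA setting.
    """
    total = sum(by_src.values())
    if total == 0:
        return "none"
    _, top_count = by_src.most_common(1)[0]
    return "single-source" if top_count / total >= single_source_share else "distributed"


if __name__ == "__main__":
    evts = parse_acl_denies(SAMPLE_LOG)
    srcs, ports = summarize(evts)
    print(f"{len(evts)} ACL denies; pattern: {classify(srcs)}")
    print("top sources:", srcs.most_common(3))
    print("destination ports:", dict(ports))
```

Feed it the syslog export from the ASA (or the ASDM log viewer's text copy) rather than the redacted snippet; the regex tolerates both the full message with source port and interface and the trimmed form quoted in the question.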
 

Author Comment

by:Glocap
ID: 39202972
Should I also disable basic threat detection in the firewall, as every time the ASA denies TCP access we experience internet drops in our internal LAN?
0
 

Author Comment

by:Glocap
ID: 39203323
No, our users don't connect to the ASA through VPN.

I ran the deny-any command for ports 80 and 443 on the external interface of the ASA, but it's still the same: still having internet drops.
0
 

Author Comment

by:Glocap
ID: 39204699
I ran the show asp command, if this helps in getting to a solution.

Result of the command: "show asp drop"

Frame drop:
  Invalid encapsulation (invalid-encap)                                        7
  No valid adjacency (no-adjacency)                                        18937
  Flow is denied by configured rule (acl-drop)                             64921
  Invalid SPI (np-sp-invalid-spi)                                           1125
  First TCP packet not SYN (tcp-not-syn)                                   82906
  TCP failed 3 way handshake (tcp-3whs-failed)                               278
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                  117
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                            55
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                  25
  TCP packet failed PAWS test (tcp-paws-fail)                                 27
  IPSEC tunnel is down (ipsec-tun-down)                                      136
  Slowpath security checks failed (sp-security-failed)                         1
  DNS Inspect id not matched (inspect-dns-id-not-matched)                     10
  Interface is down (interface-down)                                          10
  Dropped pending packets in a closed socket (np-socket-closed)              391

Last clearing: Never

Flow drop:
  Tunnel being brought up or torn down (tunnel-pending)                       20
  Inspection failure (inspect-fail)                                           12

Last clearing: Never
0
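The counters above are cumulative since boot ("Last clearing: Never"), so a single snapshot only shows totals; what points at the current problem is which reasons dominate and which keep growing while the drops are happening. The following is an added example, not code from the thread or from Cisco: it parses the posted show asp drop output into per-section counters, ranks the reasons by their share, and diffs two snapshots. The sample input is the output posted above; the snapshot diff values in the usage are constructed.

```python
import re

# One counter line of 'show asp drop' has the form:
#   <description> (<reason-name>)   <count>
ASP_DROP_LINE = re.compile(
    r"^\s+(?P<desc>.+?)\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$"
)
SECTION_LINE = re.compile(r"^(?P<section>Frame drop|Flow drop):\s*$")

# Sample input: the 'show asp drop' output posted in this thread.
SAMPLE_ASP_DROP = """\
Frame drop:
  Invalid encapsulation (invalid-encap)                                        7
  No valid adjacency (no-adjacency)                                        18937
  Flow is denied by configured rule (acl-drop)                             64921
  Invalid SPI (np-sp-invalid-spi)                                           1125
  First TCP packet not SYN (tcp-not-syn)                                   82906
  TCP failed 3 way handshake (tcp-3whs-failed)                               278
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                  117
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                            55
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                  25
  TCP packet failed PAWS test (tcp-paws-fail)                                 27
  IPSEC tunnel is down (ipsec-tun-down)                                      136
  Slowpath security checks failed (sp-security-failed)                         1
  DNS Inspect id not matched (inspect-dns-id-not-matched)                     10
  Interface is down (interface-down)                                          10
  Dropped pending packets in a closed socket (np-socket-closed)              391

Last clearing: Never

Flow drop:
  Tunnel being brought up or torn down (tunnel-pending)                       20
  Inspection failure (inspect-fail)                                           12

Last clearing: Never
"""


def parse_asp_drop(text):
    """Return {section: {reason_name: count}} for each Frame drop / Flow drop block."""
    result = {}
    section = None
    for line in text.splitlines():
        sec = SECTION_LINE.match(line)
        if sec:
            section = sec.group("section")
            result[section] = {}
            continue
        row = ASP_DROP_LINE.match(line)
        if row and section is not None:
            result[section][row.group("name")] = int(row.group("count"))
    return result


def top_reasons(counts, n=3):
    """Largest counters first, each with its share of the section total."""
    total = sum(counts.values())
    if total == 0:
        return []
    ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:n]
    return [(name, count, round(count / total, 3)) for name, count in ranked]


def delta(before, after):
    """Per-reason growth between two snapshots of one section.

    Because the ASA never resets these counters unless told to, the diff
    taken across a period of user-visible drops is more telling than totals.
    """
    return {name: after.get(name, 0) - before.get(name, 0)
            for name in set(before) | set(after)
            if after.get(name, 0) != before.get(name, 0)}


if __name__ == "__main__":
    drops = parse_asp_drop(SAMPLE_ASP_DROP)
    for section, counts in drops.items():
        print(section, top_reasons(counts))
    # Constructed second snapshot: only acl-drop and tcp-not-syn moved.
    later = dict(drops["Frame drop"], **{"acl-drop": 65400, "tcp-not-syn": 83100})
    print("grew since first snapshot:", delta(drops["Frame drop"], later))
```

On the posted output, tcp-not-syn (TCP packets arriving for a connection the ASA has no entry for) and acl-drop together account for most of the frame drops; taking a second capture while users are experiencing a drop and diffing it with delta shows which of them is actually rising at that moment.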
 
LVL 26

Expert Comment

by:pony10us
ID: 39204744
I really didn't think those commands would stop the drops since it was already blocking that traffic.  

What model of ASA is this?

Can you provide the results of running "sho ver |  inc Inside Hosts" without the quotes?
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39205009
I was just reviewing the Cisco alerts today and came across this:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asa

May have nothing to do with the issue but thought I would let you know anyway.
0
 

Author Comment

by:Glocap
ID: 39205040
Hi pony10us, we have ASA version 8.0(5); please find below the results of the command you requested.

Result of the command: "sho ver |  inc Inside Hosts"

Inside Hosts                 : Unlimited

I also did a clear xlate.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39205067
Instead of clear xlate, try clear conn.
0
 

Author Comment

by:Glocap
ID: 39205093
What does the clear conn command do? Can I do it during business hours without affecting internet?

Also, I unchecked the option "send reset reply for denied outside TCP packets" (under TCP Options).
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39205125
I would wait until after hours.  You can do a show conn to see the connections anytime.


clear conn

To clear a specific connection or multiple connections, use the clear conn command in privileged EXEC mode. This command supports IPv4 and IPv6 addresses.


Usage Guidelines

When the security appliance creates a pinhole to allow secondary connections, this is shown as an incomplete conn by the show conn command. To clear this incomplete conn use the clear conn command.
 
Examples

The following example shows all connections, and then clears the management connection between 10.10.10.108:4168 and 10.0.8.112:22:
 
hostname# show conn all

TCP mgmt 10.10.10.108:4168 NP Identity Ifc 10.0.8.112:22, idle 0:00:00, bytes 3084, flags UOB

hostname# clear conn address 10.10.10.108 port 4168 address 10.0.8.112 port 22
0
 

Author Comment

by:Glocap
ID: 39205412
The disconnects have stopped now all of a sudden. I didn't make any more changes and it seems stable. I don't know what fixed the issue.
0
 
LVL 26

Accepted Solution

by:pony10us earned 500 total points
ID: 39205523
I would lean towards the "clear xlate".  I would watch it a little longer just to be sure it actually has stopped though.
0