Jasnall

asked on
CISCO ASA 5506 ASDM Firewall Settings / Block IPs

I manage an ASA 5506 firewall through ASDM. I don't have much experience with these, so I have been figuring it out as I go. I have zero experience with command line configuration.

We use a monitoring service that lets us know when there is internal and external communication with known bad IP addresses. The usual course of action is to block the IP on the firewall incoming/outgoing interfaces.

I inherited this firewall with a Blacklist already in place with some IPs in it, and I have been adding known bad IPs to the list to block them. I created my own outgoing rule referencing the same blacklist to block internal IPs from connecting to these blacklisted IPs.

I keep getting the same alert for the same IP address that is already on my blacklist; multiple internal IPs are still connecting to this external blacklisted IP and it is connecting back.
I'm at a loss here. I'm looking to find out if my rules are set up correctly. I'll attach pictures.

Examples of the alerts
Jul 18 2017 10:52:09: %ASA-6-302013: Built outbound TCP connection 4436965 for outside:104.20.15.243/80 (104.20.15.243/80) to inside:10.0.0.29/53560 (Public/53560)
Jul 18 2017 10:52:31: %ASA-6-302014: Teardown TCP connection 4436965 for outside:104.20.15.243/80 to inside:10.0.0.29/53560 duration 0:00:21 bytes 882 TCP FINs

Jul 18 18:02:59 [10.0.0.1] Jul 18 2017 10:52:09: %ASA-6-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from inside:10.0.0.29/53560 to outside:104.20.15.243/80 locally
Jul 18 2017 10:52:31: %ASA-6-302014: Teardown TCP connection 4436965 for outside:104.20.15.243/80 to inside:10.0.0.29/53560 duration 0:00:21 bytes 882 TCP FINs
PDA-outgoing-rule.PNG
PDA-incoming-rule.PNG
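As an added example (not part of the original thread or of Cisco's tooling), the following Python script does the same check the monitoring service is doing: it parses the ASA 302013 "Built connection" syslog messages quoted above and reports any connection with a blacklisted endpoint on either side, together with the ASA's own direction keyword. A "Built" message only appears for a connection the ACLs permitted, so a hit here is direct evidence that the blacklist rule is not matching that flow. The blacklist contents and the extra sample log lines (the 192.0.2.0/24 and 198.51.100.x addresses) are constructed for the example; the first two lines are the ones from the question.

```python
import ipaddress
import re

# Constructed blacklist, modelled on the "object-group network blacklist" in the
# question. 104.20.15.243 is the address from the alerts; 192.0.2.0/24 is a
# documentation range added here to show that CIDR entries work too.
BLACKLIST = ["104.20.15.243", "192.0.2.0/24"]

# Constructed sample log: the two lines from the question plus one clean
# outbound connection and one inbound connection from a blacklisted source.
SAMPLE_LOG = [
    "Jul 18 2017 10:52:09: %ASA-6-302013: Built outbound TCP connection 4436965 for "
    "outside:104.20.15.243/80 (104.20.15.243/80) to inside:10.0.0.29/53560 (Public/53560)",
    "Jul 18 2017 10:52:31: %ASA-6-302014: Teardown TCP connection 4436965 for "
    "outside:104.20.15.243/80 to inside:10.0.0.29/53560 duration 0:00:21 bytes 882 TCP FINs",
    "Jul 18 2017 10:53:02: %ASA-6-302013: Built outbound TCP connection 4436970 for "
    "outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.31/50122 (Public/50122)",
    "Jul 18 2017 10:53:40: %ASA-6-302013: Built inbound TCP connection 4436981 for "
    "outside:192.0.2.10/41000 (192.0.2.10/41000) to inside:10.0.0.5/443 (Public/443)",
]

# %ASA-6-302013 layout: Built <direction> <proto> connection <id> for
# <if>:<real-ip>/<port> (<mapped>) to <if>:<real-ip>/<port> (<mapped>)
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection (?P<conn_id>\d+) for "
    r"(?P<if_a>\w+):(?P<ip_a>\d{1,3}(?:\.\d{1,3}){3})/(?P<port_a>\d+) \([^)]*\) to "
    r"(?P<if_b>\w+):(?P<ip_b>\d{1,3}(?:\.\d{1,3}){3})/(?P<port_b>\d+)"
)


def compile_blacklist(entries):
    """Turn host and CIDR strings into ip_network objects (a bare host becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_blacklisted(ip, networks):
    """True if the address falls inside any blacklist entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_blacklisted_connections(log_lines, blacklist_entries):
    """Return one record per 302013 message whose either endpoint is blacklisted.

    Teardown (302014) and other messages are ignored: only a Built message shows
    that the firewall actually permitted the flow.
    """
    networks = compile_blacklist(blacklist_entries)
    hits = []
    for line in log_lines:
        m = BUILT_RE.search(line)
        if not m:
            continue
        for side, peer in (("a", "b"), ("b", "a")):
            ip = m.group(f"ip_{side}")
            if is_blacklisted(ip, networks):
                hits.append({
                    "conn_id": m.group("conn_id"),
                    "direction": m.group("direction"),   # ASA's own keyword
                    "proto": m.group("proto"),
                    "blacklisted_ip": ip,
                    "blacklisted_if": m.group(f"if_{side}"),
                    "peer_ip": m.group(f"ip_{peer}"),
                    "peer_if": m.group(f"if_{peer}"),
                })
    return hits


def describe(hit):
    """One-line summary suitable for an alert or a ticket."""
    return (f"conn {hit['conn_id']}: {hit['direction']} {hit['proto']} permitted between "
            f"{hit['blacklisted_if']}:{hit['blacklisted_ip']} (blacklisted) and "
            f"{hit['peer_if']}:{hit['peer_ip']}")


if __name__ == "__main__":
    for hit in find_blacklisted_connections(SAMPLE_LOG, BLACKLIST):
        print(describe(hit))
```

Run against the sample, it flags connection 4436965 (outbound, blacklisted host on the outside interface) and the constructed inbound 4436981, and stays silent for the clean 198.51.100.7 flow and for the Teardown line. The direction keyword is the useful part for the question in this thread: "outbound" means the ASA saw the flow initiated from the higher-security (inside) side, so it is the outgoing rule, not the incoming one, that would have had to block it.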
Andy Bartkiewicz

Looks like your traffic directions are backwards. In is into the ASA from the interface, and out is out of the interface from the ASA. Also, I think your subnet mask might be wrong. If you want to cover the whole 10.x.x.x network the mask should be /8, not /24.
Jasnall (ASKER)
/24 is all we need
The rules seem to be working fine except for a few IPs we keep getting alerts on. They may be false positives.
Pete Long
>> I have zero experience with command line configuration

I'm assuming you can log on at the command line?

show run object-group id blacklist

Does this IP 104.20.15.243 appear in the list?

if not

conf t
object-group network blacklist
network-object host 104.20.15.243
exit
exit
clear xlate
wr mem

Pete
Jasnall (ASKER)
It appears the Blacklist is working at least halfway. Internal addresses are still connecting to blacklisted IPs, but they are not connecting back. I would still like to get the internal-to-external list working.
Jasnall (ASKER)
Pete, did you mean you don't have experience with the GUI?

I don't have any command line experience, but I can look up how to do that and try those commands. But it does appear the external-to-internal rules are working.
>> Pete, did you mean you don't have experience with the GUI?

Sort of. I don't bother to learn it because by the time you learn how to do everything in the ASDM, Cisco move it all around and add or remove things, and you've wasted your time. Command line rarely changes, and I can do at the command line in 10 seconds what it would take you 15 minutes to do in the ASDM.

If you need to learn how to connect at the command line, see:
Connecting to and Managing Cisco Firewalls

pete