topic Re: without IPS block malicious VPN traffic hitting to cisco ASA in Network Security

without IPS block malicious VPN traffic hitting to cisco ASA

anilkumar.cisco — Tue, 08 Jun 2021 12:05:43 GMT

Hello Team,

We have ASA5525, without IPS enabled, it is used mainly for anyconnect VPN.. and we are suspecting hitting of malicious traffic on VPN from outside.

How we can block this on outside interface if i know the malicious traffic source IP.

Any idea or expert advise. I don't have IPS in my environment.

Best Regards

Anil Singh

Re: without IPS block malicious VPN traffic hitting to cisco ASA

Rob Ingram — Tue, 08 Jun 2021 12:11:29 GMT

@anilkumar.cisco

You can use a control-plane ACL on the ASA, this will permit/deny traffic from known source destined "to" the ASA itself.

Use a normal ACL permitting/denying traffic and then define the access-group but append "control-plane" at the end.

access-group CPLANE in interface OUTSIDE control-plane

HTH

Re: without IPS block malicious VPN traffic hitting to cisco ASA

anilkumar.cisco — Tue, 08 Jun 2021 12:50:22 GMT

I am little bit bothered about this ACL..

Hope it will not impact to normal traffic or VPN traffic.. and stopped the anyconnect hack attempts.

I am looking for the config that will drop all traffic to all services on the firewalls outside interface – including all VPN / anyconnect traffic – if its in a denied object-group it will get dropped to the outside and AnyConnect.

What is your opinion on the below two solution

Can we also shun the ip’s manually to block them accessing ASA, as per below link

Ref link: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html#anc0

what about botnet traffic

Kindly advise.

Best Regards

Anil Singh

Re: without IPS block malicious VPN traffic hitting to cisco ASA

Rob Ingram — Tue, 08 Jun 2021 13:24:51 GMT

The control-plane ACL would block/permit traffic "to" the ASA itself, so yes it will control VPN (anyconnect) traffic, was that not your intention?

Normal traffic, which is traffic "through" the ASA, such as outbound internet acess from inside hosts will not be affected by the control-plane ACL. A normal interface or global ACL would control traffic "through" the ASA, inbound or outbound.

Re: without IPS block malicious VPN traffic hitting to cisco ASA

anilkumar.cisco — Tue, 08 Jun 2021 13:34:48 GMT

Yes.. that was my intention.. thanks for clarifying that..

Just want to understand, how shun the IP manually or botnet traffic could be used here..

Best Regard

Anil Singh

Re: without IPS block malicious VPN traffic hitting to cisco ASA

Rob Ingram — Tue, 08 Jun 2021 13:39:50 GMT

It's used to stop attacks before they reach the internal network infrastructure....so traffic "through" the ASA, not "to" the ASA which is a VPN. So the control-plane ACL would meet your requirements.

Another option is put an ACL inbound on the upstream router blocking the malicous IP addresses and permit all other.

Re: without IPS block malicious VPN traffic hitting to cisco ASA

anilkumar.cisco — Tue, 08 Jun 2021 13:55:26 GMT

so if by mistake, legitimate IP will be added in CPLANE ACL, then it cannot be able to established VPN tunnet via Annyconnect.. correct..

so this way we can also confirm, that our CPLANE ACL are working perfectly..

Re: without IPS block malicious VPN traffic hitting to cisco ASA

Rob Ingram — Tue, 08 Jun 2021 13:59:55 GMT

Yes.

Re: without IPS block malicious VPN traffic hitting to cisco ASA

anilkumar.cisco — Thu, 10 Jun 2021 08:51:46 GMT

I appreciate your response, Thanks very much!!