ASA 5508 - Block IP addresses doing Proxy scans

tpennington — Mon, 20 Sep 2021 12:50:22 GMT

Over the past several months, I've noticed a lot of login attempts from Foreign IP addresses trying to log into my Exchange server. The server is fully patched but I would like to block these IP's at the firewall so that they simply can't try the login attempt.

I thought I had the correct Extended ACL created, but I can still see the IP's hitting my Exchange server log. Below are the ACL's I have, any suggestions are welcome.

access-list External-Verizon_access_in_1 extended permit tcp any object MAIL-SERVER eq smtp
access-list External-Verizon_access_in_1 extended permit tcp any object MAIL-SERVER eq pop3
access-list External-Verizon_access_in_1 extended permit tcp any object MAIL-SERVER eq 995
access-list External-Verizon_access_in_1 extended permit tcp any object MAIL-SERVER eq 587
access-list External-Verizon_access_in_1 extended permit tcp any object MAIL-SERVER eq 465
access-list External-Verizon_access_in_1 extended permit tcp any object MAIL-SERVER eq 993
access-list External-Verizon_access_in_1 extended permit tcp any object MAIL-SERVER eq https
access-list External-Verizon_access_in_1 extended permit tcp any object MAIL-SERVER eq www
access-list External-Verizon_access_in_1 extended deny tcp any object MAIL-SERVER eq ftp
access-list External-Verizon_access_in_1 extended permit tcp any object MAIL-SERVER eq smtp
access-list External-Verizon_access_in_1 extended permit tcp any object MAIL-SERVER eq www
access-list External-Verizon_access_in_1 extended permit tcp any object MAIL-SERVER eq https
access-list External-Verizon_access_in_1 extended deny icmp any any
access-list External-Verizon_access_in_1 extended deny tcp any any eq 3389 log
access-list External-Verizon_access_in_1 extended deny ip any any log

access-list BLOCK-IP-RANGES extended deny ip 207.180.212.0 255.255.255.0 any log
access-list BLOCK-IP-RANGES extended deny ip 87.246.7.0 255.255.255.0 any log
access-list BLOCK-IP-RANGES extended deny ip 5.188.206.0 255.255.255.0 any log

as you can see, I'm trying to block the entire 5.188.206.0/24 subnet but it doesn't appear to be working.

Thoughts?

Re: ASA 5508 - Block IP addresses doing Proxy scans

Rob Ingram — Mon, 20 Sep 2021 12:55:59 GMT

@tpennington

You can only attach 1 ACL to an interface in the same direction. So your ACL "External-Verizon_access_in_1" is the current ACL which is attached inbound on your outside interface, you'll need to add those IP networks to block in that ACL.

access-list External-Verizon_access_in_1 extended deny ip 207.180.212.0 255.255.255.0 any log
access-list External-Verizon_access_in_1 extended deny ip 87.246.7.0 255.255.255.0 any log
access-list External-Verizon_access_in_1 extended deny ip 5.188.206.0 255.255.255.0 any log

These rules will obviously need to be above the existing rules.

Re: ASA 5508 - Block IP addresses doing Proxy scans

tpennington — Mon, 20 Sep 2021 13:53:23 GMT

I was afraid of this. Thanks Rob!

Re: ASA 5508 - Block IP addresses doing Proxy scans

tpennington — Mon, 20 Sep 2021 13:59:20 GMT

Rob,

so what is the point of the Extended Access List then or is this a limitation/feature of the ASA?

topic Re: ASA 5508 - Block IP addresses doing Proxy scans in Network Security

ASA 5508 - Block IP addresses doing Proxy scans

Re: ASA 5508 - Block IP addresses doing Proxy scans

Re: ASA 5508 - Block IP addresses doing Proxy scans

Re: ASA 5508 - Block IP addresses doing Proxy scans