Pen test from outside the firewall

shalendra2 — Tue, 12 Mar 2019 08:16:54 GMT

Hi Team,

If somebody is trying to pen test from outside to inside network. In Cisco ASA which feature i have to enable to stop that. After enabling this, what event is generated and what is the message id for it.

Please suggest on this.

Regards,

Shalendra

Shalendra,

Pulkit Saxena — Sat, 17 Sep 2016 06:04:41 GMT

Shalendra,

Ideally the penetration test should fail as per the default behavior of the ASA itself.

Since outside interface is on the lowest security level, no packet should be allowed to go through unless it has been allowed in the ACL (also keeping NAT in mind).

Please check the ACL's that you have in inbound direction on the outside interface of the ASA.

In regards to the syslog's that you should be ideally seeing are :

Syslog message when there is no connection entry:

%ASA-6-106015: Deny TCP (no connection) from IP_address/port to
 IP_address/port flags tcp_flags on interface interface_name

Syslog message when the packet is denied by an ACL:

%ASA-4-106023: Deny protocol src [interface_name:source_address/source_port]
 dst interface_name:dest_address/dest_port by access_group acl_ID

Syslog message when there is no translation rule found:

%ASA-3-305005: No translation group found for protocol src interface_name:
 source_address/source_port dst interface_name:dest_address/dest_port

Syslog message when a packet is denied by Security Inspection:

%ASA-4-405104: H225 message received from outside_address/outside_port to
 inside_address/inside_port before SETUP

Syslog message when there is no route information:

%ASA-6-110003: Routing failed to locate next-hop for protocol from src
 interface:src IP/src port to dest interface:dest IP/dest port

Above mentioned are the most commonly seen syslog messages on a perimeter firewall when traffic is denied by the firewall.

Pulkit

topic Shalendra, in Network Security

Pen test from outside the firewall

Shalendra,