topic ASA 5510 Syn attacks in Network Security

ASA 5510 Syn attacks

Highnet_TSC — Tue, 12 Mar 2019 02:55:12 GMT

Hi All

Could anyone assist me help the above issuse, I had already created a discussion and was helped by

one of the community but could not resolve the issue.

I have attached a link in regards to carrying out troubleshooting with JouniForss but I could not resolve the fault

https://supportforums.cisco.com/thread/2245710 prevoiusly created discussion.

I have even rolled the asa config back to an earlier version which was allowing the partners site 62.233.82.181 on port 80 access and now it does not, if anyone has come across this issue and have resolved it could you please let me know.

Kind Regards.

ASA 5510 Syn attacks

Julio Carvajal — Wed, 23 Oct 2013 13:37:29 GMT

Hello Duncan,

Okey you provide us information ( a screenshoot even ) but what is the problem exactly?

Do you want to prevent DoS attacks? what are you looking for at this moment?

Regards

ASA 5510 Syn attacks

Highnet_TSC — Wed, 23 Oct 2013 15:42:51 GMT

Hi Julio

The problem is that our network connected to the ASA router on the inside, address range 192.168.254.0 /24 cannot

reach our partners site at 62.233.82.181 on port 80 connected on the outside.

This seems to be the only website that we cannot access everything else that is going through our ASA firewall is returning back this includes all other websites we visit.

What I would like to do is be able to setup a access rule or policy to resolve this as you can see from the screen shot, there is some sort of syn attack.

As I mentioned above we rolled back to an earlier config that was allowing as access to the partners web site but for some reason does not any more.

Regards

ASA 5510 Syn attacks

Julio Carvajal — Wed, 23 Oct 2013 19:16:18 GMT

Hello Duncan,

I now understand your issue,

Can you post or send me the configuration with the problem?

Regards,

Jcarvaja

follow me on http://laguiadelnetworking.com

ASA 5510 Syn attacks

jumora — Wed, 23 Oct 2013 20:23:19 GMT

I see how the ASA is reporting this and actually it could be related to the source not being able to receive a reply back from the destination thus reporting a SYN attack because all we see are SYN,SYN,SYN,SYN,SYN sent by the source 192.168.254.X address.

What I would ask of you would be the next:

I know that the packet tracer already indicates that it allows it through but we need to look at the phases that it is going through so please post the output.

I also need the output from a working network to the remote site, the reason I need this information would be for us to confirm that they are going out via the same IP and to confirm if there are any differences.

ASA 5510 Syn attacks

jumora — Wed, 23 Oct 2013 20:24:11 GMT

I mean a packet-tracer from the working network that resides behind the ASA.

ASA 5510 Syn attacks

jumora — Tue, 29 Oct 2013 01:09:58 GMT

Do you still need assistance, did any of the information given help you out?

ASA 5510 Syn attacks

jumora — Thu, 31 Oct 2013 17:52:19 GMT

Please update the ticket as resolved or answered so we can close out followup.

ASA 5510 Syn attacks

Highnet_TSC — Fri, 01 Nov 2013 09:00:52 GMT

HI Jumora

I have tried everything to rectify that I can think off, access-controls list creating class-maps policy maps, to include embryonic connections

turning off Basic threat detection. I have even connected straight into the ASA inside port that the network connects to and still cannot open or reach the partners site, but I can reach any other website on the network. Have also connected into the router which is the next hop after the ASA onto the internet and yes that does allow me to reach the partners site and open it in my web browser. So I am at a loss in trying to resolve this.

If you have any other suggestion Jumora I would be glad to hear them and try and put them into action if possible, as this is a working network down time is hard to arrange right away

Kind Regards.

ASA 5510 Syn attacks

jumora — Sun, 03 Nov 2013 02:56:03 GMT

OK, when you put the PC in front of the ASA what IP address do you dive it, why I want to know this is because if it is any address other than the IP address that we have for PAT on the ASA and is one of the addresses on the WAN side of the ASA I will change it from the PAT just to see if after we do this change you can reach the site.

ASA 5510 Syn attacks

Highnet_TSC — Mon, 04 Nov 2013 09:15:58 GMT

Hi Jumora

The IP address I give it is a private IP address, the strange thing is that I can reach all other sites while been plugged into the Inside on the ASA firewall, however I cannot reach the http://partners.highnet.com/login/ ip address 62.233.82.181 cannot figure this one out.

Regards

ASA 5510 Syn attacks

jumora — Mon, 04 Nov 2013 20:14:04 GMT

Ok, we can do two things here, one open up a TAC case if you have a contract and I can help you out or two you would need to send me the configuration and tell me what IP address you placed on the PC when it was able to reach the site when it was not behind the ASA so we can try to map that address to a PAT to see if then internal users are able to reach the site.

ASA 5510 Syn attacks

Highnet_TSC — Wed, 06 Nov 2013 10:58:42 GMT

Hi Jumora

Thanks for the details, we are now looking at setting up a smartnet account for our ASA routers and progress from there.

Thanks very much for your time and effort muct appreciated.

We can close this post.

Kind Regrads

ASA 5510 Syn attacks

jumora — Wed, 06 Nov 2013 17:28:32 GMT

Please rate the answer.

ASA 5510 Syn attacks

jumora — Wed, 06 Nov 2013 22:53:25 GMT

Please rate the assistance.

ASA 5510 Syn attacks

jumora — Thu, 14 Nov 2013 14:49:21 GMT

Please rate the assistance.