https://community.cisco.com/t5/network-security/blocking-shunning-hosts-with-service-policy-rules/m-p/2088087#M393834 <P>I have an ASA 5510 deployed and we are getting a tonne of port scanning traffic (who isn't these days) and ping traffic.</P><P></P><P>The threat scanning thresholds seem a bit too high and was wondering if there is a way to use a Service Policy Rule to perform a Shun/Block of the hosts rather than the firewall simply blocking the request via the ACL and sending a reply.</P><P></P><P>In other words, if I do nothing, I know the ACL is protecting the resources but it is still replying to the client connection. I want the end result to be the same as a "Shun" where the connection is dropped and no reply is sent.</P><P></P><P>Does anyone have an example of how to employ Service Policy Rules to thwart Port Scanning and/or IP Spoofing?&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Tue, 12 Mar 2019 00:40:05 GMT victorr001 2019-03-12T00:40:05Z https://community.cisco.com/t5/network-security/blocking-shunning-hosts-with-service-policy-rules/m-p/2088087#M393834 <P>I have an ASA 5510 deployed and we are getting a tonne of port scanning traffic (who isn't these days) and ping traffic.</P><P></P><P>The threat scanning thresholds seem a bit too high and was wondering if there is a way to use a Service Policy Rule to perform a Shun/Block of the hosts rather than the firewall simply blocking the request via the ACL and sending a reply.</P><P></P><P>In other words, if I do nothing, I know the ACL is protecting the resources but it is still replying to the client connection. I want the end result to be the same as a "Shun" where the connection is dropped and no reply is sent.</P><P></P><P>Does anyone have an example of how to employ Service Policy Rules to thwart Port Scanning and/or IP Spoofing?&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Tue, 12 Mar 2019 00:40:05 GMT https://community.cisco.com/t5/network-security/blocking-shunning-hosts-with-service-policy-rules/m-p/2088087#M393834 victorr001 2019-03-12T00:40:05Z https://community.cisco.com/t5/network-security/blocking-shunning-hosts-with-service-policy-rules/m-p/2088088#M393835 <HTML><HEAD></HEAD><BODY><PRE><STRONG>service resetoutside</STRONG></PRE><P></P><P>command sets ASA to send TCP RST to denied traffic but it is disabled by default. That is, denied incoming packets are dropped silently by default.</P></BODY></HTML> Sat, 22 Dec 2012 14:04:35 GMT https://community.cisco.com/t5/network-security/blocking-shunning-hosts-with-service-policy-rules/m-p/2088088#M393835 Peter Koltl 2012-12-22T14:04:35Z https://community.cisco.com/t5/network-security/blocking-shunning-hosts-with-service-policy-rules/m-p/2088089#M393836 <HTML><HEAD></HEAD><BODY><P> Thanks for the tip Peter.</P><P></P><P>I was really hoping to find a solution using the service policy if possible so that I could tune the parameters on packets per second, source ip, etc and be more specific about how to block these attacks.</P><P></P><P>The end result would be to reset the connection, but, the logic around whether it should be reset or not is what I am interested in.</P></BODY></HTML> Sat, 22 Dec 2012 21:40:41 GMT https://community.cisco.com/t5/network-security/blocking-shunning-hosts-with-service-policy-rules/m-p/2088089#M393836 victorr001 2012-12-22T21:40:41Z