https://community.cisco.com/t5/network-security/static-nat-statement-allowed-ips-to-miss-a-potential-attack/m-p/2420882#M53164 <HTML><HEAD></HEAD><BODY><P>Thanks for your answer. that makes sense to me. </P></BODY></HTML> Tue, 24 Dec 2013 19:20:57 GMT misscat123 2013-12-24T19:20:57Z https://community.cisco.com/t5/network-security/static-nat-statement-allowed-ips-to-miss-a-potential-attack/m-p/2420880#M53159 <P>Hi,</P><P>I have a question about static nat statement and the IPS module. Customer says that there was a brute force attack against a server on port 3389 RDP.</P><P>The IPS did not report any attack in progress, nor does it show in history there was an attack.</P><P>I think because this statement was in the router: ip nat inside source static tcp x.x.x.x 3389 (external address x.x.x.x) 3389 extendable</P><P>that the IPS did not see any problem, and therefore the traffic was not classified as rogue. </P><P>Can anyone confirm this is why IPS did not alert on the traffic, or add your thoughts?</P><P>Every 2 minutes someone was trying to login to the server from the outside. Server logs alerted customer there was a problem.</P><P>Customer removed the statement from the router, and attack ceased.</P><P></P><P>we have </P><P>internet-&gt;3925 router-&gt;asa512 w/IPS module-&gt;inside lan</P><P></P><P>thank you</P> Sun, 10 Mar 2019 13:06:37 GMT https://community.cisco.com/t5/network-security/static-nat-statement-allowed-ips-to-miss-a-potential-attack/m-p/2420880#M53159 misscat123 2019-03-10T13:06:37Z https://community.cisco.com/t5/network-security/static-nat-statement-allowed-ips-to-miss-a-potential-attack/m-p/2420881#M53162 <HTML><HEAD></HEAD><BODY><P>The reason that the attack ceased when you remove the NAT is probably due to that no external access is possible any more without that NAT-statement.</P><P></P><P>The reason that you missed the attack on the IPS has two reasons:</P><P></P><P>1) To my knowledge there is no signature for failed logins to an RDP-service. So the IPS can't act on it.</P><P>2) If there had been a signature, the thresholds had to be quite tight for an attack that only happens every two minutes. That leads to higher false-positive rate or missed attacks if the thresholds are set higher.</P><P></P><P>Here it seems that your security is working as you have a second soource of input (your log-files).</P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Thu, 19 Dec 2013 08:34:05 GMT https://community.cisco.com/t5/network-security/static-nat-statement-allowed-ips-to-miss-a-potential-attack/m-p/2420881#M53162 Karsten Iwen 2013-12-19T08:34:05Z https://community.cisco.com/t5/network-security/static-nat-statement-allowed-ips-to-miss-a-potential-attack/m-p/2420882#M53164 <HTML><HEAD></HEAD><BODY><P>Thanks for your answer. that makes sense to me. </P></BODY></HTML> Tue, 24 Dec 2013 19:20:57 GMT https://community.cisco.com/t5/network-security/static-nat-statement-allowed-ips-to-miss-a-potential-attack/m-p/2420882#M53164 misscat123 2013-12-24T19:20:57Z