Solved: ASA 5540 IP Blocking Question

beatinger · ‎06-16-2020

I read up on this forum on how IPs should be blocked on our ASA 55xx firewall, and I added the following lines to the configuration:

access-list outside_access_in extended deny ip host 65.xxx.xxx.0 any
access-list outside_access_in extended deny ip host 51.xxx.xxx.0 any

Unfortunately, multiple requests from those IPs are still getting through to our Windows 2019 web server (I see these IPs constantly hitting the server, using PeerBlock v1.2). I would also like to learn how to block Denial of Service attacks using this device. I have enabled it through the ADSM, but am wondering if there are any specific settings that I should make.

My software version is as follows:

Cisco Adaptive Security Appliance Software Version 9.1(7)32
Device Manager Version 7.8(2)151

Compiled on Tue 04-Sep-18 08:37 by builders
System image file is "disk0:/asa917-32-k8.bin"
Config file at boot was "startup-config"

ciscoasa5540 up 299 days 20 hours

Hardware: ASA5540-K8, 2560 MB RAM, CPU Pentium 4 2000 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xfff00000, 1024KB

PLEASE do not delete this message as SPAM. I am a real person. Thank you!

Marvin Rhoads · ‎06-18-2020

With ACL entries, order of entry is important. Put the new entries at the top of the ACL to ensure that they get processed before the entry that already allows incoming incoming web traffic on 80 and 443. Otherwise the first match will allow the traffic and you never hit the deny entry.

View solution in original post

Marvin Rhoads · ‎06-17-2020

If your ACL entries are really like the ones you cites (host entries with the address ending in 0) then they are incorrect.

They should be like this instead:

access-list outside_access_in extended deny ip 65.xxx.xxx.0 255.255.255.0 any

...to block subnets.

I'm assuming you've applied the ACL to your outside interface with an "access-group" command.

beatinger · ‎06-17-2020

Hello Marvin,

Thank you very much for your reply. I just tried what you suggested, and it results in an error at the "any" keyword:

access-list outside_access_in extended deny ip host 65.xxx.xxx.0 255.255.255.0 a ^ny

ERROR: % Invalid input detected at '^' marker.

However, leaving out the subnet mask, results in no errors.

The access-group is defined as follows:

access-group outside_access_in in interface outside

Not sure what is going on.

Marvin Rhoads · ‎06-18-2020

Since you are specifying a network, please remove the host keyword as I noted in my example.

beatinger · ‎06-18-2020

Hello Marvin,

The ASA took that, thank you, but the extremely heavy traffic from those IPs continues to flow in unabated.

show access-list

access-list outside_access_in line 41 extended deny ip 51.222.38.0 255.255.255.0 any (hitcnt=0) 0xc5c2835a
access-list outside_access_in line 42 extended deny ip 65.197.196.0 255.255.255.0 any (hitcnt=0) 0x5d5895d1
access-list outside_access_in line 43 extended deny ip 194.167.207.0 255.255.255.0 any (hitcnt=0) 0x38596bc4

How is this possible? I've never seen this happen before. They are all coming in on ports 80 or 443 (mostly 443), on a web server in the server farm. Their source ports are random high numbers, like 63658. I just don't understand how it's possible for them to somehow be getting around the ASA firewall.

beatinger · ‎06-18-2020

I read up on using "shun", and tried some examples given here in the community, and received the following error:

ciscoasa5540(config)# shun 65.197.196.0 netmask 255.255.255.0
^
ERROR: % Invalid Hostname
ciscoasa5540(config)# shun 65.197.196.0 netmask 255.255.255.0

Any ideas? Thank you very much!

Marvin Rhoads · ‎06-18-2020

With ACL entries, order of entry is important. Put the new entries at the top of the ACL to ensure that they get processed before the entry that already allows incoming incoming web traffic on 80 and 443. Otherwise the first match will allow the traffic and you never hit the deny entry.

beatinger · ‎06-18-2020

Hello Marvin,

I thought the same thing actually, but just wasn't 100% sure until you replied, and I also couldn't figure out how to get entries to the top in the CLI mode. So I went into the ASDM, and found the little "Move-Up" and "Move-Down" arrows at the top of the ACL filter list, and moved the rules to the top. Now it works!

access-list outside_access_in; 43 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended deny ip object MediaForce any (hitcnt=255) 0xe195f6cc
access-list outside_access_in line 1 extended deny ip 65.197.196.0 255.255.255.0 any (hitcnt=255) 0xe195f6c

Appears that I have a duplication, as an object that I setup. I'll work on eliminating the duplication. Many thanks! This was a bit of a touch one for me. I really appreciate it!