06-16-2020 12:44 PM - edited 06-17-2020 05:35 PM
I read up on this forum on how IPs should be blocked on our ASA 55xx firewall, and I added the following lines to the configuration:
access-list outside_access_in extended deny ip host 65.xxx.xxx.0 any
access-list outside_access_in extended deny ip host 51.xxx.xxx.0 any
Unfortunately, multiple requests from those IPs are still getting through to our Windows 2019 web server (I see these IPs constantly hitting the server, using PeerBlock v1.2). I would also like to learn how to block Denial of Service attacks using this device. I have enabled it through the ASDM, but am wondering if there are any specific settings that I should make.
My software version is as follows:
Cisco Adaptive Security Appliance Software Version 9.1(7)32
Device Manager Version 7.8(2)151
Compiled on Tue 04-Sep-18 08:37 by builders
System image file is "disk0:/asa917-32-k8.bin"
Config file at boot was "startup-config"
ciscoasa5540 up 299 days 20 hours
Hardware: ASA5540-K8, 2560 MB RAM, CPU Pentium 4 2000 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xfff00000, 1024KB
PLEASE do not delete this message as SPAM. I am a real person. Thank you!
06-17-2020 10:38 PM
If your ACL entries are really like the ones you cite (host entries with the address ending in 0) then they are incorrect.
They should be like this instead:
access-list outside_access_in extended deny ip 65.xxx.xxx.0 255.255.255.0 any
...to block subnets.
I'm assuming you've applied the ACL to your outside interface with an "access-group" command.
06-17-2020 10:48 PM
Hello Marvin,
Thank you very much for your reply. I just tried what you suggested, and it results in an error at the "any" keyword:
access-list outside_access_in extended deny ip host 65.xxx.xxx.0 255.255.255.0 any
                                                                               ^
ERROR: % Invalid input detected at '^' marker.
However, leaving out the subnet mask results in no errors.
The access-group is defined as follows:
access-group outside_access_in in interface outside
Not sure what is going on.
06-18-2020 12:27 AM
Since you are specifying a network, please remove the host keyword as I noted in my example.
06-18-2020 07:09 AM
Hello Marvin,
The ASA took that, thank you, but the extremely heavy traffic from those IPs continues to flow in unabated.
show access-list
access-list outside_access_in line 41 extended deny ip 51.222.38.0 255.255.255.0 any (hitcnt=0) 0xc5c2835a
access-list outside_access_in line 42 extended deny ip 65.197.196.0 255.255.255.0 any (hitcnt=0) 0x5d5895d1
access-list outside_access_in line 43 extended deny ip 194.167.207.0 255.255.255.0 any (hitcnt=0) 0x38596bc4
How is this possible? I've never seen this happen before. They are all coming in on ports 80 or 443 (mostly 443), on a web server in the server farm. Their source ports are random high numbers, like 63658. I just don't understand how it's possible for them to somehow be getting around the ASA firewall.
06-18-2020 08:19 AM
I read up on using "shun", and tried some examples given here in the community, and received the following error:
ciscoasa5540(config)# shun 65.197.196.0 netmask 255.255.255.0
^
ERROR: % Invalid Hostname
ciscoasa5540(config)# shun 65.197.196.0 netmask 255.255.255.0
Any ideas? Thank you very much!
06-18-2020 08:21 AM
With ACL entries, order of entry is important. Put the new entries at the top of the ACL to ensure that they get processed before the entry that already allows incoming web traffic on 80 and 443. Otherwise the first match will allow the traffic and you never hit the deny entry.
06-18-2020 08:37 AM
Hello Marvin,
I thought the same thing actually, but just wasn't 100% sure until you replied, and I also couldn't figure out how to get entries to the top in the CLI mode. So I went into the ASDM, and found the little "Move-Up" and "Move-Down" arrows at the top of the ACL filter list, and moved the rules to the top. Now it works!
access-list outside_access_in; 43 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended deny ip object MediaForce any (hitcnt=255) 0xe195f6cc
access-list outside_access_in line 1 extended deny ip 65.197.196.0 255.255.255.0 any (hitcnt=255) 0xe195f6c
Appears that I have a duplication, as an object that I set up. I'll work on eliminating the duplication. Many thanks! This was a bit of a tough one for me. I really appreciate it!
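The two points that resolved this thread, that an ACE must be a network/mask (not a `host` entry ending in .0) and that the ASA evaluates an ACL top-down on first match, are easy to check offline. The following Python script is an added example written for this page, not code from Cisco or from anyone in the thread. It parses a small subset of the ASA `access-list NAME extended ...` syntax, evaluates packets with first-match semantics and an implicit deny, and counts hits the way `show access-list` does. It reproduces the three situations above: the deny appended below the permit (hitcnt=0, traffic still permitted), the deny moved to line 1 (traffic denied), and the original `host x.x.x.0` form placed at the top (still permitted, because a /32 does not cover the rest of the /24). The web server address 10.0.0.10 and the permit rule are constructed for the example; the 65.197.196.0/24 network is the one from the thread. The `insert` method models the CLI equivalent of the ASDM move-up arrows, the `access-list NAME line N extended ...` form, which places a new entry at a given position instead of appending it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Dict

@dataclass
class Ace:
    """One access control entry, in the order the ASA stores it."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None = any destination port
    hitcnt: int = 0                 # what 'show access-list' reports

def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # network with a dotted mask, e.g. '65.197.196.0 255.255.255.0'
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended {permit|deny} PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported syntax: {line}")
    action, proto = tok[3], tok[4]
    src, i = _parse_addr(tok, 5)
    dst, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        names = {"www": 80, "https": 443}
        dport = names.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(action, proto, src, dst, dport)

class Acl:
    """First-match ACL with the ASA's implicit deny at the end."""

    def __init__(self, lines: List[str]) -> None:
        self.entries = [parse_ace(l) for l in lines]

    def append(self, line: str) -> None:
        self.entries.append(parse_ace(line))          # plain 'access-list ...'

    def insert(self, line_no: int, line: str) -> None:
        self.entries.insert(line_no - 1, parse_ace(line))  # 'access-list NAME line N ...'

    def evaluate(self, proto: str, src: str, dst: str, dport: int) -> str:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for ace in self.entries:                       # top-down, first match wins
            if ace.proto not in ("ip", proto):
                continue
            if s in ace.src and d in ace.dst and ace.dport in (None, dport):
                ace.hitcnt += 1
                return ace.action
        return "deny"                                  # implicit deny

    def show(self) -> List[str]:
        """Rough equivalent of 'show access-list' output."""
        return [f"line {n} extended {a.action} {a.proto} {a.src} {a.dst} (hitcnt={a.hitcnt})"
                for n, a in enumerate(self.entries, 1)]

PERMIT_WEB = "access-list outside_access_in extended permit tcp any host 10.0.0.10 eq https"
DENY_NET   = "access-list outside_access_in extended deny ip 65.197.196.0 255.255.255.0 any"
DENY_HOST  = "access-list outside_access_in extended deny ip host 65.197.196.0 any"

def demo() -> Dict[str, Tuple[str, int]]:
    """Return (verdict, hitcnt of the deny entry) for the three configurations."""
    pkt = ("tcp", "65.197.196.25", "10.0.0.10", 443)   # constructed inbound HTTPS request
    results = {}

    acl = Acl([PERMIT_WEB]); acl.append(DENY_NET)       # deny added after the permit
    results["appended"] = (acl.evaluate(*pkt), acl.entries[1].hitcnt)

    acl = Acl([PERMIT_WEB]); acl.insert(1, DENY_NET)    # deny moved to line 1
    results["moved_top"] = (acl.evaluate(*pkt), acl.entries[0].hitcnt)

    acl = Acl([PERMIT_WEB]); acl.insert(1, DENY_HOST)   # original 'host x.x.x.0' form, at the top
    results["host_top"] = (acl.evaluate(*pkt), acl.entries[0].hitcnt)
    return results

if __name__ == "__main__":
    for name, (verdict, hits) in demo().items():
        print(f"{name:10s} verdict={verdict:6s} deny-entry hitcnt={hits}")
```

Running it prints `permit` with a deny hitcnt of 0 for the appended case, which is exactly the `(hitcnt=0)` the `show access-list` output above reported, and `deny` with hitcnt 1 once the entry sits at line 1. The `host_top` case shows that position alone is not enough: the `/32` written as `host 65.197.196.0` never matches a source of 65.197.196.25.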