Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4042
Views
2
Helpful
17
Replies

Block specific IP's from attempting to establish an SSLVPN connection

irbk
Level 1
Level 1

‎06-09-2023 06:01 AM

Logged into my ASA this AM and I'm seeing a ton of "authentication rejected" warnings coming across from 3 different IP's.  Seems like someone trying to brute force SSLVPN.  I want to block these IP's from even being able to connect to my ASA (which is a 5525 if it makes any difference).  It doesn't seem like there is a straightforward way to block them because the VPN terminates on the ASA itself.  What's the best way to block this attack while still allowing legitimate SSLVPN connections?

Thanks

0 Helpful
17 Replies 17

MHM Cisco World
VIP
VIP

‎06-09-2023 06:03 AM

If these user use same public ip' then use acl control plane apply to outside with IN direction

This will prevent these user to try sslvpn to asa.

0 Helpful

Rob Ingram
VIP
VIP

‎06-09-2023 06:04 AM

@irbk from the ASA itself you can use a control-plane ACL to restrict those IP addresses and permit other VPN connections..

Or block those IP addresses on an ACL on the upstream ISP router.

0 Helpful

irbk
Level 1
Level 1
In response to Rob Ingram

‎06-09-2023 06:07 AM

I'm a bit hesitant to do that as I don't want to accidently block all incoming traffic.  My ASA is in a remote datacenter so if I flub up a command, I can't lay hands on it to fix it.  2 questions, is it possible to do in the ASDM?  What might the rule look like if I had an object group called "BlackListedIPs"?   

0 Helpful

Rob Ingram
VIP
VIP
In response to irbk

‎06-09-2023 06:13 AM

@irbk connections "through" the ASA do not apply as they are controlled via a normal interface ACL and SSH/ASDM connections "to" the box are controlled separately to an ACL applied to an interface.

Here is an example from the CLI.

062621_1101_ftdcontrolp4.png

Notice the access-group has control-plane appended to the end to signify it's used by the control plane.

0 Helpful

irbk
Level 1
Level 1
In response to Rob Ingram

‎06-09-2023 06:15 AM

How about something like

shun 179.60.149.83

That will block the IP for some period of time with out the chance of breaking anything else?

0 Helpful

MHM Cisco World
VIP
VIP
In response to irbk

‎06-09-2023 06:18 AM - edited ‎06-09-2023 06:19 AM

To be more tune your access list use deny (ip of host) any tcp port 443 in acl and permit any any 

Then apply it to outside directions IN with keyword control plane 

0 Helpful

irbk
Level 1
Level 1

‎06-09-2023 06:38 AM

I was able to block the connections (there were only 4 IP's banging the ASA then another 2 once I blocked the original 4) using SHUN which is all I needed to do.  I'm sorry but the control-plane access list just scares me.

Rob Ingram
VIP
VIP
In response to irbk

‎06-09-2023 06:42 AM

@irbk no worries, shun will work. Note that the shun configuration is not displayed in the ASA configuration.

FYI, you'd not lock yourself out via SSH/ASDM as these are control independantly from an normal interface ACL and the control plane ACL.

0 Helpful

irbk
Level 1
Level 1
In response to Rob Ingram

‎06-09-2023 06:48 AM

@Rob Ingram yeah, thanks.  I'm aware that SHUN isn't displayed in the ASDM and also it doesn't survive a router reboot I believe?  I'm not super sure if "shun 179.60.149.83" will only block it for 15 min or until I either remove it or reboot the ASA.  I think if you use the "threat detection" within the ASA itself, by default, it only SHUNs for like 15 min.  I'm not sure if I put in a manual command if that will stay persistent.  It's been 20ish minutes now and I'm not seeing the connection attempts come back, so either the SHUN lasts longer than 15 min or the bot/script kiddie moved onto a different IP

0 Helpful

MHM Cisco World
VIP
VIP
In response to irbk

‎06-09-2023 06:59 AM

I'm not super sure if "shun 179.60.149.83" will only block it for 15 min or until I either remove it or reboot the ASA
you need manual no shun to remove it, there no timeout for this command
https://www.networkstraining.com/block-attacks-with-a-cisco-asa-firewall-and-ids-using-the-shun-command/

0 Helpful

irbk
Level 1
Level 1
In response to MHM Cisco World

‎06-09-2023 07:07 AM

Oh sweet!  Thanks @MHM Cisco World 

0 Helpful

irbk
Level 1
Level 1
In response to Rob Ingram

‎06-09-2023 06:56 AM

Out of curiosity, is there a place within the ASDM to do the control-plane blocking or is that CLI only?

0 Helpful

Rob Ingram
VIP
VIP
In response to irbk

‎06-09-2023 07:13 AM

@irbk yes you can configure control plane ACLs in ASDM.

Step 1

Choose Configuration > Device Management > Management Access > Management Access Rules.

The rules are organized by interface. Each group is equivalent to the extended ACL that is created and assigned to the interface as a control plane ACL. These ACLs also appear on the Access Rules and ACL Manager pages.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/asdm719/firewall/asdm-719-firewall-config/access-rules.html?bookSearch=true

 

irbk
Level 1
Level 1
In response to Rob Ingram

‎06-09-2023 07:21 AM

Ok, I *thought* that might be it.  Right now, I have no rules in there.  If I were to create 1 rule to block traffic, would I also have to create a 2nd "any/any" rule to allow all the other traffic?  I'm assuming there is the usual "deny any" that would take effect if I put a rule in here?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card