03-28-2013 08:31 PM - edited 02-21-2020 04:51 AM
Hi, we have an ASA 5505 in transparent mode and running a web service online. However, we notice a number of intrusion attempts from China and Korea and we need to block traffic from those IPs. Can someone help please?
The config script is:
firewall transparent
hostname xxyyASA
enable password msi14F/SlH4ZLjHH encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description --- Connected to the Internet ---
switchport access vlan 2
!
interface Ethernet0/1
description --- Connected to LAN ---
!
interface Ethernet0/2
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
bridge-group 1
security-level 100
!
interface Vlan2
nameif outside
bridge-group 1
security-level 0
!
interface BVI1
description --- For Management only ---
ip address xxx.yyy.zzz.uuu 255.255.xxx.yyy
!
ftp mode passive
object network WWW-SERVER-OBJ
host xxx.yyy.zzz.jjj
description --- The WEB server ----
object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp
description --- Services published on WEB server ----
object-group service WWW-SERVER-SERVICES-UDP-OBJ udp
description --- Services UDP published on WEB server ----
port-object range 221 225
port-object range 1719 1740
access-list OUTSIDE-IN-ACL extended deny tcp any any eq 3306
access-list OUTSIDE-IN-ACL extended deny tcp any any eq telnet
access-list OUTSIDE-IN-ACL extended permit icmp any any
access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
access-list OUTSIDE-IN-ACL extended permit tcp host xxx.yyy.zzz.uuu object WWW-SERVER-OBJ eq 3306
access-list OUTSIDE-IN-ACL extended permit udp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-UDP-OBJ
We need to block access from a host, say 64.15.152.208.
Just need the best step to follow to block the access without any impact on the service or other hosts.
Thank you
03-29-2013 07:55 AM
Insert a line like:
access-list OUTSIDE-IN-ACL extended deny ip host 64.15.152.208 any
in front of your 3rd line "... permit icmp any any".
If you are going to have a lot of these, maybe do:
object-group network BLACKLIST
network-object host 64.15.152.208
network-object host another.bad.ip.here
network-object entire.dubious.subnet.here 255.255.255.0
...
access-list OUTSIDE-IN-ACL extended deny ip object-group BLACKLIST any
If you want to factor in outside reputation scores, or the blacklist changes a lot, you might look into the Cisco ASA IPS module.
Note that shunning bad hosts helps with targeted attacks, but not with denial-of-service; it just moves the deny point from the application server to the firewall, without much effect on net bandwidth consumption on your uplink.
-- Jim Leinweber, WI State Lab of Hygiene
04-16-2013 05:17 AM
Thanks James. This worked, but now I am getting thousands of failed logon attempts from different sources, and it's based on RDP. We would like to restrict RDP to, say, two IP addresses and block it from everywhere else.
The running config looks like this (see below). Looking to have RDP access from two hosts, say 188.199.200.201 and another host, say 111.222.123.211. Where do I add the line and what should the command be?
ASA Version 8.4(4)5
!
firewall transparent
hostname MyASA
enable password msi14F/SlH4ZLjHH encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description --- Connected to the Internet ---
switchport access vlan 2
!
interface Ethernet0/1
description --- Connected to LAN ---
!
interface Ethernet0/2
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
!
interface Ethernet0/5
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
bridge-group 1
security-level 100
!
interface Vlan2
nameif outside
bridge-group 1
security-level 0
!
interface BVI1
description --- For Management only ---
ip address xxx.yyy.zzz.jjj 255.255.255.xxx
!
ftp mode passive
object network WWW-SERVER-OBJ
host www.xxx.yyy.zzz
description --- The WEB server ----
object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp
description --- Services published on WEB server ----
port-object eq www
port-object eq https
port-object eq telnet
port-object range 221 225
port-object eq 3306
port-object eq 3389
port-object range 1719 1740
port-object eq 5098
|
|
port-object eq 5089
port-object eq 5090
object-group service WWW-SERVER-SERVICES-UDP-OBJ udp
description --- Services UDP published on WEB server ----
port-object range 221 225
port-object range 1719 1740
port-object eq 9293
|
|
port-object eq 20235
port-object range 20000 60000
|
|
port-object eq 5090
object-group network BLACKLIST
network-object host xx.yyy.zzz.www
network-object host another bad IP
network-object host another bad IP
network-object xx.yyy.0.0 255.255.0.0
access-list OUTSIDE-IN-ACL extended deny icmp any any
access-list OUTSIDE-IN-ACL extended deny tcp any any eq telnet
access-list OUTSIDE-IN-ACL extended deny ip host vvv.xxx.yyy.zzz any
access-list OUTSIDE-IN-ACL extended deny ip host another_bad_ip any
access-list OUTSIDE-IN-ACL extended deny ip host another_bad_ip any
access-list OUTSIDE-IN-ACL extended permit icmp any any
access-list OUTSIDE-IN-ACL extended deny tcp any any eq 3306
access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
access-list OUTSIDE-IN-ACL extended permit tcp host uuu.yyy.xxx.zzz object WWW-SERVER-OBJ eq 3306
access-list OUTSIDE-IN-ACL extended permit udp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-UDP-OBJ
access-list OUTSIDE-IN-ACL extended deny ip object-group BLACKLIST any
04-16-2013 06:43 AM
That's quite a range of ports you are allowing the whole planet to access in your WWW-SERVER-SERVICES-* objects.
If you want to restrict RDP then you need to allow it from the desired addresses, and block it from everywhere else. Remember, the first matching rule wins. So something like:
object-group network RDP-OK
description hosts allowed to make microsoft RDP connections
network-object host 188.199.200.201
network-object host 111.222.123.211
Somewhere prior to your WWW-SERVER-OBJ rule put
access-list OUTSIDE-IN-ACL extended permit tcp object-group RDP-OK any eq 3389
access-list OUTSIDE-IN-ACL extended deny tcp any any eq 3389
Note that your early "deny icmp any any" rule makes the later "permit icmp any any" moot, and disallows too much ICMP traffic for proper network operations. Publicly accessible servers should be allowing icmp echo-request inbound, and probably also destination-unreachable and a few other errors.
The early "deny tcp any any eq telnet" means that the inclusion of "port-object eq telnet" in your WWW-SERVER-SERVICES-TCP-OBJ object is useless. Similarly, if you add earlier rules for port 3398/tcp, you can take that out of the service object too.
-- Jim Leinweber, WI State Lab of Hygiene
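As an added illustration of the first-match-wins point made in both of Jim's replies (this is example code, not from the thread or from Cisco): a small Python evaluator that walks ASA-style "access-list ... extended" lines in order, with the thread's BLACKLIST deny and the RDP-OK permit/deny pair placed ahead of the broad web-server permit. The group contents, the 203.0.113.0/24 subnet and the 198.51.100.10 web server address are constructed placeholders.

```python
import ipaddress
# Constructed object-groups mirroring the thread's BLACKLIST / RDP-OK groups;
# 203.0.113.0/24 and 198.51.100.10 are documentation-range placeholders.
GROUPS = {"BLACKLIST": ["64.15.152.208/32", "203.0.113.0/24"], "RDP-OK": ["188.199.200.201/32", "111.222.123.211/32"]}
PORTS = {"telnet": 23, "www": 80, "https": 443}  # port names the ASA accepts after "eq"

def parse_acl(lines):
    """Parse 'access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]' lines."""
    rules = []
    for line in lines:
        t = line.split()
        assert t[0] == "access-list" and t[2] == "extended", line
        action, proto, i = t[3], t[4], 5
        def addr():                     # any | host X | object-group G
            nonlocal i
            kind, i = t[i], i + 1
            if kind == "any":
                return ("any",)
            i += 1
            return ("net", t[i - 1] + "/32") if kind == "host" else ("group", t[i - 1])
        def port():                     # optional 'eq NAME|NUMBER'
            nonlocal i
            if i < len(t) and t[i] == "eq":
                i += 2
                return int(PORTS.get(t[i - 1], t[i - 1]))
            return None
        src, sport, dst, dport = addr(), port(), addr(), port()
        rules.append((action, proto, src, sport, dst, dport, line))
    return rules

def _addr_ok(spec, ip):
    nets = ["0.0.0.0/0"] if spec[0] == "any" else GROUPS[spec[1]] if spec[0] == "group" else [spec[1]]
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule wins, exactly as the ASA walks the ACL; otherwise implicit deny."""
    for action, rproto, rsrc, _, rdst, rdport, line in rules:
        if rproto in (proto, "ip") and rdport in (None, dport) \
                and _addr_ok(rsrc, src) and _addr_ok(rdst, dst):
            return action, line
    return "deny", "implicit deny at end of ACL"

# The ordering Jim recommends: blacklist deny and RDP pair ahead of the broad web permit.
ACL = parse_acl("""\
access-list OUTSIDE-IN-ACL extended deny tcp any any eq telnet
access-list OUTSIDE-IN-ACL extended deny ip object-group BLACKLIST any
access-list OUTSIDE-IN-ACL extended permit icmp any any
access-list OUTSIDE-IN-ACL extended permit tcp object-group RDP-OK any eq 3389
access-list OUTSIDE-IN-ACL extended deny tcp any any eq 3389
access-list OUTSIDE-IN-ACL extended permit tcp any host 198.51.100.10 eq www""".splitlines())
```

Moving the BLACKLIST deny to the end of the list, as in the second posted config, lets the web permit match first for a blacklisted source, which is why the position of the line matters more than its presence.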