12-21-2012 08:53 PM - edited 03-11-2019 05:40 PM
I have an ASA 5510 deployed and we are getting a tonne of port scanning traffic (who isn't these days) and ping traffic.
The threat scanning thresholds seem a bit too high, and I was wondering if there is a way to use a Service Policy Rule to perform a Shun/Block of the hosts rather than the firewall simply blocking the request via the ACL and sending a reply.
In other words, if I do nothing, I know the ACL is protecting the resources but it is still replying to the client connection. I want the end result to be the same as a "Shun" where the connection is dropped and no reply is sent.
Does anyone have an example of how to employ Service Policy Rules to thwart Port Scanning and/or IP Spoofing?
12-22-2012 06:04 AM
The service resetoutside command sets the ASA to send a TCP RST to denied traffic, but it is disabled by default. That is, denied incoming packets are dropped silently by default.
12-22-2012 01:40 PM
Thanks for the tip Peter.
I was really hoping to find a solution using the service policy if possible so that I could tune the parameters on packets per second, source ip, etc and be more specific about how to block these attacks.
The end result would be to reset the connection, but, the logic around whether it should be reset or not is what I am interested in.
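As an added worked example (not part of this thread): the per-source threshold logic the original poster is after, implemented as a sliding-window check over constructed ASA deny-log lines, so a source that trips the threshold can be reviewed as a shun candidate. The %ASA-4-106023 field layout, the window length and the threshold values are assumptions, not anything from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed layout of the ASA "Deny ... by access-group" syslog (%ASA-4-106023).
DENY_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) .*%ASA-4-106023: Deny (?P<proto>\w+) "
    r"src \w+:(?P<src>[\d.]+)(?:/\d+)? dst \w+:(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)

def parse_deny(line):
    """Return (timestamp, src_ip, dst_ip, dst_port) or None for non-deny lines."""
    m = DENY_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    return ts, m.group("src"), m.group("dst"), m.group("dport")

def find_scanners(lines, window_seconds=10, max_denies=5, min_ports=3):
    """Flag a source once it exceeds max_denies denied packets inside one
    sliding window AND has touched at least min_ports distinct dst ports."""
    events = defaultdict(deque)   # src_ip -> deque of (ts, dport) in the window
    flagged = {}                  # src_ip -> sorted list of ports it probed
    for line in lines:
        parsed = parse_deny(line)
        if parsed is None:
            continue
        ts, src, _dst, dport = parsed
        q = events[src]
        q.append((ts, dport))
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()           # drop events that have aged out of the window
        ports = {p for _, p in q if p is not None}
        if len(q) > max_denies and len(ports) >= min_ports:
            flagged[src] = sorted(ports, key=int)
    return flagged

def _deny(ts, src, dport):
    # Constructed sample line; hostname, interfaces and ACL name are made up.
    return (f"{ts} asa01 %ASA-4-106023: Deny tcp src outside:{src}/40001 "
            f'dst inside:192.0.2.10/{dport} by access-group "outside_in" [0x0, 0x0]')

SAMPLE_LOG = [  # constructed: one fast scanner plus one benign single miss
    _deny("Dec 21 2012 20:53:01", "198.51.100.7", p)
    for p in ("22", "23", "80", "443", "3389", "8080")
] + [_deny("Dec 21 2012 20:53:05", "198.51.100.9", "443")]

def demo():
    return find_scanners(SAMPLE_LOG)   # -> {'198.51.100.7': ['22', ..., '8080']}
```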