external IPs getting into our FWSM local-host table

apouncey · ‎03-18-2010

We are running an FWSM - version 4.0(4) - for our campus firewall. Somehow, there are external IPs getting into the local-host table on the inside of our firewall. This, of course, is preventing us from getting to those IPs. Some of these IPs are sites that we really need to get to for business purposes (related off-campus research). Whenever we get a complaint about not being able to get to one of these particular sites, the first thing I do is look in the local-host table and, sure enough, it's in there. I clear it out and that solves the problem until it shows up in the table next time.

This sounds like a serious and subversive DOS attack possibility to me. Why does the firewall allow external IPs in the local-host table in the first place? How can we prevent external IPs from getting in the local-host table?

We are not running any NAT through the firewall.

TIA,

Alton R. Pouncey, II

Federico Coto Fajardo · ‎03-18-2010

Hi,

An easy way will be filtering by ACLs.

For example:

On the inside interface have an ACL that allow only traffic from the real inside network.

If the inside network is 10.1.1.0/24, then the inside ACL should permit traffic from only that network.

This will not allow the Firewall to create local hosts entries for other IPs not belonging to the real inside network, as they are not going to be allowed to establish connections through the Firewall.

This is a way to prevent having problems accesing the sites. Obviously is a good idea as well to trace the source of the problem to fix it.

Federico.