03-09-2020 09:31 AM
Hi,
I have a file server that is in the DMZ of my ASA5525 firewall. We are getting numerous successful connections from source IPs that are Tor exit nodes to our file server, and we'd like to block that traffic if possible. I'm told one way to block this traffic is to manually block every IP, but these IPs are dynamic, so they will always be changing.
Then I'm also told a better way to handle it is if our ASA5525 has a Tor setting (to determine whether or not a Tor node is in use) to block this type of traffic.
My question is: how can I block this traffic if my firewall does not have Tor settings? I checked, probably not in the correct way, but I didn't see any Tor setting.
Also, I read that I would need to have a Cisco Firepower module installed on my ASA in order to have and make use of Tor settings.
I'm almost certain we don't have a Cisco Firepower module installed on our ASA5525.
Please advise!
Thank you
03-09-2020 12:31 PM
Here, this document is very similar to the issue with SFR you are having. However, it would be better to get a Firepower subscription; you get a 90-day trial for free.
03-09-2020 10:49 AM
There is no quick fix, I am afraid. What if you create an access-list and block them, and later Tor changes its IP addresses and starts again? Then you have to do it again, write the access-list, and so on.
Firepower is a good point to start. To check if your ASA has an SFR (Firepower sensor), use this command:
!
show module sfr
!
It would be better, if you are an enterprise company, to get layer 7 packet inspection instead of having an ASA only at layer 4.
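One way to stop hand-maintaining that access-list, as an added example that is not part of the original thread or of any Cisco tooling: a small script that turns the Tor Project's published exit-node list into ASA object-group configuration, and on later runs emits only the hosts to add and remove. The one-address-per-line format is the one served at https://check.torproject.org/torbulkexitlist; the script does not fetch anything itself, the sample list below is constructed, and the object-group name, ACL name and file-server address are assumptions to replace with your own.

```python
import ipaddress

# Constructed sample in the bulk exit list format (one address per line,
# '#' comments). Not real data and not fetched; a real run would feed in the
# text downloaded from the Tor Project's bulk exit list, which changes hourly.
SAMPLE_EXIT_LIST = """\
# constructed sample, not real Tor exit addresses
198.51.100.7
203.0.113.42
198.51.100.7
not-an-ip
2001:db8::1
192.0.2.200
"""

# Assumed names: change these to match the ASA you are configuring.
GROUP_NAME = "TOR_EXIT_NODES"   # assumed object-group name
ACL_NAME = "OUTSIDE_IN"         # assumed ACL applied inbound on the outside interface
FILE_SERVER = "192.0.2.10"      # assumed DMZ file server address as seen by the ACL


def parse_exit_list(text):
    """Return the sorted, de-duplicated IPv4 addresses in a bulk exit list.

    Blank lines, comments and unparsable lines are dropped. IPv6 exits are
    skipped too, because the object-group rendered below holds IPv4 hosts only.
    """
    addrs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            continue        # garbage line; ignore rather than abort the run
        if ip.version == 4:
            addrs.add(ip)
    return sorted(addrs)


def render_initial_config(addrs):
    """ASA CLI for the first run: build the group and deny it to the file server.

    'line 1' puts the deny ahead of whatever permits already exist in the ACL.
    """
    lines = [f"object-group network {GROUP_NAME}"]
    lines += [f" network-object host {ip}" for ip in addrs]
    lines.append(
        f"access-list {ACL_NAME} line 1 extended deny ip "
        f"object-group {GROUP_NAME} host {FILE_SERVER}"
    )
    return lines


def render_update(previous, current):
    """ASA CLI for later runs: only the hosts that joined or left the exit list.

    Both arguments are iterables of IPv4 addresses (strings or ipaddress
    objects), e.g. the previous run's parse output saved to disk and the new one.
    Returns an empty list when nothing changed, so nothing is pasted needlessly.
    """
    prev = {ipaddress.ip_address(a) for a in previous}
    cur = {ipaddress.ip_address(a) for a in current}
    added = sorted(cur - prev)
    removed = sorted(prev - cur)
    if not added and not removed:
        return []
    lines = [f"object-group network {GROUP_NAME}"]
    lines += [f" network-object host {ip}" for ip in added]
    lines += [f" no network-object host {ip}" for ip in removed]
    return lines


if __name__ == "__main__":
    exits = parse_exit_list(SAMPLE_EXIT_LIST)
    print("\n".join(render_initial_config(exits)))
```

Run it on a schedule (the exit list rotates constantly, so hourly is reasonable), keep the previous run's address set, and push the output of `render_update` to the ASA. Two caveats: this is a list-based block, not Tor detection, so it misses exits that have not yet appeared in the published list and blocks nothing else; and since the script is driving an ACL on the outside interface, keep an out-of-band path to the firewall in case a bad list is pushed.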
03-09-2020 11:47 AM
Thank you Sheraz for your quick response.
I've checked my ASA for the SFR module and the result is not promising. See sanitized output below:
!
ASA2# sh module sfr

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
 sfr Unknown                                      N/A                FCH19......

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
 sfr 70e4.xxxx.xxxx to 70e4.xxxx.xxxx  N/A          N/A

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr Unknown                        No Image Present Not Applicable

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
 sfr Unresponsive       Not Applicable
!
03-09-2020 01:57 PM
Thank you Sheraz for your input. We will look into getting a Firepower subscription.
Regards!