02-07-2014 09:09 AM - edited 03-10-2019 06:08 AM
Back when I was using Microsoft ISA I was able to setup rules that would (permanently) block a host exhibiting certain behaviour. I am trying to achieve the same using a Cisco ASA IPS.
We have certain special ports open on IP addresses but the common attack ports (22, 3389...) are blocked. I would like to set up a rule where a host is immediately shunned when they try to hit such a port so that the host cannot even proceed to the open ports. To me anyone trying to access these ports is up to no good and should be blocked.
Is there any way to do this on Cisco ASA?
02-08-2014 09:11 PM
Hello Paul,
Yes, you can do it.
1. Create an access-list with the source subnet/host along with ports you want to take care of.
2. Call that access-list in class-map
3. Call this class-map in policy-map and give the command ips promiscuous fail-open/fail-close.
4. Apply policy-map on particular interface.
ciscoasa(config)#access-list traffic_for_ips permit tcp host x.x.x.x any eq 22
ciscoasa(config)#class-map ips_class_map
ciscoasa(config-cmap)#match access-list traffic_for_ips
ciscoasa(config)#policy-map interface_policy
ciscoasa(config-pmap)#class ips_class_map
ciscoasa(config-pmap-c)#ips promiscuous fail-open
!--- Two decisions need to be made.
!--- First, does the AIP-SSM function
!--- in inline or promiscuous mode?
!--- Second, does the ASA fail-open or fail-closed?
ciscoasa(config)#service-policy interface_policy interface inside
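The same four steps written out for the case in the question (any source hitting the closed SSH and RDP ports), as an added configuration fragment that is not part of the reply above. The subnet 203.0.113.0/24, the interface name outside and the choice of inline fail-close are assumptions; the sensor-side block action is configured on the IPS module itself, not shown here.

```text
! Added example: redirect SSH/RDP attempts from ANY source toward a
! protected subnet (placeholder 203.0.113.0/24) into the IPS module.
! Inline mode lets the module drop the packets itself; fail-close keeps
! the ports closed if the module goes down.
access-list traffic_for_ips extended permit tcp any 203.0.113.0 255.255.255.0 eq 22
access-list traffic_for_ips extended permit tcp any 203.0.113.0 255.255.255.0 eq 3389
!
class-map ips_class_map
 match access-list traffic_for_ips
!
policy-map interface_policy
 class ips_class_map
  ips inline fail-close
!
service-policy interface_policy interface outside
!
! Checks: confirm the policy is attached to the interface, and, if the
! sensor is set to block through the ASA (assumption), look for the
! blocked hosts in the ASA shun table.
show service-policy interface outside
show shun
```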
02-12-2014 09:54 PM
You can also take an idea from this:
http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/clissm.html#wp1033926
02-21-2014 05:37 AM
Sending Traffic to the IPS Module
If your model supports the IPS module for intrusion prevention, then you can send traffic to the module for inspection. The IPS module monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library. When the system detects unauthorized activity, it can terminate the specific connection, permanently block the attacking host, log the incident, and send an alert to the device manager. Other legitimate connections continue to operate independently without interruption. For more information, see the documentation for your IPS module.