If somebody is trying to pen test from the outside to the inside network, which feature do I have to enable in the Cisco ASA to stop that? After enabling it, what event is generated and what is the message ID for it?
Please suggest on this.
Ideally the penetration test should fail as per the default behavior of the ASA itself.
Since the outside interface is at the lowest security level, no packet should be allowed through unless it has been allowed in the ACL (also keeping NAT in mind).
Please check the ACLs that you have in the inbound direction on the outside interface of the ASA.
As for the syslogs that you should ideally be seeing, they are:
Syslog message when there is no connection entry:
%ASA-6-106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name
Syslog message when the packet is denied by an ACL:
%ASA-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port by access_group acl_ID
Syslog message when there is no translation rule found:
%ASA-3-305005: No translation group found for protocol src interface_name: source_address/source_port dst interface_name:dest_address/dest_port
Syslog message when a packet is denied by Security Inspection:
%ASA-4-405104: H225 message received from outside_address/outside_port to inside_address/inside_port before SETUP
Syslog message when there is no route information:
%ASA-6-110003: Routing failed to locate next-hop for protocol from src interface:src IP/src port to dest interface:dest IP/dest port
The above are the most commonly seen syslog messages on a perimeter firewall when traffic is denied by the firewall.
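As an added example (not part of the original answer), the following Python snippet shows how a defender can pick out these denial message IDs from ASA syslog and count them per reason and per source, so that repeated denials from one outside address stand out. The log lines, interface names and addresses are constructed for the example; the field layout follows the message formats quoted above.

```python
import re
from collections import Counter

# Denial-related message IDs listed in the answer above, with the reason each one signals.
DENY_REASONS = {
    "106015": "no connection entry",
    "106023": "denied by ACL",
    "305005": "no translation rule",
    "405104": "denied by security inspection",
    "110003": "no route to next hop",
}

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.+)")
# Matches "iface:1.2.3.4/80" or a bare "1.2.3.4/80"; first hit is the source, second the destination.
ENDPOINT_RE = re.compile(r"(?:[\w-]+:)?(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")

def parse_asa_denial(line):
    """Return a dict for a denial message, or None for anything else (e.g. a 302013 'Built connection')."""
    m = MSG_RE.search(line)
    if not m or m.group("id") not in DENY_REASONS:
        return None
    endpoints = ENDPOINT_RE.findall(m.group("text"))
    if len(endpoints) < 2:
        return None
    (src_ip, src_port), (dst_ip, dst_port) = endpoints[:2]
    return {
        "id": m.group("id"), "severity": int(m.group("sev")),
        "reason": DENY_REASONS[m.group("id")],
        "src": src_ip, "src_port": int(src_port),
        "dst": dst_ip, "dst_port": int(dst_port),
    }

def summarize_denials(lines, threshold=3):
    """Count denials per reason and per source; list sources at or above the threshold."""
    by_reason, by_source = Counter(), Counter()
    for line in lines:
        rec = parse_asa_denial(line)
        if rec:
            by_reason[rec["reason"]] += 1
            by_source[rec["src"]] += 1
    noisy = sorted(ip for ip, n in by_source.items() if n >= threshold)
    return by_reason, by_source, noisy

# Constructed sample log lines (not from the original post).
SAMPLE_LOGS = [
    '%ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/44321 to 198.51.100.5/443 flags ACK on interface outside',
    '%ASA-4-106023: Deny tcp src outside:203.0.113.10/51234 dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src outside:203.0.113.10/51235 dst inside:10.0.0.5/3389 by access-group "outside_in" [0x0, 0x0]',
    '%ASA-3-305005: No translation group found for tcp src outside:203.0.113.10/51236 dst inside:10.0.0.7/80',
    '%ASA-6-110003: Routing failed to locate next-hop for tcp from outside:198.51.100.77/40000 to inside:10.0.9.9/80',
    '%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.77/40001 (198.51.100.77/40001) to inside:10.0.0.5/443 (10.0.0.5/443)',
]

if __name__ == "__main__":
    reasons, sources, noisy = summarize_denials(SAMPLE_LOGS)
    print(dict(reasons)); print(dict(sources)); print("sources at/over threshold:", noisy)
```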