06-03-2014 10:19 AM - edited 03-11-2019 09:16 PM
I have an ASA 5515-X and 200 users behind it accessing the internet for all of their services (i.e. I have no inside servers). What's the essential ACL I need on the outside interface to prevent scan and SYN attacks, which at present seem to fluctuate wildly?
06-04-2014 03:16 AM
If you don't have any servers that need to be accessed from the internet, then there should be no ACL on the outside interface. Your outside interface should have a security level of 0 and the inside interface a number higher than 0. All traffic from a lower security level to a higher security level is denied by default.
If you are allowing traffic in for whatever reason, then there is no ACL that will prevent scan and SYN attacks on the fly. For SYN attacks you can limit the embryonic connections:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_connlimits.html
As for preventing a port scan, this is not possible. You cannot prevent the scan itself, but you can prevent it from finding open ports in your firewall by not allowing traffic into the outside interface. This is done either by keeping the outside interface at a lower security level than the other interfaces, or, if you want to, by adding an ACL to the outside interface denying all traffic; but this is not needed, as the ASA will drop all traffic from a lower-security interface to a higher-security interface by default. Also, don't configure static NAT: combined with the ACL, this will open a bidirectional opening in the firewall.
--
Please remember to select a correct answer and rate helpful posts
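As an added example (not part of the original thread and not Cisco's own documentation), the configuration below puts the answer above into ASA CLI: security levels with no inbound ACL on outside, outbound-only dynamic PAT instead of static NAT, and embryonic-connection limits applied through the Modular Policy Framework. Interface names, addresses, the object/class/policy names and the numeric limits are assumed placeholders to adjust for the real network; the NAT statement uses the 8.3+ object form that a 5515-X runs, not the 8.2 syntax of the linked guide.

```cisco
! --- Interfaces: outside at security-level 0, inside higher. ---
! Lower-to-higher traffic is denied by default, so no access-group
! is applied to outside at all (no inbound ACL, nothing to scan).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0        ! assumed placeholder
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.0 255.255.255.0        ! assumed placeholder
!
! --- NAT: dynamic PAT for outbound users only. ---
! Dynamic NAT creates translations only for sessions initiated from
! inside; a static NAT plus an ACL would create a permanent inbound hole.
object network INSIDE_USERS                  ! assumed name
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! --- Embryonic (half-open TCP) limits via MPF to blunt SYN floods. ---
! Matching all TCP and attaching it to the global policy means the limits
! apply to every interface; once embryonic-conn-max is exceeded the ASA
! proxies the handshake (SYN cookies) instead of holding state.
access-list TCP_ALL extended permit tcp any any          ! assumed name
!
class-map TCP_CONN_LIMITS                                ! assumed name
 match access-list TCP_ALL
!
policy-map global_policy
 class TCP_CONN_LIMITS
  set connection embryonic-conn-max 1000 per-client-embryonic-max 50
  set connection timeout embryonic 0:00:20
!
service-policy global_policy global
```

Two checks after applying it: `show service-policy set connection` confirms the limits are attached and counts the embryonic connections currently held, and `show threat-detection rate` shows the per-interval rates that drive the ASDM "Possible Scan and SYN Attacks" graph. That graph comes from basic threat detection, which is on by default and reports rates of dropped or half-open events; a busy graph on an interface with no inbound opening is the firewall reporting what it already discarded, not evidence that an ACL is missing.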
06-04-2014 07:36 AM
Thanks Marius,
That was my understanding, but the ASDM graphs of "Possible Scan & SYN Attacks" had me paranoid, so I applied an anti-bogon ACL to the outside interface, but that didn't make any difference.
Thanks again for the clarification,
brgds
SteveP