05-28-2003 12:54 PM - edited 03-09-2019 03:27 AM
Hi,
I am trying to filter out an IP that keeps sending a UDP BOMB. I have created an ACL that should filter out the IP. In my syslog I still keep getting the message below. I am wondering if this will keep happening or have I not configured the ACL correctly?
I do understand that IDS and Firewall should work together and I am in the process of doing this. Could this possibly be the problem?
5044: May 28 13:13:28.805 MST: %IDS-4-UDP_BOMB_SIG: Sig:4050:UDP Bomb - from 12.158.33.18 to 65.*.*.*
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 12.158.33.18 0.0.0.1 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip host 192.168.1.2 192.168.2.0 0.0.0.255
Thanks for the help
Tony D
05-28-2003 05:55 PM
This all depends on where you have these ACL's applied and in which direction. For this to work you'd have to have ACL 101 applied inbound on whatever interface is receiving this alert.
05-29-2003 08:19 AM
Thank you for the reply....
Here is that information. I believe it to be correct.
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
description connected to Internet
ip address 65.*.*.* 255.255.255.252
ip access-group 101 in
ip nat outside
ip audit zehren-audit in
no ip route-cache
no ip mroute-cache
half-duplex
crypto map clientmap
!
interface FastEthernet0
description connected to Our Office
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip policy route-map nonat2
speed auto
Thanks again
05-29-2003 04:37 PM
OK, that looks OK. Keep in mind though, that IDS processing is done BEFORE ACL processing (see http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdids.htm#1000896 under the Functional Description section).
This is done so that admins can see attacks even though the ACL will then prevent them. If the ACL denied them straight away then you'd never know if you were under attack. This is why you're seeing the IDS alert, but if you then do a "sho access-list 101" you should see hits on the deny line for that host.
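As an added illustration (not part of the thread or of any Cisco tool), the script below parses ACL 101 exactly as posted and evaluates it with IOS wildcard-mask semantics, so you can confirm offline which line the attacking source hits before looking at the "show access-list 101" counters. It only handles the `ip` entries and the `any` / `host` / `A WILDCARD` address forms used in this thread; the 65.0.0.1 destination is a constructed stand-in for the masked 65.*.*.* address. Note that the 0.0.0.1 wildcard on the first line matches both 12.158.33.18 and 12.158.33.19, whereas `host 12.158.33.18` would match only the one address.

```python
import ipaddress

# ACL 101 as posted in the thread above.
ACL_101_TEXT = """\
access-list 101 deny ip 12.158.33.18 0.0.0.1 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
"""

def _addr_spec(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) and
    return (network_int, wildcard_int, remaining_tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])), tokens[2:])

def parse_acl(text):
    """Parse 'access-list N action ip SRC DST' lines into rule tuples.
    Only the 'ip' protocol form used in the thread is handled."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, src_wild, rest = _addr_spec(tok[4:])
        dst, dst_wild, _ = _addr_spec(rest)
        rules.append((action, proto, src, src_wild, dst, dst_wild))
    return rules

def _matches(addr, net, wild):
    # IOS wildcard: a 1 bit means "don't care"; all other bits must agree.
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0

def evaluate(rules, src_ip, dst_ip):
    """Return (line_index, action) of the first matching entry, or
    (None, 'deny') for the implicit deny at the end of every IOS ACL."""
    src = int(ipaddress.IPv4Address(src_ip))
    dst = int(ipaddress.IPv4Address(dst_ip))
    for i, (action, _proto, net, wild, dnet, dwild) in enumerate(rules):
        if _matches(src, net, wild) and _matches(dst, dnet, dwild):
            return i, action
    return None, "deny"

if __name__ == "__main__":
    rules = parse_acl(ACL_101_TEXT)
    for ip in ("12.158.33.18", "12.158.33.19", "12.158.33.20"):
        print(ip, evaluate(rules, ip, "65.0.0.1"))  # constructed destination
```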