10-08-2019 03:29 AM
I'm getting visited every day. I'm pretty sure it's someone spoofing a network. They come in from the same network with a different final octet. Here are the logs from several days.
Oct 07 2019 21:56:12: %ASA-3-713048: IP = 216.218.206.110, Error processing payload: Payload ID: 1
Oct 07 2019 21:56:12: %ASA-6-713905: IP = 216.218.206.110, Warning: Ignoring IKE SA (src) without VM bit set
Oct 06 2019 20:22:27: %ASA-3-713048: IP = 216.218.206.114, Error processing payload: Payload ID: 1
Oct 06 2019 20:22:27: %ASA-6-713905: IP = 216.218.206.114, Warning: Ignoring IKE SA (src) without VM bit set
Oct 05 2019 20:54:54: %ASA-3-713048: IP = 216.218.206.86, Error processing payload: Payload ID: 1
Oct 05 2019 20:54:54: %ASA-6-713905: IP = 216.218.206.86, Warning: Ignoring IKE SA (src) without VM bit set
Oct 04 2019 20:50:01: %ASA-3-713048: IP = 216.218.206.74, Error processing payload: Payload ID: 1
Oct 04 2019 20:50:01: %ASA-6-713905: IP = 216.218.206.74, Warning: Ignoring IKE SA (src) without VM bit set
Oct 03 2019 22:35:38: %ASA-3-713048: IP = 216.218.206.66, Error processing payload: Payload ID: 1
Oct 03 2019 22:35:38: %ASA-6-713905: IP = 216.218.206.66, Warning: Ignoring IKE SA (src) without VM bit set
I'd like to just block that entire 216.218.206.* network from even accessing the ASA, to the point where I don't get any message.
I tried to add the following but am not sure if it is blocking the entire network, as the logs are still coming in.
object network 216.218.206.0
subnet 216.218.206.0 255.255.255.0
description Blocked
object-group network BLACKLIST
description Blocked IPs from Outside to Inside
network-object object 216.218.206.0
access-list outside_access_in extended deny ip object-group BLACKLIST any
When I've used this to block a single IP it seems to work fine and I haven't heard anything from the blocked IPs. Is there anything else I'm missing in the config to block that entire network?
10-08-2019 03:37 AM
Hi there,
The ACL you have created, when applied inbound on the outside interface, will block all traffic from 216.218.206.0/24. There isn't anything else to add.
Make sure you also permit all other traffic:
access-list outside_access_in extended deny ip object-group BLACKLIST any
access-list outside_access_in extended permit ip any any
cheers,
Seb.
10-08-2019 04:20 AM
Thanks for the quick reply. I'm glad to know I did the block correctly.
I have allowed all other traffic except for other IPs that we've blocked.
My second part of the question, and it may be bad practice:
Since I have that network blocked, is there a way I can disable the logs just for that network, since they're still trying to access the ASA but can't because they're blocked?
If I don't need to worry about it, I'd like to not have to see it anymore. Or is better to leave it coming in so I know they're still out there.
Thanks again.
10-08-2019 06:08 AM
Hi,
As you resolved your issue with the permit ip any any statement at the end of the ACL: because the ACL has a hidden rule at the end, deny ip any any, your complete traffic was blocked.
As for your second question, I suppose that you need the other logs as usual and only want to disable logging for this specific ACL. There is no direct command that skips logging for a particular ACL, but I have another solution for you:
access-list alert-interval <Secs_Timing>
The secs argument specifies the time interval between each deny flow maximum message. Valid values are from 1 to 3600 seconds.
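As an added example that is not part of this thread, the following Python script models the two points made above: it parses the ASA IKE syslog lines the original poster quoted, checks each source address against a first-match model of the outside_access_in ACL, and shows that without the trailing permit ip any any the implicit deny ip any any catches every other source. The log sample is constructed for this example (the 203.0.113.7 line is made up to represent a legitimate peer and does not appear in the thread); the ACL model matches on source address only, whereas a real ASA entry also matches destination, protocol and port.

```python
"""Check ASA IKE syslog hits against a first-match model of an interface ACL."""
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the %ASA-3-713048 / %ASA-6-713905 lines in the
# thread; the 203.0.113.7 line is invented to stand in for a legitimate peer.
SAMPLE_LOG = """\
Oct 07 2019 21:56:12: %ASA-3-713048: IP = 216.218.206.110, Error processing payload: Payload ID: 1
Oct 07 2019 21:56:12: %ASA-6-713905: IP = 216.218.206.110, Warning: Ignoring IKE SA (src) without VM bit set
Oct 06 2019 20:22:27: %ASA-3-713048: IP = 216.218.206.114, Error processing payload: Payload ID: 1
Oct 05 2019 20:54:54: %ASA-3-713048: IP = 216.218.206.86, Error processing payload: Payload ID: 1
Oct 04 2019 20:50:01: %ASA-3-713048: IP = 203.0.113.7, Error processing payload: Payload ID: 1
"""

# Timestamp, severity, message ID and the "IP = a.b.c.d," field shared by both message types.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(?P<sev>\d)-(?P<msgid>\d+): "
    r"IP = (?P<ip>[\d.]+), (?P<text>.*)$"
)


def parse_asa_lines(text):
    """Return one dict per line that matches the ASA IKE message format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ip"] = ipaddress.ip_address(d["ip"])
            events.append(d)
    return events


def hits_per_subnet(text, prefixlen=24):
    """Count events per enclosing prefix, to see whether hits cluster in one block."""
    counts = Counter()
    for ev in parse_asa_lines(text):
        net = ipaddress.ip_network(f"{ev['ip']}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


def build_acl(blacklist, permit_rest):
    """Ordered (action, source network) entries, like the deny lines in the thread.

    permit_rest=False reproduces an ACL with no trailing permit ip any any.
    """
    acl = [("deny", ipaddress.ip_network(n)) for n in blacklist]
    if permit_rest:
        acl.append(("permit", ipaddress.ip_network("0.0.0.0/0")))
    return acl


def evaluate(acl, ip):
    """First matching entry wins; anything unmatched hits the implicit deny ip any any."""
    for action, net in acl:
        if ip in net:
            return action
    return "deny"  # implicit deny at the end of every ASA ACL


def summarize(text, acl):
    """Map each source address seen in the log to the ACL verdict it would receive."""
    return {str(ev["ip"]): evaluate(acl, ev["ip"]) for ev in parse_asa_lines(text)}


if __name__ == "__main__":
    print(hits_per_subnet(SAMPLE_LOG))
    print("with permit any any:   ", summarize(SAMPLE_LOG, build_acl(["216.218.206.0/24"], True)))
    print("without permit any any:", summarize(SAMPLE_LOG, build_acl(["216.218.206.0/24"], False)))
```

One caveat when reading the verdicts back against the thread: the quoted messages come from the ASA's own IKE process, i.e. traffic addressed to the firewall itself, and an ACL applied with a plain `access-group ... in interface outside` filters through-the-box traffic; to-the-box traffic is filtered by an ACL applied with the `control-plane` keyword. Whether that applies to the poster's setup is not visible in the thread.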
10-08-2019 06:27 AM
Oh wow, I wasn't aware of the hidden deny. Everything seems fine, as the people who need to can still hit the system.
I suppose I don't need to worry about it being logged. They're only trying to hit it once a day. I figure somebody has a bot spoofing that network and going around trying to hit a bunch of IPs in hopes of finding one they can get into. I was just thinking of a cleaner log. But it's really probably better if I keep it logging since they're still trying.
Thanks again.
Richard