Trying to block network from accessing my ASA 5512

richardjones4
Level 1

I'm getting visited every day; I'm pretty sure it's someone spoofing a network. They come in from the same network with a different final octet. Here are the logs from several days.


Oct 07 2019 21:56:12: %ASA-3-713048: IP = 216.218.206.110, Error processing payload: Payload ID: 1
Oct 07 2019 21:56:12: %ASA-6-713905: IP = 216.218.206.110, Warning: Ignoring IKE SA (src) without VM bit set

Oct 06 2019 20:22:27: %ASA-3-713048: IP = 216.218.206.114, Error processing payload: Payload ID: 1
Oct 06 2019 20:22:27: %ASA-6-713905: IP = 216.218.206.114, Warning: Ignoring IKE SA (src) without VM bit set

Oct 05 2019 20:54:54: %ASA-3-713048: IP = 216.218.206.86, Error processing payload: Payload ID: 1
Oct 05 2019 20:54:54: %ASA-6-713905: IP = 216.218.206.86, Warning: Ignoring IKE SA (src) without VM bit set

Oct 04 2019 20:50:01: %ASA-3-713048: IP = 216.218.206.74, Error processing payload: Payload ID: 1
Oct 04 2019 20:50:01: %ASA-6-713905: IP = 216.218.206.74, Warning: Ignoring IKE SA (src) without VM bit set

Oct 03 2019 22:35:38: %ASA-3-713048: IP = 216.218.206.66, Error processing payload: Payload ID: 1
Oct 03 2019 22:35:38: %ASA-6-713905: IP = 216.218.206.66, Warning: Ignoring IKE SA (src) without VM bit set

I'd like to just block that entire 216.218.206.* network from even accessing the ASA, so that I don't get any messages.


I tried to add the following but am not sure if it is blocking the entire network as the logs are still coming in.

object network 216.218.206.0
 subnet 216.218.206.0 255.255.255.0
 description Blocked

object-group network BLACKLIST
 description Blocked IPs from Outside to Inside
 network-object object 216.218.206.0

access-list outside_access_in extended deny ip object-group BLACKLIST any

When I've used this to block a single IP, it seems to work fine and I haven't heard anything from the blocked IPs. Is there anything else I'm missing in the config to block that entire network?

4 Replies
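The pattern Richard describes (one /24, a different last octet each day) and the block he builds from it can be checked mechanically. The script below is an added example, not code from the original post or from Cisco: it parses ASA syslog lines of the form quoted above (the sample text is those same lines, embedded so the script runs offline), groups the source addresses by /24 to confirm the pattern, and prints object / object-group / access-list statements in the style already used in the post. The function names (parse_line, analyze, block_config) and the two-hosts threshold are the example's own choices.

```python
"""Group ASA 'IP = ...' syslog events by source /24 and emit a matching block config.

Added example, not code from the thread or from Cisco. The only message IDs in the
sample are 713048 / 713905 (IKE); the parser accepts any %ASA-<sev>-<id>: IP = ... line.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the log lines quoted in the original post.
SAMPLE_LOG = """\
Oct 07 2019 21:56:12: %ASA-3-713048: IP = 216.218.206.110, Error processing payload: Payload ID: 1
Oct 07 2019 21:56:12: %ASA-6-713905: IP = 216.218.206.110, Warning: Ignoring IKE SA (src) without VM bit set
Oct 06 2019 20:22:27: %ASA-3-713048: IP = 216.218.206.114, Error processing payload: Payload ID: 1
Oct 06 2019 20:22:27: %ASA-6-713905: IP = 216.218.206.114, Warning: Ignoring IKE SA (src) without VM bit set
Oct 05 2019 20:54:54: %ASA-3-713048: IP = 216.218.206.86, Error processing payload: Payload ID: 1
Oct 05 2019 20:54:54: %ASA-6-713905: IP = 216.218.206.86, Warning: Ignoring IKE SA (src) without VM bit set
Oct 04 2019 20:50:01: %ASA-3-713048: IP = 216.218.206.74, Error processing payload: Payload ID: 1
Oct 04 2019 20:50:01: %ASA-6-713905: IP = 216.218.206.74, Warning: Ignoring IKE SA (src) without VM bit set
Oct 03 2019 22:35:38: %ASA-3-713048: IP = 216.218.206.66, Error processing payload: Payload ID: 1
Oct 03 2019 22:35:38: %ASA-6-713905: IP = 216.218.206.66, Warning: Ignoring IKE SA (src) without VM bit set
"""

# "Mon DD YYYY HH:MM:SS: %ASA-<severity>-<msgid>: IP = <addr>, <text>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): IP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), (?P<text>.*)$"
)


def parse_line(line):
    """Return a dict for one ASA 'IP = ...' event, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "severity": int(m["sev"]),
        "msgid": m["msgid"],
        "ip": ipaddress.ip_address(m["ip"]),
        "text": m["text"],
    }


def analyze(log_text, prefixlen=24):
    """Group parsed events by source prefix; keys are strings like '216.218.206.0/24'."""
    groups = defaultdict(lambda: {"hosts": set(), "days": set(), "msgids": set(), "count": 0})
    for e in filter(None, map(parse_line, log_text.splitlines())):
        net = ipaddress.ip_network(f"{e['ip']}/{prefixlen}", strict=False)
        g = groups[str(net)]
        g["hosts"].add(str(e["ip"]))
        g["days"].add(e["ts"].date().isoformat())
        g["msgids"].add(e["msgid"])
        g["count"] += 1
    return dict(groups)


def block_config(groups, min_hosts=2, group_name="BLACKLIST", acl="outside_access_in"):
    """ASA statements (one list element per line) blocking each prefix seen from >= min_hosts hosts.

    A prefix seen from a single host is skipped here: that case is better served by a
    host object than by blocking the whole /24.
    """
    lines, names = [], []
    for key in sorted(groups, key=lambda k: ipaddress.ip_network(k)):
        g = groups[key]
        if len(g["hosts"]) < min_hosts:
            continue
        net = ipaddress.ip_network(key)
        name = str(net.network_address)
        lines += [
            f"object network {name}",
            f" subnet {name} {net.netmask}",
            f" description Blocked: {len(g['hosts'])} hosts over {len(g['days'])} days",
        ]
        names.append(name)
    if names:
        lines += [f"object-group network {group_name}",
                  " description Blocked IPs from Outside to Inside"]
        lines += [f" network-object object {n}" for n in names]
        # ACLs are evaluated top-down and a plain 'access-list' statement appends to the
        # end, so the deny is inserted at line 1 to be sure it sits above any existing
        # permit that would otherwise match the same traffic first.
        lines.append(f"access-list {acl} line 1 extended deny ip object-group {group_name} any")
    return lines


if __name__ == "__main__":
    groups = analyze(SAMPLE_LOG)
    for net, g in groups.items():
        print(f"{net}: {g['count']} events from {len(g['hosts'])} hosts on "
              f"{len(g['days'])} days, message IDs {sorted(g['msgids'])}")
    print("\n".join(block_config(groups)))
```

Run against the quoted lines, the script reports a single prefix, 216.218.206.0/24, with five distinct hosts on five consecutive days and only the two IKE message IDs, which is exactly the "same network, different final octet" observation. One caveat worth keeping in mind when reading the result: an interface access list filters traffic passing through the ASA, while the 7130xx messages come from the ASA's own IKE process receiving packets addressed to the ASA itself, so after applying the block it is worth confirming in the log that these particular messages actually stop rather than assuming it from the ACL hit counters alone.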

Seb Rupik
VIP Alumni

Hi there,

The ACL you have created, when applied inbound on the outside interface, will block all traffic from 216.218.206.0/24. There isn't anything else to add.

Make sure you also permit all other traffic:

access-list outside_access_in extended deny ip object-group BLACKLIST any
access-list outside_access_in extended permit ip any any
cheers,

Seb.

Thanks for the quick reply. I'm glad to know I did the block correctly.

I have allowed all other traffic except for other IPs that we've blocked.

The second part of my question, and it may be bad practice:

Since I have that network blocked, is there a way I can disable the logs just for that network, since they're still trying to access the ASA but can't because they're blocked?

If I don't need to worry about it, I'd like to not have to see it anymore. Or is it better to leave it coming in so I know they're still out there?

Thanks again.

Hi,

You resolved your issue with the permit ip any any statement at the end of the ACL, because an ACL has a hidden deny ip any any rule at the end, so all of your traffic was blocked.

As for your second question, I suppose that you need the other logs as usual and only want to disable them for this specific ACL. There is no direct command which skips logging for a particular ACL, but I have another solution for you:

access-list alert-interval <Secs_Timing> 

The secs argument specifies the time interval between each deny flow maximum message. Valid values are from 1 to 3600 seconds.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!

Oh wow, I wasn't aware of the hidden deny any. Everything seems fine, as the people who need to can still hit the system.

I suppose I don't need to worry about it being logged. They're only trying to hit it once a day. I figure somebody has a bot spoofing that network and going around trying to hit a bunch of IPs in hopes of finding one they can get into. I was just thinking of a cleaner log. But it's really probably better if I keep it logging since they're still trying.

Thanks again.

Richard