Thursday, January 19, 2017

Cisco ASA: How To Immediately Block An External IP From Coming Through Your Firewall

Have you ever had an intruder coming through your firewall and needed to block that IP address immediately?  I recently saw this very thing on a Cisco ASA.  We didn't see it in our logs (still working on why), but it was reported to us by our server team.  Because it wasn't in our logs, we ran a packet capture on the ASA to verify that the traffic was actually coming through, and the capture proved that it was.  So our immediate solution was to add the public IP address to our block list.  However, because the attacker already had an established connection through a static NAT (an internal server accessed from the outside), adding the address to the ACL did not work.  The reason is that the ASA is stateful: an interface ACL is checked only against the first packet of a new connection, and once a connection is in the connection table its later packets are matched to that entry and never re-evaluated against the ACL.  A new deny entry therefore stops new connections from that source but does nothing to a flow that is already established.  To me, that is unacceptable in a firewall unless there is a way to tear the flow down, so as I'm writing this post, I think I'll do a follow-up post on how the ASA works regarding this concept.  I'm not sure it's widely published.
Back to this post though.  I added the public IP address to the block ACL, and that did not stop the traffic.  So, what to do?
There is a command called "shun" on the ASA.  It's intended to block an IP immediately: it drops every packet from that source address and also tears down any connections that source already has open, which is exactly what the ACL alone could not do.  So, after the packet capture, I verified that the connection was still active with another command (sho conn add is the short form of show conn address):
ASA# sho conn add 159.203.83.32
TCP outside  159.203.83.32:37044 inside  10.10.10.10:443, idle 0:00:00, bytes 903237461, flags UIOXB

You can see above that the connection is active and still passing bytes.  So let's shun it:
ASA# shun 159.203.83.32
Shun 159.203.83.32 added in context: single_vf
Shun 159.203.83.32 successful

Now to verify that it's actually stopped.  We ran show capture a few times to check that the byte count was not increasing, as it was before:
ASA# sh capture
capture capin type raw-data access-list 189 interface outside [Buffer Full - 524058 bytes]
ASA# sh capture
capture capin type raw-data access-list 189 interface outside [Buffer Full - 524058 bytes]
ASA# sh capture
capture capin type raw-data access-list 189 interface outside [Buffer Full - 524058 bytes]

Done, shunned for now.  Two caveats are worth adding.  First, the capture above reads "Buffer Full", so its byte count could not have increased even if the traffic were still flowing.  For a real before-and-after check, clear the capture first (clear capture capin) and re-run show capture, or look at show shun statistics, which counts the packets the shun has dropped on each interface.  Second, shun entries are dynamic: they are listed by show shun, removed with no shun 159.203.83.32, and are not saved to the configuration, so they do not survive a reload.  Keep the ACL deny in place for the permanent block; the shun (or a clear conn address 159.203.83.32 after the ACL change) is what kills the connection that is already established.
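As an added example (not code from the original post), here is a small Python helper that performs the checks above offline: it parses show conn output for connections involving a given address, it compares two show capture snapshots and returns "inconclusive" when the buffer was already full (the trap in the output above), and it checks show shun output for the address. The show shun line format, the second and third connection lines and all sample output are constructed assumptions, not captured data.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed "show conn" output modeled on the line in the post; the second
# and third connections are made up for contrast.
SHOW_CONN = """\
TCP outside  159.203.83.32:37044 inside  10.10.10.10:443, idle 0:00:00, bytes 903237461, flags UIOXB
TCP outside  198.51.100.7:51234 inside  10.10.10.10:443, idle 0:00:03, bytes 4512, flags UIO
UDP outside  203.0.113.9:53 inside  10.10.10.20:41000, idle 0:00:12, bytes 211, flags -
"""

# Constructed "show capture" snapshots: the first is the post's situation
# (buffer already full), the other two are a capture that is still running.
CAPTURE_FULL = "capture capin type raw-data access-list 189 interface outside [Buffer Full - 524058 bytes]"
CAPTURE_RUNNING_1 = "capture capin type raw-data access-list 189 interface outside [Capturing - 12000 bytes]"
CAPTURE_RUNNING_2 = "capture capin type raw-data access-list 189 interface outside [Capturing - 18000 bytes]"

# Constructed "show shun" output; the assumed line format is
#   shun (<interface>) <src-ip> <dst-ip> <sport> <dport> <proto>
SHOW_SHUN = "shun (outside) 159.203.83.32 0.0.0.0 0 0 0\n"

CONN_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+),\s+idle\s+(?P<idle>[\d:]+),"
    r"\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)\s*$"
)
CAPTURE_RE = re.compile(
    r"^capture\s+(?P<name>\S+)\s.*\[(?P<state>Buffer Full|Capturing)\s+-\s+(?P<bytes>\d+)\s+bytes\]\s*$"
)
SHUN_RE = re.compile(r"^shun\s+\((?P<iface>[^)]+)\)\s+(?P<src>[\d.]+)\s")


@dataclass
class Conn:
    proto: str
    ip_a: str
    port_a: int
    ip_b: str
    port_b: int
    idle: str
    bytes: int
    flags: str


def parse_conns(output: str) -> list[Conn]:
    """Turn each parseable 'show conn' line into a Conn; skip anything else."""
    conns = []
    for line in output.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(Conn(m["proto"], m["ip_a"], int(m["port_a"]), m["ip_b"],
                              int(m["port_b"]), m["idle"], int(m["bytes"]), m["flags"]))
    return conns


def conns_involving(output: str, address: str) -> list[Conn]:
    """Connections where the address is either endpoint (what 'show conn address' lists)."""
    return [c for c in parse_conns(output) if address in (c.ip_a, c.ip_b)]


def capture_verdict(before: str, after: str) -> str:
    """Compare two 'show capture' snapshots of the same capture.

    A full buffer cannot grow, so a static byte count proves nothing in that
    state; the right move is 'clear capture <name>' and a fresh comparison.
    """
    b, a = CAPTURE_RE.match(before.strip()), CAPTURE_RE.match(after.strip())
    if not b or not a or b["name"] != a["name"]:
        return "unparsed"
    if b["state"] == "Buffer Full":
        return "inconclusive"
    if int(a["bytes"]) > int(b["bytes"]):
        return "still-flowing"
    return "stopped"


def is_shunned(output: str, address: str) -> bool:
    """True if 'show shun' output lists a shun for the source address."""
    for line in output.splitlines():
        m = SHUN_RE.match(line.strip())
        if m and m["src"] == address:
            return True
    return False


if __name__ == "__main__":
    target = "159.203.83.32"
    for c in conns_involving(SHOW_CONN, target):
        print(f"{c.proto} {c.ip_a}:{c.port_a} -> {c.ip_b}:{c.port_b} bytes={c.bytes} flags={c.flags}")
    print("capture check:", capture_verdict(CAPTURE_FULL, CAPTURE_FULL))
    print("shunned:", is_shunned(SHOW_SHUN, target))
```

Run against the post's own output, the capture comparison comes back "inconclusive" rather than "stopped", which is the point: confirm the shun with show shun and show shun statistics, or clear the capture before comparing counts.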

1 comment:

  1. Hi, you might want to put a 'show run access-list 189' and its result in your article, so your readers better understand why that byte count is not increasing :) Good site BTW - Pete
