P2P on an ASA/IPS

I have the ASA-SSM-20 in my ASA. I have it running with policy maps for inline. I can do deny packet and deny connection etc. for ICMP/reply and it works fine for my testing, but I can't get it to stop the connections. I know the manual says "Connection blocks are not supported on security appliances. Security appliances only support host blocks with additional connection information." Then why does it give you the option with inline? Also the deny attacker inline doesn't work with it either.
Thanks
Mike

Mike,
"Deny connection inline" should work with P2P traffic. In this case the "attacker" is the client on your network, a user, so be careful not to use "deny attacker inline" as it will also start blocking legit traffic. My recommendation is to test from a test PC and use the various inline blocking actions on simple "non atomic" stateful traffic to see if the blocking works. If it does, the P2P traffic could just be tunneling through HTTP. Certain P2P/IM traffic uses various ports for various things such as "sign in", "chat", "video", etc., and has sub-sigs under the parent sig, so be sure to select all the sigs for a particular parent sig.

Similar Messages

  • Block P2P software using ASA-AIP-SSM-20 module

    Hello,
    I have got a question about blocking P2P traffic on ASA AIP module. I have searched the forums and all I could find were solutions using regex, port block, MPF, but no AIP implementation example.
    Could anyone point me in the right direction please ?
    Many thanks,
          Martin

    Hello Paps,
    Many thanks for your reply. I was searching the web like crazy for some solutions using IPS and it never occurred to me that I could just simply look for the signature files on the Cisco website.
    Thank you very much again
    With regards,
               Martin

  • Websockets TCP RST through ASA+IPS and ACE

    Hello,
    We recently deployed a new websockets project within our existing web infrastructure. The websockets traffic (as all the rest of normal web traffic) is crossing an ASA + IPS module where I do NAT and then is forwarded to an ACE load balancer where two real servers are configured in the server farm in active/standby mode (not load balancing) due to the websockets nature. Everything seems to work fine but sometimes (once every 4 days or so), based upon the server logs, a TCP Reset reaches the application server and brings down the whole application.
    It's clear that this application has a bug but I would like to avoid that TCP reset as a workaround while the application team fixes the bug, as the go-live is soon. Has anybody faced this issue and can help me find where that supposed TCP reset comes from? I didn't get IPS alerts.
    Server log:
    "Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.    at System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult)"
    Thanks,
    Miquel

    Hi Miquel,
    A packet capture on the server shall show the origin of the TCP RST. If you are natting the source traffic then take front end pcaps at the front end of the firewall as well as at the back end, and similarly for the ACE, to see what the origin of the TCP RST is. Normally, it should be from the client if it is received on the server. LBs just forward the traffic to the server, but it depends and it could be the load balancer resetting the connection. But we don't have any details to be sure. So packet captures would be our best friend here.
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • Cisco ASA IPS vs Bruteforce

    Who can help me, I need device that will block bruteforce attack to our webmail servers, 5 wrong password input = block for 10 min, for example.
    Can I use for this Cisco ASA IPS?

    Depending on how your specific webmail server works, perhaps you could use/tune:
    SIG 6256.0 (HTTP Authorization Failure)
    -or-
    SIG 20020.0 (HTTP Authentication Brute Force Attempt)
    Or, create a custom signature based off of one of the above.
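The "5 wrong passwords = block for 10 min" rule the poster asks for, written out as detection logic over constructed webmail auth-failure log lines. This is an added illustration, not code from the thread or a Cisco signature; the log format, the 60-second counting window and the IP addresses are assumptions.

```python
# Added example: threshold rule "5 failures -> block source for 10 minutes",
# evaluated over constructed log lines (format and window are assumptions).
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # 5 wrong password inputs ...
WINDOW = timedelta(seconds=60)  # ... within this window (assumed; the post gives none)
BLOCK_FOR = timedelta(minutes=10)

# Constructed sample log: "<timestamp> <event> src=<ip> user=<name>"
SAMPLE_LOG = """\
2014-03-02T10:00:01 auth_fail src=203.0.113.5 user=bob
2014-03-02T10:00:03 auth_fail src=203.0.113.5 user=bob
2014-03-02T10:00:04 auth_ok   src=198.51.100.7 user=alice
2014-03-02T10:00:05 auth_fail src=203.0.113.5 user=admin
2014-03-02T10:00:06 auth_fail src=203.0.113.5 user=root
2014-03-02T10:00:09 auth_fail src=203.0.113.5 user=bob
2014-03-02T10:00:10 auth_fail src=203.0.113.5 user=bob
2014-03-02T10:05:00 auth_fail src=198.51.100.7 user=alice
2014-03-02T10:20:00 auth_fail src=198.51.100.7 user=alice
"""

def parse(line):
    """Split one constructed log line into (timestamp, event, source IP)."""
    ts, event, src, _user = line.split()
    return datetime.fromisoformat(ts), event, src.split("=", 1)[1]

def find_blocks(log_text):
    """Return {src_ip: (block_start, block_end)} for sources hitting the threshold."""
    recent = defaultdict(deque)   # src -> failure timestamps still inside WINDOW
    blocks = {}
    for line in log_text.splitlines():
        ts, event, src = parse(line)
        if event != "auth_fail":
            continue
        if src in blocks and ts < blocks[src][1]:
            continue              # source is already blocked; nothing new to decide
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()           # forget failures older than the window
        if len(q) >= FAIL_THRESHOLD:
            blocks[src] = (ts, ts + BLOCK_FOR)
            q.clear()
    return blocks
```

Running it on the sample blocks 203.0.113.5 after its fifth failure at 10:00:09 until 10:10:09, while the two isolated failures from 198.51.100.7 never trigger.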

  • IPS Signature DataBase - ASA IPS/IOS IPS/IPS 42xx/AIP-SSM

    Hi,
    Can anyone briefly tell me the signature database details (No of Signature) among the following devices,
    -->ASA IPS/IOS IPS/IPS 42xx/AIP-SSM.
    Thanks,

    IPS on ASA/PIX = just 50 or so common signatures
    AIP-SSM module = same signatures as Cisco 4200 series sensors. Some minor differences exist (like IPv6 signature support etc.)
    Please rate if helpful.
    Regards
    Farrukh

  • Need help with LAN Architecture - ASA/IPS, and ISR placement

    Dear friends, I am new to the Cisco community, had no previous experience with managed networks and desperately need advice setting up a LAN for my small business. Here is what I did so far:
    ASA w IPS is facing internet, has a webserver connected to DMZ and then ISR on the inside interface. ISR is used for running CCME/CUE VOIP and VLAN NAT. Switch is connected to the ISR with a trunk interface. I setup multiple VLANs with ACL to separate engineering/management/sales/fileserver. Inter VLAN routing is enabled on the switch to allow Gigabit routing from the Fileserver VLAN to the Engineering VLAN.
    I know this is probably overkill for a 4 people company, but my objective is to be ready for possible attacks from both outside and inside and to ensure business continuity and minimal service interruptions.
    My question: would it be more practical to connect the ASA directly to the switch and do VLAN NAT on the ASA instead of the router? This way if the router fails, I lose VOIP but not Internet, and if the ASA fails, I only lose Internet, while phones will stay operational. This approach should also let me use the ASA IPS to monitor inter-VLAN traffic, so if one of the user PCs gets infected, hopefully the IPS will contain the damage to a single VLAN.
    What would experienced network architect do in my case? Any suggestions?
    Please, forgive me if I misunderstood something or did something silly, as this is my first network setup (not including household grade routers)
    Thank you very much in advance!

    Thank you for your response!
    I still keep debating if it has any advantages to use a router in between the ASA and the switch, or should I connect the switch directly to the ASA, so the only function of the router is to run VOIP?
    I saw multiple network diagrams which all had a border router, then ASA then switches. In my case router runs VOIP and I would want it to be behind ASA. Any benefits of running internet traffic through both ASA and a router?
    For redundancy, we can’t really afford 2nd ASA at this time, for now I would want to make sure there is as little chance as possible that both phones and internet go out simultaneously. 

  • Cisco ASA IPS SSM-10

    Hello,
    I just upgraded one of my Cisco ASA IPS SSM-10 from version 7.0 (6) E4 to version 7.0 (7) E4 and the Radius authentication stopped working. I use Microsoft 2008 Radius and I still have 10 more of these working with version 7.0 (6) E4.
    I used to have the same Radius authentication issue with version 6 until we upgraded to ver 7.0 (6) E4 and this latest version screwed up again.
    Does anyone know if there is a Radius authentication bug in this latest version 7.0 (7) E4?
    Thank you
    Si

    There is a known issue CSCty46104. However a show-tech log can give more details as to why there was a failure in your case.
    Regards
    Sawan Gupta

  • CSM / ASA IPS -- upstream signature package includes hundreds of retired signatures

    CSM / ASA IPS -- upstream signature package includes hundreds of retired signatures
    When I push new signatures that CSM downloads and applies for me, I get hundreds of retired signatures. I have tried to wipe the signature policy and create it fresh and anew - it seems as if CSM isn't marking 'new' signatures for application to existing signature configuration files. The deltas between previous versions do not get applied.
    Is this a common occurrence for other people running CSM?

    Hi JP,
    The signatures need to be enabled and unretired for them to function.
    The following FAQ describes this process in detail:
    http://www.cisco.com/web/about/security/intelligence/ips_sig_faq.html#2
    Hope this is helpful.
    Regards
    Neil Archibald
    IPS Signature Development Team

  • P2P blocking on ASA 5525 with Software Version 8.6(1)2

    Hello,
    We have Cisco ASA 5525 with Software Version 8.6(1)2. We have permitted all the traffic from inside to outside.
    Now we want to block P2P sharing Bit torrent to internet sites. Please help me with the configuration.
    We have DMZ setup & also inline IPS module.
    Thanks in advance.
    Regards,
    Sandeshc Chavan.

    Hi Chavan,
    You can try to block this by port.
    The well known TCP ports for BitTorrent traffic are 6881-6889 (and 6969 for the tracker port).
    The config is
    access-list BLOCK-P2P-TRAFFIC extended deny tcp any any range 6881 6889 log
    access-list BLOCK-P2P-TRAFFIC extended permit ip any any
    (the second line is needed because an ACL with only deny entries would block all other traffic through the implicit deny at its end)
    and apply it to the desired interface with the "access-group" command.
    For example:
    access-group BLOCK-P2P-TRAFFIC out interface DMZ
    However, blocking BitTorrent is challenging, and can't really be done effectively with port blocks. The standard ports are 6881-6889 TCP, but the protocol can be run on any port, and the peer-to-peer nature of the protocol means that discovering peers that use unblocked ports is simple.
    Also you can execute the command netstat -a from the cmd on Windows and check the port BitTorrent is using.
    Hope this helps.
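To show concretely why the reply above says port blocks are ineffective, here is an added example (not from the thread, and not Cisco's signature logic) that compares a port-range ACL with a payload check of the kind an IPS signature performs: the BitTorrent peer-wire handshake begins with the byte 19 followed by the ASCII string "BitTorrent protocol" on whatever port the client picked. The sample flows, info_hash and peer_id bytes are constructed dummies.

```python
# Added example: port-range ACL verdict vs. payload-signature verdict on constructed flows.
BT_PSTR = b"BitTorrent protocol"
ACL_PORTS = set(range(6881, 6890))   # the "well known" 6881-6889 range from the reply

def is_bt_handshake(payload):
    """True if payload starts with the BitTorrent peer-wire handshake header.

    Layout: <pstrlen=19><pstr><8 reserved><20-byte info_hash><20-byte peer_id> = 68 bytes.
    """
    return len(payload) >= 68 and payload[0] == 19 and payload[1:20] == BT_PSTR

def blocked_by_port_acl(dst_port):
    """What the ACL in the reply would decide, looking at the port only."""
    return dst_port in ACL_PORTS

def make_handshake():
    """Constructed dummy handshake: zero reserved bits, fixed dummy info_hash/peer_id."""
    return bytes([19]) + BT_PSTR + b"\x00" * 8 + b"\x11" * 20 + b"-XX0001-" + b"\x22" * 12

# Constructed sample flows: (destination port, first payload bytes of the TCP stream)
SAMPLE_FLOWS = [
    (6881, make_handshake()),                                 # BT on its default port
    (443,  make_handshake()),                                 # BT moved to an allowed port
    (80,   b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),   # ordinary web request
    (6882, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # TLS hello on a "BT" port
]

def classify(flows):
    """Per flow: (port, blocked by port ACL?, matched by payload signature?)."""
    return [(port, blocked_by_port_acl(port), is_bt_handshake(p)) for port, p in flows]

if __name__ == "__main__":
    for port, by_acl, by_sig in classify(SAMPLE_FLOWS):
        print(f"port {port:5d}  acl_block={by_acl!s:5}  bt_signature={by_sig}")
```

The second flow is BitTorrent that the ACL lets through, and the fourth is legitimate TLS that the ACL drops; the payload check gets both right, which is the case for using the inline IPS signatures rather than a port list.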

  • Cisco ASA IPS Monitor

    Hello
    I have configured the IPS system in my ASA 5520 but I am unable to find out whether my IPS is actually working or not. The only thing I can see is CPU utilization in IDM. Can you please assist me with how I can view the IPS module activity? I have installed IDM & ASDM on my PC.
    thanks.
    Regards
    Mannan

    Please check the Inspection Load via IDM or IPS CLI (show stats virtual-sensor).
    Using the "show stats virtual-sensor", it also shows, how many packets are being processed, which signatures are firing, etc.
    Regards,
    Sawan Gupta

  • ASA IPS/ASA-SSM-10 Password Lost

    Hi.
    I just started administering an ASA with an IPS module, but the password is lost. I have tried the default but cannot get in.
    If I try to tftp using management, it is even up, but the switch does not see it up and I cannot administer it from there.
    How can I recover password from IPS module?

    Ernesto
    I found this in the configuration manual for the IPS:
    The following password recovery options exist:
    • If another Administrator account exists, the other Administrator can change the password.
    • If a Service account exists, you can log in to the service account and switch to user root using the command su - root. Use the password command to change the CLI Administrator account's password. For example, if the Administrator username is "adminu," the command is password adminu. You are prompted to enter the new password twice. For more information, see Creating the Service Account.
    You can reimage the sensor using either the recovery partition or a system image file.
    If you want to see more detail here is the URL:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055dfcd.html
    HTH
    Rick

  • ASA IPS, auto update issue

    Hi,
    I am having an issue with auto update on the IPS module installed the ASA.
    Auto Update Statistics
    lastDirectoryReadAttempt = 06:00:34 UTC Wed Feb 23 2009
    = Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
    = Error: AutoUpdate exception: Receive HTTP response failed [3,212]
    lastDownloadAttempt = N/A
    lastInstallAttempt = N/A
    nextAttempt = 06:00:00 UTC Thu Feb 24 2009
    I can see from the above that there is an HTTP response error. I have checked and there does not seem to be any other unit stopping the responses. With regard to the ASA config, do I need to allow the IPS module through the ACLs or NAT statements?
    Many thanks MJ

    Hi
    Many thanks for the response.
    Sorry, I have not made any progress with this as yet: the only thing I have done is use the packet tracer, which passed. I am just going to check the route of the packet once it has left the interface, as it has got to be that or the URL is wrong.
    Regards MJ

  • ASA IPS Transparent Design Solution Needed

    I have a query on IPS deployment. I have a customer with the following setup.
    One internal Cisco L3 switch connects to ---> two 5520 ASA firewalls in HA mode active/standby, which connect to another private network.
    Now I am asked to put an ASA 5525-X series IPS between the L3 switch & ---> the two ASA firewalls.
    What are the implementation options available without touching any config on the L3 switch or the two 5520 ASA firewalls?
    Can I set this up in a transparent mode?

    You originally stated that you wanted to place an ASA5525-X between the external L3 switch and an HA pair of existing ASA5520 firewalls. That would place the ASA5525-X on the exterior of your HA firewalls.
    The "best option" depends on cost and product support.
    Replacing your ASA5520 firewalls with 5525-X firewalls seems like an expensive way to get IPS functionality
    You could find some AIP-SSM modules. End of sale was March 2013, so you'll have to buy some used. Put them into your existing 5520s. You can still get almost 5 years of licensing and support from Cisco on them: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/eol_C51-727284.html
    Even an ASA with an IPS feature (either in software or hardware) in promiscuous mode will still interrupt traffic if you are passing traffic thru it upon some failures. The way around that would be to use a tap or a SPAN port on your L3 switch.
    Alternately you could place an inline IPS in the stream of traffic with an external FailOpen switch to divert traffic around an IPS sensor that is down.
    - Bob

  • Performance Question ASA/IPS

    I have an ASA 5550, so the max connections p/s is 33K, packets p/s is 600K. I'm looking to add an IPS at my boundary but don't want too much degradation in application performance. Looking at the datasheet for the IPS 4510 and 4360, the max connections and connections per second should provide that minimal degradation requirement. What worries me is the packets per second (600K) that the ASA can process.
    How many pps can the IPS process? I don't see that anywhere in the datasheets for the IPS.

    Hi,
    Maybe this information can help you a little bit, but I didn't find any doc that states how many pps the IPS can handle.
    Performance of Cisco IPS 4500 and 4300 Series Sensors
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps12156/white_paper_c11-716084.html
    I suggest you involve your Account Manager or Cisco Reseller so they can suggest the best platform for your network.
    HTH
    Luis Silva
    "If you need PDI (Planning, Design, Implement) assistance feel free to reach"
    http://www.cisco.com/web/partners/tools/pdihd.html

  • IPS Appliances/ASA IPS and AAA

    Aloha -
    Does anyone know if they support AAA for administrative authentication? If not, maybe in the future? Thanks!!!

    The IPS sensor software does not support any AAA features. Usernames and passwords must be defined on each box. This has been a security weakness of the platform for years and as far as we've heard is not on Cisco's roadmap.
    My IPS boxes fail every security audit and the firewall guys make fun of me.
