UDP and ICMP help!
itdaddy
Member Posts: 2,089 ■■■■□□□□□□
Hey guys
these are the two config statements I have just issued on my ASA5505.
crap I had hundreds of outside UDP traffic to my local PC..I was like holy crap.
So I created the UDP deny all statement. ANy of you guys encounter 100s or UDP hits
I mean the syslog would say built from inside many public ips to my local server ip. I fast
shut that off. I do not need 100s of connections from outside in to my local server. any of
you guys encounter 100s of foreign UDP connections???? with your firewalls. or should I have
set this deny UDP line up along time ago as standard lockdown practice..thank God I watch my syslog...
access-list outside_in extended deny udp any any log
access-list outside_in extended deny icmp any any echo-reply log
question1:
will my denying UDP any any hurt anything? I guess I will know huh?
question2:
how in the heck does one stop public ICMP echo pings from hitting my public IP on my ASA 5505? How do you stop pings from hitting my ASA and someone knowing I am there?
I issued the above ACL and still you can ping my public IP as if no statement were made
what did I do wrong or what is the trick on this ASA 5505. The more I config this beast the more I realize there are many lock down tricksss
Help anyone?
thanks
these are the two config statements I have just issued on my ASA5505.
crap I had hundreds of outside UDP traffic to my local PC..I was like holy crap.
So I created the UDP deny all statement. ANy of you guys encounter 100s or UDP hits
I mean the syslog would say built from inside many public ips to my local server ip. I fast
shut that off. I do not need 100s of connections from outside in to my local server. any of
you guys encounter 100s of foreign UDP connections???? with your firewalls. or should I have
set this deny UDP line up along time ago as standard lockdown practice..thank God I watch my syslog...
access-list outside_in extended deny udp any any log
access-list outside_in extended deny icmp any any echo-reply log
question1:
will my denying UDP any any hurt anything? I guess I will know huh?
question2:
how in the heck does one stop public ICMP echo pings from hitting my public IP on my ASA 5505? How do you stop pings from hitting my ASA and someone knowing I am there?
I issued the above ACL and still you can ping my public IP as if no statement were made
what did I do wrong or what is the trick on this ASA 5505. The more I config this beast the more I realize there are many lock down tricksss
Help anyone?
thanks
Comments
-
sprkymrk Member Posts: 4,884 ■■■□□□□□□□You need to drop ICMP (IP Protocol 1) at the firewall, or at least ICMP echo requests in order to stop ping.
Those UDP requests, are they originating from outside your firewall, or are they simply replies to something your server is initiating? Are they DNS replies, for example?
Blocking inbound DNS will stop DNS replies, unless you have an allow statement ahead of your deny or you are using reflexive ACL's. Same with NTP. Those are just a couple off the top of my head. I would do some more digging and find out a little more about the UDP traffic. Good luck.All things are possible, only believe. -
itdaddy Member Posts: 2,089 ■■■■□□□□□□sprkymrk
thanks i thought i had the icmp statement correct but it is not working so i am sure i have something wrong but it looks right? what i have everything else i config worked
yeah yuo are right i do have some DNS replies to my 208.67.222.222 open dns source which is fine..
the udps I am worried about are the ones that say somethingdomain.ne somethingdomain.den. I did nslookups on each ip and found they are from Europe and i have nothing running that would cause udp traffic from europes so it freaking me out so i set the inbound udp traffic to stop altogether. and of course the outbound from my DNS server is fine becausemy DNS server inside is a forwarder and needs to go outside to 208.67.222.222 dns site that i use...yeah thank God for syslogs, i like to watch these like a hawk and see what is coming thru..i log everything and the ASDM is nice to look at wish i could upgrade my ASDM but with my 7.2(4) ios well i cant..and i cannot find a higher ios for my asa unless i pay big bucks;(
thanks for the reply will do.
robert -
itdaddy Member Posts: 2,089 ■■■■□□□□□□oh yeah and all the udp traffic from trying to come in has stopped no more european ips coming thru trying to connect. but to me it looked like the were initiated from inside
i may have some risky software and need to look into that....looks like a reverse udp request if that is possible?
but all bad traffic has stpped with my new acl DENY udp in statement and i keep watching
My asa 5505 has been fun alittle weird and different than a router NAT firewall but challenging and fun .and is working and seems to be locked down. ;)next step vpn/ssl
for my mobile pc and ipv6 tunnel relay setup so i can access ipv6 works that is going to be the coolest to setup hee hee -
Met44 Member Posts: 194
access-list outside_in extended deny icmp any any echo-reply log
If this is applied inbound on your outside interface, then you would be blocking echo replies coming in to your LAN. So, if you pinged from your LAN to an external IP address, the incoming echo reply from the remote server would be blocked at your firewall.
To stop external entities from being able to ping you, you would instead want to block incoming echo request traffic on the outside interface.