
Monday, June 14, 2010

Causes of high CPU utilization on ASAs:

The following can potentially cause high CPU utilization on ASAs:

** SSH open access from outside:

ssh 0.0.0.0 0.0.0.0 outside

You should be punished if you did this on your ASA :). With SSH reachable from any source, an SSH attack from the outside can push CPU utilization high.

** Sending syslog messages as SNMP traps to a server that doesn't exist or isn't accepting them.

snmp-server enable traps syslog

** Forgetting to turn off Debugs.

** Forgetting to turn off Captures.

** RPF checks that point to ...mmmm...... nothing. Invalid route entries are one example. Or, if your ASA points to the ISP router for its default route, then RPF on the outside interface is probably not going to be very useful:

ip verify reverse-path interface outside

** Unnecessary inspection rules. If NetBIOS and TFTP inspection are not needed in the global policy-map, turn them off.

policy-map global_policy
class inspection_default
no inspect netbios
no inspect tftp

** Really complex inside-to-outside ACLs. Try grouping hosts and services into objects to shorten them.
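As an added example (not from the original post), here is a small Python audit script that flags the settings listed above in a running-config excerpt. The sample config, its addresses and the finding labels are constructed for illustration only.

```python
import re
from typing import List

# Constructed sample running-config excerpt (not from a real device); the
# line forms match the ones discussed in the post above.
SAMPLE_CONFIG = """\
hostname asa-lab
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
snmp-server enable traps syslog
ip verify reverse-path interface outside
policy-map global_policy
 class inspection_default
  inspect dns
  inspect netbios
  inspect tftp
"""

def audit_asa_config(config: str) -> List[str]:
    """Return one finding per CPU-hungry setting named in the post above."""
    findings = []
    lines = config.splitlines()
    # Interfaces that carry a default route: uRPF there is of little use.
    default_route_ifaces = set()
    for ln in lines:
        m = re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 ", ln.strip())
        if m:
            default_route_ifaces.add(m.group(1))
    in_global_policy = False
    for ln in lines:
        s = ln.strip()
        m = re.match(r"ssh 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", s)
        if m:
            findings.append(f"ssh-any: SSH open to any source on '{m.group(1)}'")
        if s == "snmp-server enable traps syslog":
            findings.append("snmp-trap-syslog: syslog messages sent as SNMP traps")
        m = re.match(r"ip verify reverse-path interface (\S+)$", s)
        if m and m.group(1) in default_route_ifaces:
            findings.append(f"rpf-default-route: uRPF on '{m.group(1)}' with a default route")
        # Top-level (unindented) lines start a new config section.
        if not ln.startswith(" "):
            in_global_policy = (s == "policy-map global_policy")
        elif in_global_policy:
            m = re.match(r"inspect (netbios|tftp)$", s)
            if m:
                findings.append(f"inspect-{m.group(1)}: disable if not needed")
    return findings

if __name__ == "__main__":
    for finding in audit_asa_config(SAMPLE_CONFIG):
        print(finding)
```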

Wednesday, June 2, 2010

How to open up ports in a Cisco ASA Firewall

Use the static command together with an access-list.

For example, if your outside interface was 92.148.146.99 and your server was 192.168.1.5:

static (Inside,Outside) tcp interface 3000 192.168.1.5 3000 netmask 255.255.255.255
access-list Outside_In extended permit tcp any host 92.148.146.99 eq 3000

static (Inside,Outside) tcp interface 1000 192.168.1.5 1000 netmask 255.255.255.255
access-list Outside_In extended permit tcp any host 92.148.146.99 eq 1000