An Intrusion Detection system as we know can either work in Inline Mode (IPS) or in promiscuous mode (IDS). In inline mode, the IPS sensor can detect and block attacks by itself since all traffic passes through the sensor. However, in promiscuous mode, the IDS sensor can not block attacks by itself, but has to instruct the firewall to block the attack. This is depicted in the diagram below.

The IDS sensor in our example is connected in “parallel” (not inline) with the ASA firewall. The “Sensing Interface” of the IDS appliance is connected on the outside (Internet) network zone and is continuously monitoring traffic to detect attacks. The “Control Interface” of the IDS appliance is connected on the inside network zone and is used to communicate with the ASA firewall. If an attack is detected (e.g Attacker at address 100.100.100.1 is sending malicious traffic to Victim address 200.200.200.1), the IDS sensor instructs the ASA firewall (using the “Control Interface”) to block the attacking connection. This is done by the IDS sensor by asking the firewall to use the “shun” command to block the connection.

What is a “shun” command:

The shun command on the ASA Firewall appliance is used to block connections from an attacking host. Packets matching the values in the command are dropped and logged until the blocking function is removed manually or by the Cisco IDS sensor.

The format of the command is as following:

ASA# shun [source IP] [destination IP] 

In our example scenario above, the IDS sensor will instruct the firewall to apply the following shun command:

shun 100.100.100.1 200.200.200.1

The above will block all communication from the attacker to the victim. Cisco IPS/IDS sensors have a timer with which you define how long the command will be active. After that time, the command is removed.

Question:

Hello,

I want to enable access to server on ip address: 192.168.100.30 on port 22 located in inside interface from internet (outside)

We have ASA 5520 Cisco Adaptive Security Appliance Software Version 8.0(2)

My config (only relevant lines):

interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 172.146.147.13 255.255.255.248 standby 172.146.147.12
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
ip address 172.146.147.1 255.255.255.248 standby 172.146.147.2
!
interface GigabitEthernet0/3
nameif Inside
security-level 100
ip address 192.168.200.3 255.255.255.0 standby 192.168.200.2
.
.
access-list Inside_access_in extended permit ip 192.168.100.30 any
access-list Inside_access_in extended deny ip any any
.
.
access-list Outside_access_in extended permit tcp any host 172.146.147.15 eq ssh
access-list Outside_access_in extended deny ip any any
.
.
global (Outside) 1 172.146.147.11 netmask 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 10.1.33.0 255.255.255.0
nat (Inside) 1 10.1.34.0 255.255.255.0
nat (Inside) 1 10.1.35.0 255.255.255.0
nat (Inside) 1 10.1.36.0 255.255.255.0
nat (Inside) 1 10.1.39.0 255.255.255.0
nat (Inside) 1 10.1.41.0 255.255.255.0
nat (Inside) 1 10.1.42.0 255.255.255.0
nat (Inside) 1 10.1.44.0 255.255.255.0
nat (Inside) 1 10.1.99.0 255.255.255.0
nat (Inside) 1 10.40.2.0 255.255.255.0
nat (Inside) 1 10.40.24.0 255.255.255.0
nat (Inside) 1 192.168.100.0 255.255.255.0
nat (Inside) 1 192.168.250.0 255.255.255.0
nat (Inside) 1 192.168.96.0 255.255.248.0
static (Inside,Outside) tcp 172.146.147.15 ssh 192.168.100.30 ssh netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group DMZ_access_in in interface DMZ
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 172.146.147.14 1
route Inside 10.0.0.0 255.0.0.0 192.168.200.1 1
route Outside 172.16.101.72 255.255.255.252 195.146.147.14 1
route Inside 192.168.0.0 255.255.0.0 192.168.200.1 1
.
.

When i type telnet 172.146.147.15 22 from public internet i cant open port 22….so i dont know – is something missing or wrong?

Thanks.

Solution:

below is your outside interface config

interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 172.146.147.13 255.255.255.248 standby 172.146.147.12

you are using 255.255.255.248 as the subnet which makes 172.146.147.15 as your broadcast address. That being said, you won’t be able to access it. You need to use a different address in that range. the available addresses are 172.146.147.9 to 172.146.147.14.

regards,

With the older Cisco PIX firewall appliances, there was no way for traffic to enter a specific interface and then exit back from the same interface again. With the new Cisco ASA models, this is also not supported by default, but you can enable this functionality with the same-security-traffic permit intra-interface command.

The schematic above shows a possible scenario where this functionality can be used. All internal hosts in network 10.0.0.0/24 have the ASA as default gateway (10.0.0.254) in order to access the Internet. However, there is another internal network range (Branch Office: 192.168.10.0/24) which is accessible via a cisco router at 10.0.0.253. In order for the internal hosts to access this subnet, a static route must be configured on the ASA together with the “permit intra-interface” command, as shown below:

ciscoasa(config)# route inside 192.168.10.0 255.255.255.0 10.0.0.253 1
ciscoasa(config)# same-security-traffic permit intra-interface

All traffic from internal hosts destined to subnet 192.168.10.0 will be redirected by the ASA firewall through the Cisco router. The feature above is supported in versions 7.2(1) and later.