Aug 21

How to suppress reset flag for dropped packets on Cisco ASA firewall

Cisco ASA by default inspects incoming packets and if it match one of standard audit signatures performs three actions “alarm”, “drop” and “reset”. This is definitely good thing as protects our network against potential attackers but cause one significant issue. Many companies require to pass PCI DSS compliance or other similar security checks. Typical security scan will point out that ASA responds to “dodgy” packets. Response is nothing else but “reset” message which tells hacker that there is a device which may become a target for proper attack. In order to fix this problem you will need to customize default ip audit action as per example below.

Firewall configuration

conf t
ip audit name DropSilent_Outside attack action alarm drop
ip audit interface outside DropSilent_Outside
wr mem

After configuration if applied on desired interface (outside in our example) you can check audit statistics.

show ip audit count

Follow me!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>