Place Mikrotik before ASA

Hello,
I have a Cisco ASA in my network. It works as my firewall and VPN server.
I cannot retire the ASA, because it is tied to my IPS system.

Since many port scanners attack my network, a friend of mine recommended that I use a Mikrotik.
I am wondering if I can place a Mikrotik between the router of my ISP and the ASA to just block all the port scanners. However, I do not know what will happen to my legitimate traffic such as VPN, RDP, and all other services.
Is it a practical solution?
Can I route all legitimate traffic from Mikrotik to the ASA and vice versa?

Yes, you could add a MikroTik device to block port scanners. What will happen to legitimate traffic depends on your routes and how you set up your firewall on the MikroTik.
You could use the “psd” attribute under “/ip firewall filter” to identify port scanners, in the “input” chain and likely the “forward” chain as well. You can read a bit more about it here, and here’s also an example:
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
https://wiki.mikrotik.com/wiki/Drop_port_scanners
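To make the "psd" idea concrete, here is an added example (not part of the original post and not MikroTik's code): a simplified Python model of weight-based port-scan detection with a 24-hour block list. The threshold values, the `>=` comparison, the class and function names, and the sample packets are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Same order as RouterOS psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight
WEIGHT_THRESHOLD = 21       # sample value (assumption)
DELAY_THRESHOLD = 3.0       # seconds between packets of one scan sequence
LOW_PORT_WEIGHT = 3         # destination port < 1024
HIGH_PORT_WEIGHT = 1        # destination port >= 1024
BLOCK_SECONDS = 24 * 3600   # models an address-list timeout of one day

@dataclass
class SourceState:
    last_seen: float = 0.0
    weight: int = 0
    ports: set = field(default_factory=set)

class ScanDetector:
    def __init__(self):
        self.state = {}          # src -> SourceState
        self.blocked_until = {}  # src -> time at which the block expires

    def packet(self, ts, src, dport):
        """Return 'drop' or 'accept' for one new connection attempt."""
        if self.blocked_until.get(src, 0) > ts:
            return "drop"                      # source is still on the block list
        st = self.state.setdefault(src, SourceState())
        if ts - st.last_seen > DELAY_THRESHOLD:
            st.weight, st.ports = 0, set()     # sequence went quiet: start over
        st.last_seen = ts
        if dport not in st.ports:              # only *different* ports add weight
            st.ports.add(dport)
            st.weight += LOW_PORT_WEIGHT if dport < 1024 else HIGH_PORT_WEIGHT
        if st.weight >= WEIGHT_THRESHOLD:
            self.blocked_until[src] = ts + BLOCK_SECONDS
            del self.state[src]
            return "drop"
        return "accept"

# Constructed sample traffic (documentation address ranges, not real hosts).
SCAN = [(0.1 * i, "203.0.113.9", 21 + i) for i in range(10)]   # sweeps ports 21..30
VPN = [(t, "198.51.100.7", 443) for t in (0.2, 0.5, 1.0, 50.0)]  # one service port

def replay(events):
    det = ScanDetector()
    return [det.packet(*e) for e in events]

if __name__ == "__main__":
    print(replay(SCAN))  # first six probes pass, then the source is blocked
    print(replay(VPN))   # repeated hits on a single port never add up to a scan
```

A client that keeps using one service port never accumulates weight, which is why legitimate VPN or RDP sessions pass while a sweep across ports is listed; a source that scans again after the block expires is simply listed again.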

If I understand correctly, you have enabled Threat Detection on the ASA (https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/firewall/asdm_71_firewall_config/protect_threat.html) and this feature is not enough for you?

Hello RiFF,
Thank you very much for your reply.
I already activated “Enable basic threat detection” and “Enabled scanning threat detection” on my ASA.
However, just as an example, early last December I noticed a threat from an IP address. The hacker was checking each port on all of my public IP addresses one by one. Although I blocked the IP in my firewall, he/she checked all ports on all IPs from 21 to 56,000s.
Or during last Christmas, someone attacked me 1,830,000s times.
My friend told me Mikrotik has a feature to block this kind of attack for 24 hours automatically, and if the attack happens again after the 24 hours, Mikrotik blocks it for 24 more hours and…
Cisco ISE has the blocking feature, but I do not have it.

There is another feature in the ASA to shun this kind of traffic, but Cisco told me it consumes a lot of resources and my ASA may crash if I keep it on. Cisco told me it is NOT recommended to turn it on.

Hello Guntis,
Thank you very much for your reply.
Let me re-phrase my question.
I have 30 public IP addresses for different services I have in my network. Let’s suppose the range is: 1.1.1.2 ~ 1.1.1.32

Suppose that the IP address of the outside of my ASA is 1.1.1.2.
Note: 1.1.1.2 is the VPN server as well.
I connect incoming internet from my ISP to outside of Mikrotik and assign 1.1.1.32 to it.
Then connect outside of my ASA to the inside of my Mikrotik.

I want the Mikrotik to receive all traffic to 1.1.1.2 ~ 1.1.1.31, check it, drop port scanners, and pass the rest of the traffic to my ASA. And vice versa.

Is it possible?