WMI
just joined
Topic Author
Posts: 3
Joined: Sun Dec 29, 2019 6:33 am

Place Mikrotik before ASA

Sun Dec 29, 2019 6:45 am

Hello,
I have a Cisco ASA in my network. It works as my firewall and VPN server.
I cannot retire the ASA, because it ties into my IPS system.

Since many port scanners attack my network, a friend of mine recommended that I use a MikroTik.
I am wondering if I can place the MikroTik between my ISP's router and the ASA just to block all the port scanners. However, I do not know what will happen to my legitimate traffic such as VPN, RDP, and all other services.
Is it a practical solution?
Can I route all legitimate traffic from the MikroTik to the ASA and vice versa?
 
Guntis
MikroTik Support
Posts: 54
Joined: Fri Jul 20, 2018 1:40 pm

Re: Place Mikrotik before ASA

Mon Dec 30, 2019 10:57 am

Yes, you could add a MikroTik device to block port scanners. What will happen to legitimate traffic depends on your routes and how you set up your firewall on the MikroTik.
You could use the "psd" attribute under "/ip firewall filter" to identify port scanners, in the "input" chain and likely the "forward" chain as well. You can read a bit more about it here, and here's also an example:
https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter
https://wiki.mikrotik.com/wiki/Drop_port_scanners
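An added example (not from this post or the linked wiki pages) of what a psd-based rule set looks like in both chains, with the 24-hour ban the thread asks about. It assumes the MikroTik sits between the ISP router and the ASA with the Internet on an interface named "ether1-wan"; the interface name, the list names and the 192.0.2.10 management host are assumptions.

```routeros
# Constructed placeholder: a management host that must never be banned,
# even if it runs a vulnerability scan on purpose.
/ip firewall address-list
add list=trusted address=192.0.2.10 comment="admin workstation (placeholder)"

/ip firewall filter
# 1. Exempt trusted sources before any scanner logic runs.
add chain=input src-address-list=trusted action=accept comment="trusted: skip scanner checks"
add chain=forward src-address-list=trusted action=accept comment="trusted: skip scanner checks"

# 2. Drop sources already listed, both toward the router itself (input)
#    and toward the ASA and the public block behind it (forward).
#    These sit above the detection rules so a listed source is cut off
#    on its next packet; put them before your generic accept rules.
add chain=input in-interface=ether1-wan src-address-list="port scanners" action=drop comment="drop listed scanners"
add chain=forward in-interface=ether1-wan src-address-list="port scanners" action=drop comment="drop listed scanners"

# 3. Port-scan detection. psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight:
#    each new destination port below 1024 scores 3, any other port scores 1;
#    a source that reaches 21 points within 3 seconds is listed for 1d.
#    address-list-timeout=1d gives the 24-hour ban; when it expires and the
#    same source scans again, this rule simply lists it for another 1d.
#    A VPN or RDP client only ever hits one or two ports, so it never scores 21.
add chain=input in-interface=ether1-wan protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=1d comment="psd: scan of router"
add chain=forward in-interface=ether1-wan protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=1d comment="psd: scan of hosts behind ASA"

# 4. Malformed-flag probes (NULL, FIN, Xmas) never carry a real session,
#    so a single packet is enough to list the source.
add chain=forward in-interface=ether1-wan protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=1d comment="NULL scan"
add chain=forward in-interface=ether1-wan protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=1d comment="FIN scan"
add chain=forward in-interface=ether1-wan protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=1d comment="Xmas scan"
add chain=forward in-interface=ether1-wan protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=1d comment="SYN/FIN scan"

# Inspect what got caught (and when each entry expires) with:
# /ip firewall address-list print where list="port scanners"
```

If the ASA's public block is bridged through the MikroTik rather than routed, bridged packets only reach these forward-chain rules after `/interface bridge settings set use-ip-firewall=yes`. Watch the list for a day or two before trusting the thresholds, since a legitimate monitoring service that polls many ports would be listed as well.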
 
RiFF
just joined
Posts: 11
Joined: Sun Apr 29, 2018 9:35 pm

Re: Place Mikrotik before ASA

Mon Dec 30, 2019 10:01 pm

If I understand correctly, you have enabled Threat Detection on the ASA (https://www.cisco.com/c/en/us/td/docs/s ... hreat.html) and this feature is not enough for you?
 
WMI
just joined
Topic Author
Posts: 3
Joined: Sun Dec 29, 2019 6:33 am

Re: Place Mikrotik before ASA

Wed Jan 01, 2020 11:29 pm

Hello RiFF,
Thank you very much for your reply.
I already activated "Enable basic threat detection" and "Enable scanning threat detection" on my ASA.
However, just as an example, early last December I noticed a threat from an IP address. The hacker was checking each port on all of my public IP addresses one by one. Although I blocked the IP in my firewall, he/she checked all ports on all IPs from 21 up to the 56,000s.
Or during last Christmas, someone attacked me 1,830,000 times.
My friend told me MikroTik has a feature to block this kind of attack for 24 hours automatically, and if the attack happens again after the 24 hours, MikroTik blocks it for another 24 hours, and so on...
Cisco ISE has the blocking feature, but I do not have it.

There is another feature in the ASA to shun this kind of traffic, but Cisco told me it consumes a lot of resources and my ASA may crash if I keep it on. Cisco told me it is NOT recommended to turn it on.
 
WMI
just joined
Topic Author
Posts: 3
Joined: Sun Dec 29, 2019 6:33 am

Re: Place Mikrotik before ASA

Wed Jan 01, 2020 11:43 pm

Hello Guntis,
Thank you very much for your reply.
Let me re-phrase my question.
I have 30 public IP addresses for different services I have in my network. Let's suppose the range is 1.1.1.2 ~ 1.1.1.32.

Suppose that the IP address of the outside interface on my ASA is 1.1.1.2.
Note: 1.1.1.2 is the VPN server as well.
I connect the incoming Internet from my ISP to the outside of the MikroTik and assign 1.1.1.32 to it.
Then I connect the outside of my ASA to the inside of my MikroTik.

I want the MikroTik to receive all traffic to 1.1.1.2 ~ 1.1.1.31, check it, drop port scanners, and pass the rest of the traffic to my ASA. And vice versa.

Is it possible?
