Unanswered Question
Dec 26th, 2008
We have installed an ASA 5505 in the datacenter and configured two zones, DMZ and Inside. The app servers are placed in the DMZ and the DB servers are placed in the Inside zone. One unmanageable switch is connected to the DMZ interface of the FW and a second one to the Inside interface. We are experiencing many issues in the datacenter network, getting very delayed responses while working on the servers, and seeing very strange behaviour. I used the sh interface dmz stats command on the FW and the report is attached for your reference. I am assuming the number of dropped packets is huge, but I need your feedback in this regard as well. Please help and give your feedback. Thanks!!!

ray_stone Sat, 12/27/2008 - 00:37

Hi, may I know first what ASL is? I have checked the NAT commands, which are configured properly. I am seeing a very interesting thing: the shun command is enabled for three servers, two of which are in the DMZ and one in Inside, and all traffic is being blocked in the syslog output. When I run no shun for all three servers, the servers become accessible, but after some time I see that shun is enabled again for all three servers. Please do the needful on a priority basis.

The Configuration file is attached for your reference.


ray_stone Sat, 12/27/2008 - 03:46

Yes, I have removed it, and at the same time I am able to access all servers. But after some time I see in the syslogs that the shun has been established again and all traffic is being blocked. Please suggest.

godinerik Mon, 01/05/2009 - 01:06

I'm still fairly new to ASAs so this might not be the only case, however, one case where a SHUN is automatically applied is for port-scanning attacks:

fw-ASA5505(config)# threat-detection scanning-threat ?

configure mode commands/options:

shun Keyword to enable shunning over hosts conducting scanning

This information that I'm posting is related to an ASA5505, however I'm sure other ASAs have the same type of functionality (and better).

As far as I can see, any other SHUN entries (base license, no extra modules) would have to be added manually. There is also basic IPS for info/attack signatures (some of which, I was told, could be triggered by a defective NIC or a computer infected with a trojan/virus); however, the 5505 doesn't allow you to shun based on one of those signatures being detected. It allows any or all of 3 actions: drop (packet to be dropped), reset (reset the entire connection) or alarm (syslog).

In regards to info/attack signatures, have a look at ip audit. This is out of my own config:

fw-ASA5505(config)# show run ip audit info

ip audit info action alarm drop

fw-ASA5505(config)# show run ip audit attack

ip audit attack action alarm reset
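The following ASA CLI sequence is an added example, not part of godinerik's reply or the poster's attached configuration. It shows how to confirm that the recurring shun entries come from scanning-threat detection rather than a manual shun, how to clear the current automatic entry, and how to exempt the three servers so threat detection stops re-shunning them while still watching the rest of the network. The IP addresses (192.0.2.10, 192.0.2.11, 10.0.0.20) and the 600-second duration are placeholders; substitute the real server addresses from the syslog output.

```cisco
! Added example: diagnosing and tuning automatic shuns on an ASA 5505.
! Addresses below are placeholders, not values from the thread.

! 1. Is threat-detection shunning enabled, and which hosts are currently shunned?
show running-config threat-detection
show threat-detection shun
show shun

! 2. Which rate thresholds are being exceeded, and by which hosts?
show threat-detection rate
show threat-detection statistics host

! 3. Remove the current automatic shun for one server (repeat per address)
clear threat-detection shun 192.0.2.10

! 4. Keep scanning-threat detection on, but never auto-shun the known servers
configure terminal
threat-detection scanning-threat shun except ip-address 192.0.2.10 255.255.255.255
threat-detection scanning-threat shun except ip-address 192.0.2.11 255.255.255.255
threat-detection scanning-threat shun except ip-address 10.0.0.20 255.255.255.255
! Optional: bound how long any remaining automatic shun lasts (seconds)
threat-detection scanning-threat shun duration 600
end
write memory
```

The exempt list is the durable fix here: a shun cleared by hand comes back as soon as the server's connection rate again exceeds the scanning-threat thresholds, which busy app or DB servers behind an unmanaged switch can easily do. Check show threat-detection statistics host afterwards to confirm the servers still show up as detected but no longer as shunned.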
