ASA 5510 Issue(inside network ddos traffic)

Unanswered Question
Mar 12th, 2009


We installed the ASA 5510 in our core network.

I installed Desktop insid ASA 5510(inside), outside is Core Switch

the diagram like below

Desktop(attacker) -- ASA(Transparent) -- Core Switch.

the desktop's default-gateway is Core Switch.

when We lunched the DDos Attack from desktop to victim server located core secure zone, the ASA didn't forward ddos traffic,

I found the count TX/RX pps rate equal on ASA, Why This Issue happen?

our purpose is that the ASA must forward ddos traffic from inside to outside victim server.

In my think, the ASA filterted ddos traffic from inside host desktop.

I disabled inspection(global_policy), but no effect.

What function did ASA do so that?

I should forward ddos traffic from inside attack to outside victim server.

the total topology like below

attacker -- (in) asa (out) -- core -- victim.

this is test bed.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
robertson.michael Fri, 03/13/2009 - 12:32

Hi Seungyeop,

You can find the reason that the ASA is dropping the traffic by following these steps:

1. Setup an ASP drop capture:

ASA(config)# capture drop type asp-drop all

2. Clear the ASP drop counters:

ASA# clear asp-drop

3. Initiate the traffic

4. Check the ASP drop counters:

ASA# show asp-drop

5. Check to see if your traffic shows up in the ASP drop capture:

ASA# show capture drop

If you see the traffic in the drop capture, that means it was dropped by one of the reasons shown in the output of 'show asp-drop'. If this is the case, you can tweak the capture by specifying a particular drop reason (just change the 'all' keyword to one of the drop reasons listed in

The traffic is likely being dropped due to a misconfiguration. If possible, please post a copy of your config and indicate what the source and destination IP addresses and port numbers are and we'll be glad to help.

Hope that helps.


syjeon Sat, 03/14/2009 - 08:34


firewall transparent

hostname Attack

domain-name default.domain.invalid




interface Ethernet0/0

speed 100

duplex full

nameif outside

security-level 0


interface Ethernet0/1

nameif inside

security-level 100


interface Ethernet0/2


no nameif

no security-level


interface Management0/0


no nameif

no security-level



ftp mode passive

access-list from_out extended deny ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

access-group from_out in interface outside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username cisco password 3USUcOPFUiMCO4Jk encrypted

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http server enable

http outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh outside

ssh timeout 5

console timeout 0


class-map inspection_default

match default-inspection-traffic



policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp



: end


I attached the configuration regarding your request.

I just a simple transparent configuration

the attack is located in asa inside area, and vicim located in asa outside.

our mission is that the attack's ddos traffic must be forwad to victim through transparent ASA

Regarding your opinion. the asa dropped are some of reason? if so, How can I disable the drop policy? Is it a configurable?


This Discussion