Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
757
Views
0
Helpful
2
Replies

ASA 5510 Issue(inside network ddos traffic)

syjeon
Level 1
Level 1

‎03-12-2009 10:39 AM - edited ‎03-11-2019 08:03 AM

HI

We installed the ASA 5510 in our core network.

I installed Desktop insid ASA 5510(inside), outside is Core Switch

the diagram like below

Desktop(attacker) -- ASA(Transparent) -- Core Switch.

the desktop's default-gateway is Core Switch.

when We lunched the DDos Attack from desktop to victim server located core secure zone, the ASA didn't forward ddos traffic,

I found the count TX/RX pps rate equal on ASA, Why This Issue happen?

our purpose is that the ASA must forward ddos traffic from inside to outside victim server.

In my think, the ASA filterted ddos traffic from inside host desktop.

I disabled inspection(global_policy), but no effect.

What function did ASA do so that?

I should forward ddos traffic from inside attack to outside victim server.

the total topology like below

attacker -- (in) asa (out) -- core -- victim.

this is test bed.

Labels:
0 Helpful
2 Replies 2

robertson.michael
Level 3
Level 3

‎03-13-2009 12:32 PM

Hi Seungyeop,

You can find the reason that the ASA is dropping the traffic by following these steps:

1. Setup an ASP drop capture:

ASA(config)# capture drop type asp-drop all

2. Clear the ASP drop counters:

ASA# clear asp-drop

3. Initiate the traffic

4. Check the ASP drop counters:

ASA# show asp-drop

5. Check to see if your traffic shows up in the ASP drop capture:

ASA# show capture drop

If you see the traffic in the drop capture, that means it was dropped by one of the reasons shown in the output of 'show asp-drop'. If this is the case, you can tweak the capture by specifying a particular drop reason (just change the 'all' keyword to one of the drop reasons listed in http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s2_72.html#wp1174735).

The traffic is likely being dropped due to a misconfiguration. If possible, please post a copy of your config and indicate what the source and destination IP addresses and port numbers are and we'll be glad to help.

Hope that helps.

-Mike

0 Helpful

syjeon
Level 1
Level 1
In response to robertson.michael

‎03-14-2009 08:34 AM

!

firewall transparent

hostname Attack

domain-name default.domain.invalid

names

dns-guard

!

interface Ethernet0/0

speed 100

duplex full

nameif outside

security-level 0

!

interface Ethernet0/1

nameif inside

security-level 100

!

interface Ethernet0/2

shutdown

no nameif

no security-level

!

interface Management0/0

shutdown

no nameif

no security-level

management-only

!

ftp mode passive

access-list from_out extended deny ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address xxx.xxx.xxx.xxx 255.255.255.248

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

access-group from_out in interface outside

route outside 0.0.0.0 0.0.0.0 172.16.10.129 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username cisco password 3USUcOPFUiMCO4Jk encrypted

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

Cryptochecksum:faf0fece26865849f10c6c0c6a41d7e4

: end

---------------------------------------

I attached the configuration regarding your request.

I just a simple transparent configuration

the attack is located in asa inside area, and vicim located in asa outside.

our mission is that the attack's ddos traffic must be forwad to victim through transparent ASA

Regarding your opinion. the asa dropped are some of reason? if so, How can I disable the drop policy? Is it a configurable?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card