Problem with vulnerability scans opening tens of thousands of connections on ASA 5520, depleting resources and crashing the firewall
We have an ASA 5520 running ASA version 8.2(2)16 with 2GB of RAM. Several weeks ago we encountered a problem when scans of one of the DMZs from our threat appliance caused the firewall to open tens of thousands of connections, ultimately exceeding the capacity of this firewall and creating a denial of service event. The scanning appliance has been in place for years and there were no recent static NAT or routing changes to the firewall. The scanning appliance is provided by a third party and receives regular updates. I'm trying to determine if the problem is with the firewall or the scanning appliance.
Never had these problems in the last years. But your ASA version is quite old and I would update it to a newer version. You can go to 8.2.5 without any bigger changes to your config, but I would also consider upgrading to 8.4.7, though that involves much more work because of the new NAT syntax.
I'm planning on upgrading to 8.2.5 within the next two months, but going any further doesn't seem possible. We have way too many NAT exempt statements and there isn't a way to test the changes to the config without it being in production.
I've recently configured a spare 5520 from scratch using the same ASA version as my production firewalls, 8.2(2)16. As part of this test firewall, I created a new DMZ VLAN in which I placed three VMs running Windows Server 2008 R2. I have made very few changes to the firewall, keeping it as simple as possible. I have run numerous scans from our threat manager, scanning all ports on the hosts in the /24 network, and obtained results similar to those seen on our production network: excessive CPU utilization and over ten thousand connections. I have attached a copy of the test firewall config along with screenshots of ASDM taken during the scans. Does anyone have any suggestions on how to mitigate this issue?
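One mitigation a practitioner would try on 8.2 code while the scanner vendor is being consulted, as an added example that is not from the thread or the poster's attached config: a Modular Policy Framework class that caps how many connections (and half-open connections) the scanner may hold through the firewall at once, shortens the embryonic timeout so SYN-scan state ages out quickly, and exempts the scanner from scanning-threat shunning so the ASA does not blackhole it. The scanner address 10.1.1.50, the limits and the timeout value are assumptions; the `global_policy` policy-map exists on a default 8.2 configuration, so the class is added to it rather than replacing it.

```text
! Constructed example, not the poster's config. Scanner address 10.1.1.50,
! the connection limits and the timeout are assumptions to be tuned.
access-list SCANNER-CONN extended permit ip host 10.1.1.50 any
!
class-map SCANNER-CONN-CLASS
 match access-list SCANNER-CONN
!
! Cap the scanner's total and half-open connections; excess SYNs are dropped
! instead of consuming conn table entries and CPU.
policy-map global_policy
 class SCANNER-CONN-CLASS
  set connection per-client-max 2000 per-client-embryonic-max 1000
  set connection timeout embryonic 0:00:10
!
service-policy global_policy global
!
! If scanning-threat detection is enabled, exempt the scanner so the ASA does
! not shun it once its SYN rate trips the thresholds.
threat-detection scanning-threat shun except ip-address 10.1.1.50 255.255.255.255
!
! Verify during a scan (from enable mode):
!   show conn count
!   show cpu usage
!   show resource usage
!   show service-policy          (drop counters under the SCANNER-CONN-CLASS entry)
!   show asp drop                (connection-limit drop reasons incrementing)
```

The caveat: any connection cap will make the scanner report timeouts or incomplete port coverage on the capped DMZ, so the limits need to be agreed with the scanning vendor, and the `show conn count` and `show cpu usage` numbers taken on the spare 5520 before and after applying the policy are the evidence that decides whether the firewall or the scan profile is the problem.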