We have installed an ASA 5505 in the Datacenter and configured two zones, DMZ and Inside. The App Servers are placed in the DMZ and the DB Servers are placed in the Inside Zone. One unmanageable switch is connected to the DMZ interface of the FW and the second one to the Inside interface. We are experiencing so many issues in the Datacenter Network, getting very delayed responses while working on the Servers and facing very strange behaviour. I used the sh interface dmz stats command on the FW and the report is attached for your reference. I am assuming the number of dropped packets is huge, but I need your feedback in this regard as well. Please help and provide your feedback. Thanks!!!
Hi, may I know first what ASL is? I have checked the NAT commands, which are configured properly. I am seeing a very interesting thing: the shun command is enabled for three Servers, of which two are in the DMZ and one is Inside, and all traffic is being blocked in the Syslog output. When I run no shun for all three Servers, the Servers become accessible, but after some time I again see that shun is enabled for all three Servers. Please do the needful on a priority basis.
The Configuration file is attached for your reference.
The shun command allows a dynamic response to an attacking host by preventing new connections and disallowing packets from any existing connection. So I would remove this for the DMZ - and then re-test connectivity.
shun Keyword to enable shunning over hosts conducting scanning
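The behaviour described above (a host reappearing in the shun list shortly after "no shun") matches the ASA's scanning-threat detection re-shunning it automatically. The fragment below is an added configuration example, not taken from any poster's config; it assumes scanning-threat shun is what is enabled on this ASA, and the server addresses are placeholders.

```cisco
! --- Setting that keeps re-shunning the servers (assumed) ---
! Scanning-threat detection with automatic shun: any host whose
! connection rate crosses the scanning threshold (a busy app server
! talking to its DB qualifies) is shunned again after "no shun" is
! issued, for the configured shun duration.
threat-detection scanning-threat shun

! --- Corrected setting: keep detection, exempt the known servers ---
! Placeholder addresses; replace with the real DMZ and Inside server IPs.
object-group network KNOWN-SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
 network-object host 198.51.100.20
threat-detection scanning-threat shun except object-group KNOWN-SERVERS
! Cap how long an automatic shun lasts (seconds) so a false positive
! clears itself instead of blocking a server indefinitely.
threat-detection scanning-threat shun duration 600

! --- Verification (privileged EXEC) ---
! Hosts threat detection has shunned, and the attackers it has flagged:
! show threat-detection shun
! show threat-detection scanning-threat attacker
! All shuns currently active on the box (manual and automatic):
! show shun
! Remove one automatic shun without touching manual entries:
! clear threat-detection shun 192.0.2.10
```

After applying the exemption, watch the syslog for further shun additions; if the servers still show up in show threat-detection scanning-threat attacker, the rate thresholds rather than the shun list are the next thing to tune.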
This information that I'm posting is related to an ASA5505, however I'm sure other ASAs have the same type of functionality (and better).
As far as I can see, any other SHUN entries (base license, no extra modules) would have to be added manually. There is also basic IPS for info/attack signatures (some of which, I was told, could be triggered by a defective NIC or a computer infected with a trojan/virus); however, the 5505 doesn't allow you to shun based on one of those signatures being detected. It allows any or all of three actions: drop (packet to be dropped), reset (reset the entire connection) or alarm (syslog).
In regards to info/attack signatures, have a look at ip audit. This is out of my own config: