Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5520 shun options?

I have searched for an answer on this with no luck.

My question is in an ASA 5520 v7.2, is the correct syntax to shun a complete network block;

ASA(config)# shun 192.168.1.0

Every documented procedure I have found only talks about specific IP addresses, not entire range or subnet.

Thanx for any advice.

Wayne

1 REPLY

Re: ASA 5520 shun options?

Hi Wayne,

I think the reason why shun command does not support the network ID, only specific individual address was due to the connection pair registered in firewall connection table that contains IP to IP session. Firewall will examine this table and the connection building process to identify and shun the specified connections - based on source and destination address pair.

FWSM 2.x:

Firewall#shun src_ip [dst_ip sport dport [protocol]] [vlan_id]

PIX 6.x:

Firewall#shun src_ip [dst_ip sport dport [protocol]]

PIX 7.x:

Firewall#shun src_ip [dst_ip sport dport [protocol]] [vlan_id]

Rgds,

AK

1094
Views
0
Helpful
1
Replies
CreatePlease login to create content