05-07-2013 10:45 PM - edited 03-11-2019 06:40 PM
We have an ASA 5505 and we keep getting short bursts of ICMP packets (5000 in one second). They will do this and it simply overloads the ASA and it crashes.
Is this since it is 1000 past the 4000 connections per second capacity of the ASA 5505 or do we have a setting wrong some place that could prevent this type of overload from happening?
We are looking to prevent DoS and other attacks that prevent even a short loss of connection since the servers are getting attacked daily and we have voice streaming on through the ASA.
Result of the command: "show running-config"
ASA Version 8.3(1)
!
firewall transparent
hostname XXXXXXXXXXXX
domain-name XXXXXXXXXXXX.com
enable password XXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXX encrypted
names
!
interface Vlan1
nameif outside
security-level 0
!
interface Vlan2
nameif inside
security-level 100
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 2
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server XXX.XXX.XXX
name-server XXX.XXX.XXX
domain-name privatedns.com
object network XXX.XXX.XXX
host XXX.XXX.XXX
object network server2
host XXX.XXX.XXX
object network server1
host XXX.XXX.XXX
object-group network www_servers
description Serveurs web
network-object host XXX.XXX.XXX
network-object host XXX.XXX.XXX
network-object host XXX.XXX.XXX
network-object host XXX.XXX.XXX
network-object object XXX.XXX.XXX
object-group service www_srv tcp
description les services www tcp
port-object eq ftp
port-object eq ssh
port-object eq www
port-object eq https
port-object eq 3389
object-group service www_srv_udp udp
description les services udp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object host XXX.XXX.XXX
network-object host XXX.XXX.XXX
object-group icmp-type DM_INLINE_ICMP_1
icmp-object traceroute
icmp-object echo
object-group network Whitelist
description Allowed External Hosts
network-object host XXX.XXX.XXX.XXX
network-object object 2server
network-object object 1server
access-list outside_in extended permit ip object-group Whitelist object-group www_servers
access-list outside_in extended permit icmp host XXX.XXX.XXX.XXX any
access-list outside_in extended permit icmp host XXX.XXX.XXX.XXX any
access-list outside_in extended permit icmp any object-group www_servers object-group DM_INLINE_ICMP_1
access-list outside_in extended permit tcp any object-group www_servers eq imap4
access-list outside_in extended permit tcp any object-group www_servers eq 465
access-list outside_in extended permit tcp any object-group www_servers eq 587
access-list outside_in extended permit tcp any object-group www_servers eq 993
access-list outside_in extended permit tcp any object-group www_servers eq 995
access-list outside_in extended permit tcp any object-group www_servers eq 2021
access-list outside_in extended permit tcp any object-group www_servers eq 52258
access-list outside_in extended permit tcp any object-group www_servers eq 21111
access-list outside_in extended permit tcp any object-group www_servers eq 31133
access-list outside_in extended permit tcp any object-group www_servers eq 8290
access-list outside_in extended permit tcp any object-group www_servers eq 8191
access-list outside_in extended permit tcp any object-group www_servers eq 8221
access-list outside_in extended permit tcp any object-group www_servers range 5000 5100
access-list outside_in extended permit tcp any object-group www_servers eq 2238
access-list outside_in extended permit object-group TCPUDP any object-group www_servers range 62338 64838
access-list outside_in extended permit tcp any object-group www_servers eq 41234
access-list outside_in extended permit object-group TCPUDP any object-group www_servers range 7000 7500
access-list outside_in extended permit object-group TCPUDP any object-group www_servers range 20 21
access-list outside_in extended permit object-group TCPUDP any object-group www_servers range 9000 9500
access-list outside_in remark switch
access-list outside_in extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_1 host 224.0.0.2 eq 1985
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list global_mpc extended permit ip object-group Whitelist any
pager lines 24
logging enable
logging list e-mail-notification level critical
logging list e-mail-notification message 713050
logging list e-mail-notification message 611101-611102
logging buffered warnings
logging asdm warnings
logging mail emergencies
logging from-address email1@email.com
logging recipient-address email1@email.com level warnings
logging recipient-address email2@email.com level emergencies
logging message 733102 level emergencies
logging message 733100 level emergencies
mtu outside 1500
mtu inside 1500
ip address XXX.XXX.XXX.XXX 255.255.255.224
ip audit name Attack attack action alarm drop
ip audit interface outside Attack
ip audit attack action alarm drop
icmp unreachable rate-limit 1 burst-size 1
icmp permit host XXX.XXX.XXX.XXX echo outside
icmp permit host XXX.XXX.XXX.XXX echo outside
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
access-group outside_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh scopy enable
ssh timeout 1
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address XX.XX.XXX.XXX 255.255.255.255
threat-detection scanning-threat shun duration 3600
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server XXX.XXX.XXX.XXX source outside prefer
!
class-map global-class
description Flooding
match any
class-map global-class1
match access-list global_mpc
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global-policy
description Flooding
class global-class1
set connection advanced-options tcp-state-bypass
class global-class
set connection embryonic-conn-max 100 per-client-max 30 per-client-embryonic-max 10
policy-map flood
!
service-policy global-policy global
smtp-server XXX.XXX.XXX
prompt hostname context
hpm topN enable
Cryptochecksum:394907dc0408efcd8628b56dd2464b65
: end
05-08-2013 12:50 AM
If it's only ICMP packets, you can try adding the following commands:
icmp permit any unreachable outside
icmp deny any outside
so it will only allow ping/ICMP packets from host x.x.x.x and deny the rest.
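An added example, not part of the thread: a small Python evaluator for ASA interface ICMP rules (the `icmp permit|deny ... outside` lines), run against constructed lines that mirror the posted config with the masked hosts replaced by RFC 5737 documentation addresses. It models Cisco's documented behaviour for these rules (first match; all ICMP to an interface is permitted while no rule exists for it, and unmatched traffic is denied once any rule does), and it covers only ICMP addressed to the ASA interface itself; ICMP passing through the transparent firewall to the servers is governed by the `outside_in` access-list instead.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample in the style of the posted config; the masked XXX hosts are
# replaced with documentation addresses, so these are not the poster's real values.
BEFORE = [
    "icmp permit host 198.51.100.10 echo outside",
    "icmp permit host 198.51.100.11 echo outside",
]
# The same interface with the two lines from the reply appended. Permitting
# unreachables before the deny keeps path-MTU discovery working.
AFTER = BEFORE + [
    "icmp permit any unreachable outside",
    "icmp deny any outside",
]

# (action, source network, icmp type or None for all types, interface name)
Rule = Tuple[str, ipaddress.IPv4Network, Optional[str], str]


def parse_icmp_rules(lines: List[str]) -> List[Rule]:
    """Parse 'icmp {permit|deny} {host A|any|A MASK} [type] IFNAME' in config order."""
    rules: List[Rule] = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
            continue
        if tok[2] == "host":
            src, rest = ipaddress.ip_network(tok[3]), tok[4:]
        elif tok[2] == "any":
            src, rest = ipaddress.ip_network("0.0.0.0/0"), tok[3:]
        else:  # address followed by a dotted netmask
            src, rest = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False), tok[4:]
        icmp_type = rest[0] if len(rest) == 2 else None  # omitted type = all types
        rules.append((tok[1], src, icmp_type, rest[-1]))
    return rules


def to_the_box_verdict(rules: List[Rule], src_ip: str, icmp_type: str, ifname: str) -> str:
    """First matching rule on the interface wins. No rules at all on the interface
    means everything is permitted; with rules present, no match means deny."""
    on_if = [r for r in rules if r[3] == ifname]
    if not on_if:
        return "permit"
    ip = ipaddress.ip_address(src_ip)
    for action, src, rule_type, _ in on_if:
        if ip in src and (rule_type is None or rule_type == icmp_type):
            return action
    return "deny"
```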
05-08-2013 09:37 AM
Hello,
I would actually recommend you to go to your ISP and explain to them what is going on so they can prevent that traffic from wasting your bandwidth.
Regards,
Julio Carvajal