ASA Block Current Session

george.tsanava
Level 1

Hello,

I have an ASA 5525 and I created an access rule on it to permit ping from 172.16.10.10 to 172.16.20.10.

I'm pinging 172.16.20.10 from 172.16.10.10 with -t.

Now I want to deny ping. I modified this access rule to deny ping.

But the ping was not interrupted automatically.

I stopped it manually on 172.16.10.10, and when I tried to ping 172.16.20.10 again, it was denied.

The question is how to block the current session on the ASA to deny all unwanted traffic immediately, without stopping it manually or shutting down interfaces?

Sorry for my English :) I am new to ASA.

Thank you in advance.

Accepted Solutions

Changing the access-list doesn't delete active sessions on the ASA. You can make it work in two different ways:

  1. Do a "clear conn ..." to delete the actual session. The command takes various parameters that you can see with "clear conn ?".
  2. Do a "shun IP-ADDRESS". This command will block all connections from this IP until you manually remove the shun.
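
The two options above, written out for the addresses in the question. This is an added example, not part of the original reply; it assumes the commands are entered at the ASA's privileged EXEC prompt and uses only the basic `address` form of `clear conn`.

```cisco
! Constructed example using the source host from the question (172.16.10.10).

! 1. After changing the access rule, confirm the old flow is still present
!    in the connection table. Existing entries are not re-checked against
!    the modified ACL, which is why the running ping keeps working.
show conn address 172.16.10.10

! 2a. Option 1: delete the existing connections for that host.
!     The next packet has to build a new connection and is therefore
!     evaluated against the updated (deny) access rule.
clear conn address 172.16.10.10

! 2b. Option 2: shun the source host. This drops its traffic regardless of
!     the access rules and stays in effect until it is removed by hand.
shun 172.16.10.10

! 3. Review active shuns, and remove the shun once the access rule alone
!    should be enforcing the policy again.
show shun
no shun 172.16.10.10
```

Use `clear conn ?` on the device to see which additional filters the running software version accepts before narrowing the match further.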

Thank you, Karsten :)