network is super slow after a lot of deny tcp log in ASA 5510

nyein chan tun
Level 1

Hi all experts,

I use an ASA 5510, and these days I am facing the problem that the internet is very slow. When I check the real-time log viewer at debugging level, I find the following logs:

6|Jun 29 2011|15:47:53|106015|123.123.123.123|416|111.222.111.222|80|Deny TCP (no connection) from 123.123.123.123/416 to 111.222.111.222/80 flags ACK  on interface Inside

4|Jun 29 2011|15:47:53|106023|123.123.123.123|852|111.222.111.222|80|Deny tcp src Inside:123.123.123.123/852 dst Outside:111.222.111.222/80 by access-group "Internal_access_in" [0x0, 0x0]

A lot of log messages come out, and I notice that the IP 111.222.111.222 is trying to attack my network. At that moment my network is very slow and nearly down. When I block that IP with an access list, the network is up again. But after a few moments the attack comes from another IP; it is terrible and tiring to block a lot of IPs by ACL.

Please advise me how to prevent this issue.

Thanks ,

6 Replies

varrao
Level 10

Hi Chan,

I would suggest you shun the IP address on the firewall, but this attack should be mitigated on an upstream device rather than on the firewall.

shun 111.222.111.222

Hope this helps

Thanks

Varun


Hi Varun,

Thanks for the advice, but the attacking IP is always changing, from different locations. How can I prevent this for multiple locations and IPs in the ASA?

Thanks,

Chan

Is the source IP always changing? Or is it always sending requests to a different destination IP?

Varun


Your log shows that this is being blocked on Inside. Maybe 123.123.123.123 is infected?

Hi Varun & Reed,

The source IP always changes (it is not our local source IP) and the destination IP does not change. It seems like this:

4|Jun 29 2011|15:47:53|106023|123.123.123.123|852|111.222.111.222|80|Deny tcp src Inside:123.123.123.123/852 dst Outside:111.222.111.222/80 by access-group "Internal_access_in" [0x0, 0x0]

4|Jun 29 2011|15:47:53|106023|100.200.100.200|852|111.222.111.222|80|Deny tcp src Inside:100.200.100.200/852 dst Outside:111.222.111.222/80 by access-group "Internal_access_in" [0x0, 0x0]

Actually 111.222.111.222, 123.123.123.123 and 100.200.100.200 are not our internal public IPs. When I block 111.222.111.222, the internet is OK, and after a while it comes from another IP. So it is terrible to monitor and try to block every IP each time.

I tried configuring the outside interface with the command "ip verify reverse-path interface outside", and also tried blocking with the shun command.

Please suggest what I should do to protect my network.

Thanks,

Chan

Hi Chan,

You can look into threat detection with shunning enabled as an option. But BEWARE, that can cause high CPU on the firewall and should be used only temporarily. Better to have your ISP look into it and try blocking the source of the attacks.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html

Regards,

Prapanch
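As an added example that is not part of this thread or of Cisco's documentation: a small Python script that parses pipe-delimited lines of the kind pasted above from the ASA real-time log viewer (message IDs 106015 and 106023), aggregates them, lists sources that arrived on the Inside interface but are not internal addresses (the spoofing pattern Chan describes, which "ip verify reverse-path interface inside" would catch when no route to those sources points back through Inside), and prints candidate "shun" commands for the external addresses that keep appearing. The internal prefixes, the threshold of 2 hits, and the sample log lines are constructed assumptions; the lines include the thread's own two examples plus a second spoofed source, one genuine internal host, and an unrelated 302013 line that the parser must ignore.

```python
"""Triage ASA deny logs of the kind shown in this thread.

Parses pipe-delimited lines as exported by the ASDM real-time log viewer
(severity|date|time|msgid|src|sport|dst|dport|message) for message IDs
106023 (ACL deny) and 106015 (TCP packet with no matching connection).
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# ASSUMPTION: RFC 1918 space stands in for the poster's real internal prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# 106023: Deny tcp src Inside:A/p dst Outside:B/q by access-group "NAME" [...]
RE_106023 = re.compile(
    r'src (?P<inif>\S+?):(?P<src>[\d.]+)/(?P<sport>\d+) dst (?P<outif>\S+?):(?P<dst>[\d.]+)/(?P<dport>\d+)'
    r' by access-group "(?P<acl>[^"]+)"')
# 106015: Deny TCP (no connection) from A/p to B/q flags ACK  on interface Inside
RE_106015 = re.compile(
    r'from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?)\s+on interface (?P<inif>\S+)')


@dataclass(frozen=True)
class Denial:
    msgid: str
    ingress: str   # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    detail: str    # ACL name (106023) or TCP flags (106015)


def parse_line(line: str) -> Optional[Denial]:
    """Return a Denial for a 106023/106015 line, None for anything else."""
    parts = line.strip().split("|")
    if len(parts) < 9:
        return None
    msgid, text = parts[3], "|".join(parts[8:])
    if msgid == "106023" and (m := RE_106023.search(text)):
        return Denial(msgid, m["inif"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["acl"])
    if msgid == "106015" and (m := RE_106015.search(text)):
        return Denial(msgid, m["inif"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"].strip())
    return None


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(lines: Iterable[str], inside_if: str = "Inside", shun_threshold: int = 2) -> dict:
    """Aggregate denials and derive the three things the thread is after:
    - which external addresses keep showing up (candidates for 'shun'),
    - sources seen on the inside interface that are not internal (spoofed or
      mis-routed; uRPF on that interface drops them when no route to the
      source points back through it),
    - how many are bare ACKs with no connection (message 106015)."""
    denials = [d for d in (parse_line(ln) for ln in lines) if d]
    by_dst = Counter(d.dst for d in denials)
    external_hits = Counter()
    for d in denials:
        for ip in (d.src, d.dst):
            if not is_internal(ip):
                external_hits[ip] += 1
    spoofed_inside = sorted({d.src for d in denials if d.ingress == inside_if and not is_internal(d.src)})
    stray_acks = sum(1 for d in denials if d.msgid == "106015" and "ACK" in d.detail)
    # 'shun <ip>' on the ASA drops every further packet from that host; these
    # are candidates to review (and to hand to the ISP), not to apply blindly.
    shun_commands = [f"shun {ip}" for ip, n in external_hits.most_common() if n >= shun_threshold]
    return {"denials": len(denials), "by_dst": by_dst, "spoofed_inside": spoofed_inside,
            "stray_acks": stray_acks, "shun_commands": shun_commands}


# Constructed sample: the thread's two log lines, a second spoofed source, one
# genuine internal host hitting the same ACL, and an unrelated 302013 line.
SAMPLE_LOG = """\
6|Jun 29 2011|15:47:53|106015|123.123.123.123|416|111.222.111.222|80|Deny TCP (no connection) from 123.123.123.123/416 to 111.222.111.222/80 flags ACK  on interface Inside
4|Jun 29 2011|15:47:53|106023|123.123.123.123|852|111.222.111.222|80|Deny tcp src Inside:123.123.123.123/852 dst Outside:111.222.111.222/80 by access-group "Internal_access_in" [0x0, 0x0]
4|Jun 29 2011|15:47:53|106023|100.200.100.200|852|111.222.111.222|80|Deny tcp src Inside:100.200.100.200/852 dst Outside:111.222.111.222/80 by access-group "Internal_access_in" [0x0, 0x0]
4|Jun 29 2011|15:47:54|106023|10.1.1.25|51000|203.0.113.9|23|Deny tcp src Inside:10.1.1.25/51000 dst Outside:203.0.113.9/23 by access-group "Internal_access_in" [0x0, 0x0]
6|Jun 29 2011|15:47:54|302013|10.1.1.25|51001|203.0.113.9|443|Built outbound TCP connection 12345 for Outside:203.0.113.9/443 (203.0.113.9/443) to Inside:10.1.1.25/51001 (10.1.1.25/51001)
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    print(f"{report['denials']} denials; {report['stray_acks']} stray ACKs")
    print("non-internal sources on Inside:", ", ".join(report["spoofed_inside"]))
    print("\n".join(report["shun_commands"]))
```

Run against a saved log export instead of the constructed sample by passing `open(path)` to analyze(). On the sample, both 123.123.123.123 and 100.200.100.200 are reported as non-internal sources seen on Inside, which is the strongest signal in the thread: packets with foreign source addresses should never enter on the inside interface, so the fix belongs at the ingress point (uRPF on Inside, or the ISP), and shunning each new address one by one is only a stopgap, as Prapanch notes.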
