Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1571
Views
0
Helpful
2
Replies

Shun configured but not working

spunner
Level 1
Level 1

‎07-27-2018 08:52 AM - edited ‎02-21-2020 08:01 AM

have had scanning threat enabled for years.  New assistant typed "no shun" instead of "clear shun" and now the "show shun" doesn't show anything.  Usually have about 100 in a matter of minutes.  Have turned on and off via GUI and verified the config via CLI.  Attached is screenshot and below is config.  Any help appreciated.

 

ciscoasa-1# sh run | begin shun
threat-detection scanning-threat shun except ip-address 10.1.2.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 10.10.10.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 10.17.4.0 255.255.252.0
threat-detection scanning-threat shun except ip-address 10.200.0.0 255.255.0.0
threat-detection scanning-threat shun except ip-address 10.200.31.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 10.33.2.50 255.255.255.255
threat-detection scanning-threat shun except ip-address 172.16.0.0 255.255.240.0
threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.0.0

Preview file
259 KB
0 Helpful
2 Replies 2

aaron.hackney
Level 1
Level 1

‎07-27-2018 02:38 PM

Hello,

The shun command is used independently of threat-detection. 

 

shuns, when entered manually, are ephemeral and not saved in running-config. So if your shun list has been cleared out, that just means that the ephemeral shun list has been cleared. You would see the same behavior if you rebooted your device.

 

Typically, the way I understand it, shun was designed to be used in this fashion:

 

You are seeing malicious traffic from a source IP, let's say 9.9.9.9. I would normally add this IP to a blacklist, deny ACL on my edge, ingress ACL. However adding the IP to the ACL will not stop any EXISTING sessions previously made by the bad actor. So in addition to the blacklist, we issue a shun, which clears the tcp connection tables and the NAT translation tables for the offending IP address at 9.9.9.9. This way, any previously successful connections by 9.9.9.9 are immediately dropped by the shun. If there were a reboot of the box, even though shun has been cleared, the bad actor at 9.9.9.9 would still not be able to initiate any new connections because our ACL black-list would prevent any new connections.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s15.html

"Because the shun command is used to block attacks dynamically, it is not displayed in the ASA configuration."

 

Hope that helps!

-A

0 Helpful

spunner
Level 1
Level 1
In response to aaron.hackney

‎07-27-2018 04:17 PM

I appreciate your explanation. However, I could type "show shun" and it would give me a list of all IP's that are currently being shunned. I type that in now, and there is no list. Tells me nothing is being shunned. I usually get over 100 on the list within the first couple minutes after doing a clear shun command.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card