spunner
Beginner

Shun configured but not working

I have had scanning threat enabled for years. A new assistant typed "no shun" instead of "clear shun" and now "show shun" doesn't show anything. We usually have about 100 in a matter of minutes. I have turned it on and off via the GUI and verified the config via the CLI. Attached is a screenshot and below is the config. Any help appreciated.


ciscoasa-1# sh run | begin shun
threat-detection scanning-threat shun except ip-address 10.1.2.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 10.10.10.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 10.17.4.0 255.255.252.0
threat-detection scanning-threat shun except ip-address 10.200.0.0 255.255.0.0
threat-detection scanning-threat shun except ip-address 10.200.31.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 10.33.2.50 255.255.255.255
threat-detection scanning-threat shun except ip-address 172.16.0.0 255.255.240.0
threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.0.0
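As an added example (not part of this thread or of any Cisco tool), a small Python script that parses the "except ip-address" lines from the config above and checks which source addresses would be exempt from scanning-threat auto-shun, and flags any exception that is already fully covered by a wider one. It assumes the posted output is the complete exception list.

```python
import ipaddress
import re

# Constructed sample input: the exception lines from the "show run | begin shun"
# output posted above (assumption: that output is the complete list).
SHOW_RUN_SHUN = """\
threat-detection scanning-threat shun except ip-address 10.1.2.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 10.10.10.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 10.17.4.0 255.255.252.0
threat-detection scanning-threat shun except ip-address 10.200.0.0 255.255.0.0
threat-detection scanning-threat shun except ip-address 10.200.31.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 10.33.2.50 255.255.255.255
threat-detection scanning-threat shun except ip-address 172.16.0.0 255.255.240.0
threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.0.0
"""

# Matches one "except ip-address <addr> <mask>" line; other lines are ignored.
EXCEPT_RE = re.compile(
    r"^threat-detection scanning-threat shun except ip-address\s+(\S+)\s+(\S+)$"
)

def parse_shun_exceptions(show_run):
    """Return the exempt networks as IPv4Network objects, in config order."""
    nets = []
    for line in show_run.splitlines():
        m = EXCEPT_RE.match(line.strip())
        if m:
            addr, mask = m.groups()
            # ipaddress accepts a dotted netmask after the slash.
            nets.append(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))
    return nets

def exempting_network(ip, nets):
    """Most specific exception covering ip, or None if ip is eligible for auto-shun."""
    addr = ipaddress.IPv4Address(ip)
    matches = [n for n in nets if addr in n]
    return max(matches, key=lambda n: n.prefixlen) if matches else None

def redundant_exceptions(nets):
    """Pairs (narrow, wide) where narrow is already fully covered by wide."""
    return [(a, b) for a in nets for b in nets if a != b and a.subnet_of(b)]

if __name__ == "__main__":
    nets = parse_shun_exceptions(SHOW_RUN_SHUN)
    for ip in ("10.200.31.7", "10.17.8.1", "9.9.9.9"):
        print(ip, "->", exempting_network(ip, nets))
    for narrow, wide in redundant_exceptions(nets):
        print(f"redundant exception: {narrow} is inside {wide}")
```

Run against the posted config it reports that 10.200.31.0/24 is already inside 10.200.0.0/16, so removing the narrower line does not change which sources are exempt.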

aaron.hackney
Beginner

Hello,

The shun command is used independently of threat-detection. 


Shuns, when entered manually, are ephemeral and not saved in the running-config. So if your shun list has been cleared out, that just means that the ephemeral shun list has been cleared. You would see the same behavior if you rebooted your device.


Typically, the way I understand it, shun was designed to be used in this fashion:


You are seeing malicious traffic from a source IP, let's say 9.9.9.9. I would normally add this IP to a blacklist, a deny ACL on my edge, ingress ACL. However, adding the IP to the ACL will not stop any EXISTING sessions previously made by the bad actor. So in addition to the blacklist, we issue a shun, which clears the TCP connection tables and the NAT translation tables for the offending IP address at 9.9.9.9. This way, any previously successful connections by 9.9.9.9 are immediately dropped by the shun. If there were a reboot of the box, even though the shun has been cleared, the bad actor at 9.9.9.9 would still not be able to initiate any new connections because our ACL blacklist would prevent any new connections.


https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s15.html

"Because the shun command is used to block attacks dynamically, it is not displayed in the ASA configuration."


Hope that helps!

-A

I appreciate your explanation. However, I could type "show shun" and it would give me a list of all IPs that are currently being shunned. I type that in now, and there is no list. It tells me nothing is being shunned. I usually get over 100 on the list within the first couple of minutes after doing a "clear shun" command.