From: Tyson Scott (tscott@ipexpert.com)
Date: Mon Mar 30 2009 - 16:45:55 ART
A lot of the basic threat detection is configured by default. You may not
have configured anything, but if you do a "show run all" you will see what is
on by default. Maybe there was some traffic that was actually causing your
fishy behavior.
Here is the default configuration:
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
Regards,
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: tscott@ipexpert.com
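As an added example, not part of this thread, here is a small Python parser for the %ASA-4-733100 messages Alexei saw. It reads the "max configured rate" values carried in each message and matches them against the defaults listed above, so a log reviewer can tell which rate-interval (600 s or 3600 s) of which category tripped without having level 4 logged verbosely. The bracketed "[ Scanning]" object spelling, the "rate-1" form of rate_ID, the mapping of other objects, and the sample lines are assumptions or constructed; only a subset of the default rates is included.

```python
import re
# Subset of the default basic threat-detection rates from the post above:
# (drop category, rate-interval seconds) -> (average-rate, burst-rate)
DEFAULT_RATES = {
    ("scanning-threat", 600): (5, 10), ("scanning-threat", 3600): (4, 8),
    ("syn-attack", 600): (100, 200), ("syn-attack", 3600): (80, 160),
    ("acl-drop", 600): (400, 800), ("acl-drop", 3600): (320, 640),
}
# Bracketed syslog object -> rate category. "Scanning" is from the thread; other
# objects (an assumption) fall back to their lowercased name.
OBJECT_TO_CATEGORY = {"Scanning": "scanning-threat"}
# Field layout follows the %ASA-4-733100 template quoted in the thread; the
# "[ Scanning]" spelling and the "rate-1" form of rate_ID are assumed.
MSG_RE = re.compile(
    r"%ASA-4-733100: \[\s*(?P<obj>[^\]]+?)\s*\] drop rate[- ]?(?P<rate_id>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<max_burst>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<max_avg>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)

def parse_733100(line):
    """Parse one 733100 message into a dict, or return None if the line is not one."""
    m = MSG_RE.search(line)
    if not m:
        return None
    ev = {k: (v if k == "obj" else int(v)) for k, v in m.groupdict().items()}
    ev["category"] = OBJECT_TO_CATEGORY.get(ev["obj"], ev["obj"].lower())
    # Which rate-interval tripped: the one whose default (avg, burst) pair equals
    # the "max configured" values in the message (None if the rates are not defaults).
    ev["interval"] = next((iv for (c, iv), lim in DEFAULT_RATES.items()
                           if c == ev["category"] and lim == (ev["max_avg"], ev["max_burst"])), None)
    return ev

def summarize(lines):
    """Count events per (category, interval) and record the peak burst rate seen."""
    counts, peak = {}, {}
    for ev in filter(None, map(parse_733100, lines)):
        key = (ev["category"], ev["interval"])
        counts[key] = counts.get(key, 0) + 1
        peak[key] = max(peak.get(key, 0), ev["burst"])
    return counts, peak

# Constructed sample lines modelled on the thread (not real captures).
SAMPLE_LOG = [
    "%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max "
    "configured rate is 10; Current average rate is 10 per second, max configured rate is 5; Cumulative total count is 6000",
    "%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 12 per second, max "
    "configured rate is 8; Current average rate is 6 per second, max configured rate is 4; Cumulative total count is 21600",
    "%ASA-6-302013: Built outbound TCP connection 1 for outside:198.51.100.1/80 (198.51.100.1/80) to inside:10.0.0.5/4321 (203.0.113.2/4321)",
]
```

A flood of scanning-threat hits on both intervals with the shun enabled (as in the defaults above) is worth correlating with any NAT or connectivity outage before assuming a software bug.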
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Farrukh Haroon
Sent: Monday, March 30, 2009 2:36 PM
To: alexeim73@gmail.com
Cc: security@groupstudy.com; Cisco certification
Subject: Re: Fishy ASA dynamic NAT behavior after IP address change
Seems to be related to the (newer) threat detection feature. Most probably a bug.
On Mon, Mar 30, 2009 at 9:08 PM, Alexei Monastyrnyi <alexeim73@gmail.com> wrote:
> Hi.
>
> The log was flooded by %ASA-4-733100 messages, like hundreds of them.
> Unfortunately I don't log level 4 to syslog, so no exact message, just a
> message ID.
>
> "Object" as per the message description in the ASA 8 System Log Messages Guide
> was [Scanning] and "rate_val" was all 10 out of 10.
>
> %ASA-4-733100: Object drop rate rate_ID exceeded. Current burst rate is
> rate_val per second, max configured rate is rate_val; Current average rate
> is rate_val per second, max configured rate is rate_val; Cumulative total
> count is total_cnt
>
> http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4963969
>
> So something of NAT went crossed with security concerns of ASA box. As
> mentioned, after restart all went to normal.
>
> Cheers,
> A.
>
> Farrukh Haroon wrote:
>
>> Any details about this syslog? Can you post one?
>>
>> On Tue, Mar 24, 2009 at 11:10 PM, Alexei Monastyrnyi <alexeim73@gmail.com> wrote:
>>
>> Hi Group.
>>
>> Just wonder if someone has come across this.
>>
>> I was changing IP address on ASA 8.0(4) system which does
>> selective dynamic PAT like below, about 30 such N-pairs.
>> nat (inside) 0 access-list nonat
>> nat (inside) N access-list xyz
>> global (outside) N IP-address/pool
>>
>> After the IP change on the outside interface, the dynamic part of the NAT engine
>> stopped working, and there were a lot of [Scanning] messages of severity
>> 4 in the log. "show xlate" showed only static PAT entries; all
>> traffic which was supposed to get NATted or go via the nonat ACL was
>> just black-holed.
>>
>> shut/no shut on the outside interface didn't do it. The only way I could
>> fix it was by an ASA unit reload.
>>
>> I checked open caveats for 8.0(4) that are open/resolved for higher
>> interim releases, no luck.
>>
>> Shall one expect to restart production systems after an IP address
>> change? Sounds a bit nuts. :-)
>>
>> Hints are appreciated.
>>
>> Cheers,
>> A
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>>
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:08 ART