Re: Fishy ASA dynamic NAT behavior after IP address change

From: Alexei Monastyrnyi (alexeim73@gmail.com)
Date: Tue Mar 31 2009 - 04:38:05 ART


Thanks guys.

I'll give it another try as soon as I get an extra ASA unit off
production. I'll update you as I go.

Cheers,
A.

Tyson Scott wrote:
> A lot of the basic threat detection is configured by default. You may not
> have configured anything but if you do a show run all you will see what is
> on by default. Maybe there was some traffic that was actually causing your
> fishy behavior.
>
> Here is the default configuration
>
> threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
> threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
> threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
> threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
> threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
> threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
> threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
> threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
> threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
> threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
> threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
> threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
> threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
> threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
> threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
> threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
> threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
> threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
> threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
> threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
> threat-detection basic-threat
> threat-detection scanning-threat shun duration 3600
> threat-detection statistics access-list
> no threat-detection statistics tcp-intercept
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
>
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto: tscott@ipexpert.com
>
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Farrukh Haroon
> Sent: Monday, March 30, 2009 2:36 PM
> To: alexeim73@gmail.com
> Cc: security@groupstudy.com; Cisco certification
> Subject: Re: Fishy ASA dynamic NAT behavior after IP address change
>
> Seems to be related to the (newer) threat detection feature. Most probably a
> bug.
>
> On Mon, Mar 30, 2009 at 9:08 PM, Alexei Monastyrnyi
> <alexeim73@gmail.com>wrote:
>
>
>> Hi.
>>
>> The log was flooded by %ASA-4-733100 messages, like hundreds of them.
>> Unfortunately I don't log level 4 to syslog, so no exact message, just a
>> message ID.
>>
>> "Object" as per message description on ASA 8 System Log Messages Guide was
>> [Scanning] and "rate_val" was all 10 out of 10.
>>
>> %ASA-4-733100: Object drop rate rate_ID exceeded. Current burst rate is
>> rate_val per second, max configured rate is rate_val; Current average rate
>> is rate_val per second, max configured rate is rate_val; Cumulative total
>> count is total_cnt
>>
>> http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4963969
>>
>> So something of NAT went crossed with security concerns of ASA box. As
>> mentioned, after restart all went to normal.
>>
>> Cheers,
>> A.
>>
>> Farrukh Haroon wrote:
>>
>>
>>> Any details about this syslog? Can you post one?
>>>
>>> On Tue, Mar 24, 2009 at 11:10 PM, Alexei Monastyrnyi <alexeim73@gmail.com> wrote:
>>>
>>> Hi Group.
>>>
>>> Just wonder if someone has come across this.
>>>
>>> I was changing IP address on ASA 8.0(4) system which does
>>> selective dynamic PAT like below, about 30 such N-pairs.
>>> nat (inside) 0 access-list nonat
>>> nat (inside) N access-list xyz
>>> global (outside) N IP-address/pool
>>>
>>> After IP change on outside interface, dynamic part NAT engine
>>> stopped working. And it was a lot of [Scanning] messages severity
>>> 4 in the log. show xlate showed only static PAT entries, all
>>> traffic which was supposed to get NATted or go via nonat ACL was
>>> just black-holed.
>>>
>>> shut/no shut on outside interface didn't do. The only way I could
>>> fix it is by ASA unit reload.
>>>
>>> I checked open caveats for 8.0(4) which are open/resolved for higher
>>> interim releases, no luck.
>>>
>>> Shall one expect restarting production systems after IP address
>>> change? Sounds a bit nuts. :-)
>>>
>>> Hints are appreciated.
>>>
>>> Cheers,
>>> A
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>

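A defender-side way to make sense of the flood of %ASA-4-733100 messages described in this thread, added here as an example (it is not code from the thread or from Cisco): it parses the default threat-detection rate lines quoted above into a threshold table, then matches each 733100 alert to the configured interval whose maxima it reports and flags the "10 out of 10" saturation case. It assumes the Object is printed in brackets as "[ Scanning]", assumes that Object maps to the scanning-threat rate category, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Default threat-detection rates from the 'show run all' output quoted in the thread.
DEFAULT_RATES_CONFIG = """
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
"""
RATE_LINE = re.compile(
    r"threat-detection rate (\S+) rate-interval (\d+) average-rate (\d+) burst-rate (\d+)")

# %ASA-4-733100 layout from the ASA 8 System Log Messages Guide quoted in the thread;
# the Object is assumed to be printed in brackets, e.g. "[ Scanning]".
MSG_733100 = re.compile(
    r"%ASA-4-733100: \[\s*(?P<obj>[^\]]+?)\s*\] drop rate(?: rate)?-(?P<rid>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)")
OBJECT_TO_CATEGORY = {"scanning": "scanning-threat"}  # assumed Object -> rate category

def parse_rate_config(text):
    """Return {category: {interval_seconds: (average_rate, burst_rate)}}."""
    rates = {}
    for cat, interval, avg, burst in RATE_LINE.findall(text):
        rates.setdefault(cat, {})[int(interval)] = (int(avg), int(burst))
    return rates

def analyze_733100(log_text, rates):
    """Parse 733100 alerts, find the configured interval each one reports, count per category."""
    alerts = []
    for line in log_text.splitlines():
        m = MSG_733100.search(line)
        if not m:
            continue  # other syslog IDs are ignored
        f = {k: int(v) for k, v in m.groupdict().items() if k != "obj"}
        cat = OBJECT_TO_CATEGORY.get(m.group("obj").lower(), m.group("obj").lower())
        f["category"] = cat
        # Interval whose configured (average, burst) pair equals the maxima printed in the alert.
        f["interval"] = next((i for i, ab in rates.get(cat, {}).items()
                              if ab == (f["avg_max"], f["burst_max"])), None)
        f["burst_saturated"] = f["burst"] >= f["burst_max"]  # the "10 out of 10" case
        alerts.append(f)
    return alerts, Counter(a["category"] for a in alerts)

# Constructed sample lines (not log output from the thread); one non-733100 line to skip.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:192.0.2.10/51000 (192.0.2.10/51000)
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3000
%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 9 per second, max configured rate is 8; Current average rate is 4 per second, max configured rate is 4; Cumulative total count is 14400
"""
```

Feeding the table built from a real `show run all` into `analyze_733100` tells you which interval tripped and whether the drop rate is pinned at the configured ceiling, which is the first thing to check before blaming NAT.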



This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:08 ART