ASA shun hosts and QoS
Hi, I'm having trouble configuring threat detection and QoS policies at the same time.
The problem is that if I have QoS rules enabled (policing traffic defined by ACLs), I can't at the same time enable the threat-detection feature "Shun hosts detected by scanning threat", because it shuns the hosts to which the policing is applied.
I suppose this is because the policing is based on hits on ACLs, so the ASA thinks this is an attack.
So, how can I resolve this? How can I have policing and shunning enabled at the same time?
Thanks
Hi,
Weird stuff; one feature doesn't necessarily have anything to do with the other. What scanning threat does is take statistics on a specific host and determine if it is sweeping the network or trying to find out whether a host is there, checking which ports/networks are available. You have to check what factor is causing the shun to be triggered. There are a lot of thresholds on scanning threat detection that you will need to modify if it is causing an issue.
By the thresholds I mean the following table (bulleted drop reasons share one set of settings; each reason has two average-rate intervals, each with its own burst rate):
Packet Drop Reason                                Trigger Settings
                                                  Average Rate                                  Burst Rate
• DoS attack detected                             100 drops/sec over the last 600 seconds.      400 drops/sec over the last 20 second period.
• Bad packet format                               80 drops/sec over the last 3600 seconds.      320 drops/sec over the last 120 second period.
• Connection limits exceeded
• Suspicious ICMP packets detected
Scanning attack detected                          5 drops/sec over the last 600 seconds.        10 drops/sec over the last 20 second period.
                                                  4 drops/sec over the last 3600 seconds.       8 drops/sec over the last 120 second period.
Incomplete session detected, such as TCP SYN      100 drops/sec over the last 600 seconds.      200 drops/sec over the last 20 second period.
attack or no-data UDP session attack (combined)   80 drops/sec over the last 3600 seconds.      160 drops/sec over the last 120 second period.
Denial by access lists                            400 drops/sec over the last 600 seconds.      800 drops/sec over the last 20 second period.
                                                  320 drops/sec over the last 3600 seconds.     640 drops/sec over the last 120 second period.
• Basic firewall checks failed                    400 drops/sec over the last 600 seconds.      1600 drops/sec over the last 20 second period.
• Packets failed application inspection           320 drops/sec over the last 3600 seconds.     1280 drops/sec over the last 120 second period.
Interface overload                                2000 drops/sec over the last 600 seconds.     8000 drops/sec over the last 20 second period.
                                                  1600 drops/sec over the last 3600 seconds.    6400 drops/sec over the last 120 second period.
As you can see in the following document:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html#wp1072953
Scanning threat is based on the threat detection statistics, so you will need to modify those in order to avoid the host being shunned.
That being said, I think if you only enable threat detection alone, it would probably do the same thing as if it was configured in conjunction with QoS.
Bottom line (and sorry for all the info): modify the threat detection rate values and you should be ok.
Mike
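The configuration that Mike's advice implies, written out as an added example (it is not the poster's configuration and is not copied from Cisco's documentation): raise the scanning-threat rate thresholds above the table defaults, exempt the policed hosts from the shun action while keeping them in the statistics, bound the shun duration, and verify with show commands. The object-group name POLICED_HOSTS, the 10.10.20.0/24 subnet, the sample address 10.10.20.15 and the raised rate values are assumptions; the rule that the burst rate is measured over 1/30 of the rate interval (20 s for 600 s, 120 s for 3600 s) is the documented ASA behaviour that the table above reflects.

```cisco
! Added example for the thread above; not the poster's configuration.
! Assumed: object-group POLICED_HOSTS, subnet 10.10.20.0/24 (the hosts the QoS
! policy polices), the raised rate values and the sample host 10.10.20.15.

! Basic threat detection is enabled by default; scanning-threat with shun is
! what ASDM calls "Shun hosts detected by scanning threat".
threat-detection basic-threat
threat-detection scanning-threat shun

! Exempt the policed hosts from the shun action only. They are still tracked
! and still show up in "show threat-detection scanning-threat attacker".
object-group network POLICED_HOSTS
 network-object 10.10.20.0 255.255.255.0
threat-detection scanning-threat shun except object-group POLICED_HOSTS

! Raise the scanning-threat thresholds. Table defaults: 600 s interval with
! 5 average / 10 burst, 3600 s interval with 4 average / 8 burst (drops/sec).
! The burst rate is measured over 1/30 of the interval (20 s and 120 s here),
! so both the average and the burst value must be exceeded to trigger.
threat-detection rate scanning-threat rate-interval 600 average-rate 20 burst-rate 40
threat-detection rate scanning-threat rate-interval 3600 average-rate 16 burst-rate 32

! Bound how long an automatically shunned host stays shunned (seconds).
threat-detection scanning-threat shun duration 600

! Verification: current thresholds, which hosts are being flagged and why,
! and which hosts are currently shunned.
show threat-detection rate scanning-threat
show threat-detection scanning-threat attacker
show threat-detection shun
show shun

! Recovery for a host shunned by mistake before the exemption was in place.
clear threat-detection shun 10.10.20.15
```

Tune the rates after watching "show threat-detection rate scanning-threat" for a while rather than guessing: the current-average and burst columns show how far the policed hosts sit above the defaults, and the exemption means a real scanner inside the policed subnet is still reported even though it is no longer shunned.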
Similar Messages
-
IDS and Shun Host/Shun Connection
Is an alert created when a Shun Connection or Shun Host action conditions are met ?
Thanks and Regards
Marina
There are 2 methods for a Shun (Connection or Host) to be created: manual and automatic.
With a manual shun request, the user requests (through IDM or SecMon) for the sensor to shun a specific address (or connection) for a specific amount of time.
In this case the request is manual and there will not be an alert created. Instead there is a status message that the shun was requested.
With an automatic shun, the user configures the sensor to do an automatic shun (connection or host) when a specific signature is triggered.
If the signature is triggered then the user will see 2 messages created on the sensor. The first is the alert itself, and the second is the shun request that sensorApp generated (that the network access controller process also receives, it is the network access controller that executes the shun).
There are, however, a few caveats to this.
1) If the alert is filtered in the alarm channel then neither the alert nor the shun request will be generated and the host/connection will not be shunned.
2) If the alert is being summarized, then only 1 shun request should be sent for the first alert, BUT there is a known bug on some signatures where the shun request is being sent for every alert within the summary period. So if the summary alert is a summary of 200 alerts, then you would have seen 200 actual shun requests. This is being corrected in a future version. -
Command to see host and static nat for the same object together
I have researched this but cannot find an answer. ASA running version 8.5.
When you create the config using object NAT you enter the commands as follows
object network <object name>
host x.x.x.x
nat (inside,outside) static y.y.y.y
When the config is displayed it separates the host and nat commands in two different sections of the config as follows
object network <object name>
host x.x.x.x
object network <object name>
nat (inside,outside) static y.y.y.y
Is there a command that will display it all together (like it was typed in)? Show NAT is something like what I am after but without all of the extra info such as translate_hits, untranslate_hits etc. I need this information but cleaning up the output of a show nat is going to be tough.
Any suggestions?
Thanks.
Sorry, show nat detail is what I meant in the original post in place of show nat. Show nat detail still has all of the extra info I was trying to avoid. Guess I will be editing a text file.
Thanks for the reply. -
ASA 8.4 and NAT control
For ASA v8.3 and above we don't need to use nat-control; traffic from a high security interface can go to a low security interface without matching NAT statements. So does the ASA automatically NAT the outgoing traffic to the outside interface by default?
For example
ASA inside int---10.1.1.1
outside int---120.11.1.1
when the inside hosts try to go out they will be NATed to 120.11.1.1 by default on version 8.3 and later. Is that right?
Thanks Dan. I should have asked my above question differently; please let me know whether my explanation below is correct or not.
If nat-control is enabled, for the inside hosts (sec level 100, IP 10.x.x.x) to talk to DMZ hosts (sec level 50, IP 192.x.x.x) we need a matching NAT statement like
nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz) 1 interface
For ASA version 8.3 and above, since there is no nat-control, the inside hosts can talk to DMZ hosts without any NAT statement as long as the access-list permits that communication, if there is any. -
ASA DMZ zone and Unix proxy server
Hi.
I have a router where all NAT translation is done. I have an ASA and a core switch.
The 192.168.193.0/24 subnet is where my users and some servers are located. This subnet is created on the core switch.
int vlan 393
ip address 192.168.193.1 255.255.255.0
The core switch is connected to the ASA inside interface. The ASA inside interface IP is 172.30.30.1, and on the core switch side this port is access VLAN 8, which is
int vlan 8
ip address 172.30.30.2
On the core switch I have a default route to the ASA.
ip route 0.0.0.0 0.0.0.0 172.30.30.1
and on the ASA side
route inside 192.168.193.0 255.255.255.0 172.30.30.2
all of them are ok.
i think that is ok.
On the ASA I have a DMZ zone with IP address:
interface Ethernet0/1
description connect to CoreSW
nameif inside
security-level 100
ip address 172.30.30.1 255.255.255.0 standby 172.30.30.3
interface Ethernet0/2
description DMZ zone connect mail server
nameif DMZ
security-level 50
ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2
My proxy server's inside interface is connected to the ASA DMZ zone with IP address 172.16.10.254, and its outside interface is connected to the ASA outside side, meaning it is in the same subnet as the ASA outside interface, with IP 10.0.0.254; for 10.0.0.254 I do static NAT at the router. I have no problem with NAT translation.
I want my 192.168.193.0 subnet to pass through the proxy when this subnet wants to connect to the internet.
i wrote
static (inside,DMZ) 192.168.193.0 192.168.193.0 netmask 255.255.255.0
and access-list
access-list from_dmz_to_in extended permit ip host 172.16.10.254 any
access-group from_dmz_to_in in interface DMZ
At this time what is up?
The users cannot access the internet, so what did I do? I entered the proxy server's inside IP and the default port 3128 in the users' Internet Explorer properties.
Internet Explorer -> Tools -> Properties -> Connection -> LAN settings, and put there 172.16.10.254 and port 3128.
At this time my users connect to the internet when I enter this. When I remove it they cannot connect to the internet.
But I do not want to write anything on my users' machines. How do I solve this?
after that one problem occur.
When my server does an nslookup it does not work.
I think that is expected because we have only one port, 3128, open and my server needs UDP 53, so it cannot work.
How do I solve this issue?
as you see my access-list all of is open and i do
static (inside,DMZ) 192.168.193.0 192.168.193.0 netmask 255.255.255.0
Is this a wrong proxy connection???
Must I change the proxy server's inside interface to another device or another ASA interface?
thanks.
There are 2 ways the proxy server can work, i.e. either transparent or explicit proxy.
From your explanation, explicit proxy works just fine when you configure the proxy settings on your browser.
The reason why transparent proxy does not work is because:
1) When user browser connects to the Internet, the ASA default gateway is via the outside interface, that is why the Internet traffic is not being routed transparently towards your proxy server which is connected to the DMZ interface.
The static NAT statement configured on the ASA does not perform redirection. If you would like to transparently route the internet traffic towards the proxy server on the DMZ, you would need to route the traffic towards the proxy server. With the current topology that you have, it is not achievable on the ASA. The ASA does not support Policy Based Routing, nor does it support WCCP when the user and the proxy server are on different interfaces.
2) Also need to find out if the proxy server itself supports transparent proxy.
Otherwise, since explicit proxy works, why don't you just push the proxy settings to the browser via Active Directory Group Policy? -
ASA policy PAT and src/dst port considerations!!
static (inside,outside) tcp 4.2.2.2 443 10.1.2.3 443 netmask 255.255.255.255
What happens/is translated when a packet comes from the Internet destined for 4.2.2.2 with ..........
A:Src tcp port 1025 and dst tcp port 443
B: Src tcp port 443 and dst tcp port 1025
and, in the reverse direction from 10.1.2.3 back towards the internet
A:Src tcp port 1025 and dst tcp port 443
B: Src tcp port 443 and dst tcp port 1025
Or; does
static (inside,outside) tcp 4.2.2.2 443 10.1.2.3 443 netmask 255.255.255.255 only affect packets with dst tcp port 443
Or, my real question - will this policy NAT handle two way comms and in the manner TCP should work?
What happens/is translated when a packet comes from the Internet destined for 4.2.2.2 with ..........
A) the packet will be redirected to 10.1.2.3 on port 443
B) The packet will be dropped by the ASA as there is no port-forwarding for port 1025 (just for 443)
and, in the reverse direction from 10.1.2.3 back towards the internet
A) Packet from a higher security level to a higher is going to be allowed by default if you have the right translation
B) The ASA will already have an entry in all of its tables for this connection (xlate, local-host and conn table) so the traffic will be allowed without any inspection.
static (inside,outside) tcp 4.2.2.2 443 10.1.2.3 443 netmask 255.255.255.255 only affect packets with dst tcp port 443
Port-forwarding is only for inbound connections; the outgoing packet for the same connection will hit this NAT, but if you start a brand new connection (outbound) you will need a different NAT.
Regards,
Julio
Rate all the helpful posts -
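As an added example (not Julio's configuration and not copied from Cisco documentation), the following shows the question's port-forward in the pre-8.3 syntax used above and in the 8.3+ object NAT syntax that the "Command to see host and static nat" thread above is about, plus packet-tracer runs for inbound cases A and B and for a new outbound connection from the server. 4.2.2.2, 10.1.2.3 and TCP 443 are the question's values; the interface names inside/outside, the 10.1.2.0/24 inside subnet, the object and ACL names, and 198.51.100.7 as a test client on the Internet are assumptions.

```cisco
! Added example for the two NAT threads above; not the posters' configuration.
! Assumed: interface names inside/outside, inside subnet 10.1.2.0/24, the object
! and ACL names, and 198.51.100.7 as an Internet-side test client.
! The pre-8.3 and 8.3+ sections are alternatives: apply one or the other.

! ---- Pre-8.3 syntax (the question's static PAT) ----
! Only the 4.2.2.2:443 -> 10.1.2.3:443 mapping exists; dst port 1025 has no translation.
static (inside,outside) tcp 4.2.2.2 443 10.1.2.3 443 netmask 255.255.255.255
! A brand new outbound connection from 10.1.2.3 needs its own translation.
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 interface
! Pre-8.3 the inbound ACL references the mapped (public) address.
access-list OUTSIDE_IN extended permit tcp any host 4.2.2.2 eq 443
access-group OUTSIDE_IN in interface outside

! ---- 8.3+ equivalent (object NAT, the form shown in the "show nat" thread) ----
object network WEB_SERVER
 host 10.1.2.3
 nat (inside,outside) static 4.2.2.2 service tcp 443 443
object network INSIDE_NET
 subnet 10.1.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
! From 8.3 the inbound ACL references the real (inside) address.
access-list OUTSIDE_IN extended permit tcp any host 10.1.2.3 eq 443
access-group OUTSIDE_IN in interface outside

! ---- Verification ----
! packet-tracer input <ifc> tcp <src ip> <src port> <dst ip> <dst port>
! Case A, inbound, dst 443: expect a NAT phase to 10.1.2.3 and Action: allow.
packet-tracer input outside tcp 198.51.100.7 1025 4.2.2.2 443
! Case B, inbound, dst 1025: expect Action: drop (no translation or ACL permit for 1025).
packet-tracer input outside tcp 198.51.100.7 443 4.2.2.2 1025
! New outbound connection from the server: expect the dynamic PAT, not the static entry.
packet-tracer input inside tcp 10.1.2.3 1025 198.51.100.7 443
! Existing translations and connections for the server.
show xlate
show conn address 10.1.2.3
```

The ACL difference is the part that bites during an 8.2 to 8.3+ upgrade: an inbound rule still written against the public address silently stops matching, so the packet-tracer run for case A is the quickest way to confirm both the translation and the permit are being hit.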
Using Host and FPGA.vi in Teststand
Does anyone know how to use the Host and FPGA vi's in Teststand?? A National App Engr told me I have to call the Project that the vi is in to get all the functionality of the FPGA. How do you call a Project in Teststand??
Thanks
Ensure you are using TestStand version 2010 or above. Create a new instance of a sequence and add a LabVIEW action step to it. Go to the Module panel and browse for a LabVIEW project as displayed below.
-
Hi - I would like to build logic that accommodates communication redundancy using serial RS-232 for data transfer between host and RT, irrespective of TCP/IP data transfer.
I want to do data transfer between host and RT through an RS-232 VISA port whenever the TCP/IP Ethernet cable has been unplugged from the controller. It should continuously keep checking for the TCP/IP link being re-established as well, and whenever the TCP/IP link is established again the communication should use that link only. This is accomplished by deploying the RT VI as an executable file. I made some logic regarding the above, but it was not working as well as I expected.
I request you to go through the attached two VI's and let me know , what I did wrong in that,
Please do the needful.
Attachments:
TCP_Serial_Host.vi 33 KB
TCP_Serial_RT.vi 41 KB
Even I am new to this topic and I am trying to get familiar with these protocols.
Refer to the TCP server/client examples in the LabVIEW examples -
Sending email to 10,000 addresses without knowing Host and Protocols!!
Context:
I am building an "eMail Marketing Campaign" application which takes a list of email addresses (unlimited) and sends an eMail to all of them.
My servlet creates an instance of "MyMailHandler.java/class" and passes a list of addresses.
Problem:
If I want to send email to different users, do I need to know about everyone's HOST and PROTOCOL? My application receives a list of addresses from a remote server of a data-selling company, so they don't have that info.
Following is the code (hardCode!) of MyMailHandler.
properties.put("mail.smtp.host", "MAIL.DMCDATABASE.COM");
properties.put("mail.transport.protocol", "IMAP");
Question:
How do I send emails to receivers without knowing everyone's host and protocol?????? (new to JavaMail)
No, you only need to know the name of your own mail host. It will send the e-mails to those 10,000 addresses for you. And the protocol for sending mail is SMTP, that's all you need to know to send mail. IMAP and POP are protocols for storing received mail messages and so are not relevant to your task.
-
How do I change an IP address of SQL Server which is locally hosted and is not on cluster?
Hi All,
How do I change an IP address of SQL Server which is locally hosted and is not on cluster?
I am asking about IP for SQL Server, is there a way we can assign a different IP to SQL Server other than the server's(host) IP address? like the same what we do in a clustered env.
aa
Full explanation can be seen here:
SQL Server: Configure Listening IP, Port, and Named pipe
http://ariely.info/Blog/tabid/83/EntryId/151/SQL-Server-Configure-Listening-IP-Port-and-Named-pipe.aspx
-
I had an iPhone 3G and I changed it to an iPhone 4G 32GB! I have 3 Apple ID accounts. The one I used is <edited by host> and I know my password but it asks me for my security question and I forgot it! It sends a verify email with the answer to <edited by host>, and the email <edited by host> is my other Apple ID; the password works on Apple, but for my Yahoo account I forgot my password and security question and it won't verify to my email on my Apple email. So it sends the answer to <edited by host> and I can't get it! So can you do something? Both accounts are also on my iCloud. I can open both Apple accounts but it won't let me buy anything on my <edited by host>! On my <edited by host>, that one does let me buy things, but I had a lot of things I bought on <edited by host>; I bought lots of movies, music and apps. I spent a lot of money on this account.
It's a really bad idea to post your email addresses - it's an invitation to spam - and I've asked the Hosts to remove them.
This is a user-to-user forum and no-one on here can take any direct action. If your Yahoo address is not working that's something you would need to take up with Yahoo - have you checked it by sending yourself an email to it?
Otherwise you will need to contact Support: go to https://expresslane.apple.com/ and click on 'iTunes' in the center column and then 'iTunes Store' in the right-hand column and proceed from there. -
Following the book in chapter 2 I think I've followed everything correctly, but I have included all the things I've edited below.
I was using WAMP with no problems, but after trying to set up a virtual host and now using XAMPP I'm a bit lost. It's probably something stupid but I can't find the problem.
(This post is a bit long and dragged out so I used some colour to try to ease the reading..)
When I try to view a dynamic page in live view or in firefox I get the following error:
**when using:
<VirtualHost *:80>
DocumentRoot c:/xampp/htdocs
ServerName localhost
</VirtualHost>
result:
Access forbidden!
You don't have permission to access the requested object. It is either read-protected or not readable by the server.
If you think this is a server error, please contact the webmaster.
Error 403
thegoodlife
2009/10/13 12:47:48 PM
Apache/2.2.12 (Win32) DAV/2 mod_ssl/2.2.12 OpenSSL/0.9.8k mod_autoindex_color PHP/5.3.0 mod_perl/2.0.4 Perl/v5.10.0
*when using:
<VirtualHost *:80>
DocumentRoot c:/htdocs
ServerName localhost
</VirtualHost>
result:
Object not found!
The requested URL was not found on this server. If you entered the URL manually please check your spelling and try again.
If you think this is a server error, please contact the webmaster.
Error 404
thegoodlife
2009/10/13 12:32:58 PM
Apache/2.2.12 (Win32) DAV/2 mod_ssl/2.2.12 OpenSSL/0.9.8k mod_autoindex_color PHP/5.3.0 mod_perl/2.0.4 Perl/v5.10.0
This is what I've done, blue indicating where I have or was meant to edit, red being the relevant context. (hope it helps)
1. Created a new folder called htdocs (C:\htdocs)
2. Changed the pathname to:
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
DocumentRoot "C:/htdocs"
and
# This should be changed to whatever you set DocumentRoot to.
<Directory "C:/htdocs">
3. Created vhosts folder; with a sub-folder called thegoodlife (C:\vhosts)
4. entered new vhost:
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
127.0.0.1 dwcs4
127.0.0.1 thegoodlife
127.0.0.1 bin.errorprotector.com ## added by CiD
5. It says uncomment the command by removing the # (Supplemental configuration), but this is the original file; already uncommented?
# Real-time info on requests and configuration
Include "conf/extra/httpd-info.conf"
# Virtual hosts
Include "conf/extra/httpd-vhosts.conf"
# Distributed authoring and versioning (WebDAV)
Include "conf/extra/httpd-dav.conf"
6. Set the permissions and changed the code as instructed, using (c:/xampp/htdocs) as advised.
# You may use the command line option '-S' to verify your virtual host
# configuration.
<Directory C:/vhosts>
Order Deny,Allow
Allow from all
</Directory>
# Use name-based virtual hosting.
##NameVirtualHost *:80
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
<VirtualHost *:80>
DocumentRoot c:/xampp/htdocs
ServerName localhost
</VirtualHost>
<VirtualHost *:80>
DocumentRoot c:/vhosts/dwcs4
ServerName dwcs4
</VirtualHost>
<VirtualHost *:80>
DocumentRoot c:/vhosts/thegoodlife
ServerName thegoodlife
</VirtualHost>
Then creating the site definition:
local root folder: C:\htdocs\thegoodlife\
testing server folder: C:\vhosts\thegoodlife\
URL prefix: http://thegoodlife/
hope I've covered all areas where I could have gone wrong
Just one more thing - the description of what I did while the first Kernel appeared:
Happened 2 days ago. Wasn't turning it off for like a day, only sleep mode by closing it. Worked fine all day, wasn't doing anything, except for checking mail 2-3 times and having windows 7 virtual machine opened but doing nothing, everything was going fine. Then closed it without turning off.
Opened 3-4 hours later, everything was working fine for 30 minutes of checking mail, then the Kernel appeared. After that pretty much everything I did is described in parts 1-5.
Note: all the time the MBP was connected to the internet via wifi, so updates to both the MBP and the virtual machine of all programs were possible.
I only shared the downloads and desktop folders, so Windows couldn't have access to the system folder of Mac OS.
Hope this might help...
Thanks again. -
What is required in the HOST and QUEUE field when setting a WIFI printer?
Hi
When setting up my printer, I fill in the options identical to what follows:
PRINTER: SAMSUNG HOME
DRIVER: GENERAL
BEARER: LPR <-----------------------------( NOT SURE IF IT IS THE CORRECT OPTION TO SELECT )
The following fields appear once LPR is selected:
ACCESS POINT: HOME
HOST: WHAT COMES HERE?
USER: SKY00BER
QUEUE: WHAT COMES HERE?
ORIENTATION: PORTRAIT
PAPER SIZE: A4
If it helps, my printer is a SAMSUNG CLX-3175FW. It is Wifi enabled and is connected to my HOME access point.
Please do correct me if there have to be changes to the BEARER or anything else.
I could really use some help.
Thanks in advance.
HELP URGENTLY NEEDED!
I'm not sure but I'll give it a try. Turn your security (WPA/WEP) and firewall temporarily off. HOST is the IP address of the printer. QUEUE can be YES or a specific amount of prints, like 1,2,3......
If I look at the manual of your printer I see that you can find the IP and MAC addresses in the Network Configuration Report. I don't know what the USER is doing there, because if there is a user then there must be a password.
-
How to change Host and domain name on APS 10g R2
Hi,
I have installed oracle application server 10g rel.2 I want to change the host and domain of the system, what should I do, Plz help.
Thanks and Regards.
Khawar
Hi,
Thanks to all of you for replying. I started without reading any manual to modify the host and domain name, and after spending several hours I finally decided to reinstall APS. With the new installation, Forms is running ok but the Report Server is having a problem: if you see the status of the Report Server in Enterprise Manager it shows a green mark (if you want to stop it via EM it will not), but if you check with Report Queue Manager it says there is no report server with the given name,
and if you check the report with GETSERVERINFO via browser it says
"REP-51002 Bind to report server AAAAA failed."
Does someone have an idea? Someone please explain to me how I can fix it.
Thanks and Regards.
Khawar -
How to change Host directory location?(Problems with host and ed)
Hi, I'm having a problem with the commands Host and Ed. The problem is that when I run them they send back an error saying
SQL>host
/bin/gnome-terminal: No such file or directory
or
SQL> ed
Wrote file /home/joe/Documents/editfile.sql
/bin/gnome-terminal: No such file or directory
The problem is that /bin/gnome-terminal is not the correct location for my terminal directory; /usr/bin/gnome-terminal is. Are there any suggestions how I can change it? I'm running SQL*Plus 11.2.0.1.0 and I'm using elementary OS (made from Ubuntu). Let me know if there is any other information needed to help fix this.
This is not a SQL or PL/SQL language question and thus off topic. As it is Linux O/S related, I think it is better suited for the Oracle Linux forum space.
My guess is, from the little info posted, that your TERM environment variable is not correctly set.