Configuring the fragment size, Blocking unwanted connections – Cisco ASA 5505 User Manual

Page 1208

Advertising
background image

57-2

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 57 Using Protection Tools

Configuring the Fragment Size

Configuring the Fragment Size

By default, the ASA allows up to 24 fragments per IP packet, and up to 200 fragments awaiting
reassembly. You might need to let fragments on your network if you have an application that routinely
fragments packets, such as NFS over UDP. However, if you do not have an application that fragments
traffic, we recommend that you do not allow fragments through the ASA. Fragmented packets are often
used as DoS attacks.

To set disallow fragments, enter the following command:

hostname(config)# fragment chain 1 [interface_name]

Enter an interface name if you want to prevent fragmentation on a specific interface. By default, this
command applies to all interfaces.

Blocking Unwanted Connections

If you know that a host is attempting to attack your network (for example, syslog messages show an
attack), then you can block (or shun) connections based on the source IP address. All existing
connections and new connections are blocked until you remove the shun.

Note

If you have an IPS that monitors traffic, such as an AIP SSM, then the IPS can shun connections
automatically.

To shun a connection manually, perform the following steps:

Step 1

If necessary, view information about the connection by entering the following command:

hostname# show conn

The ASA shows information about each connection, such as the following:

TCP out 64.101.68.161:4300 in 10.86.194.60:23 idle 0:00:00 bytes 1297 flags UIO

Step 2

To shun connections from the source IP address, enter the following command:

hostname(config)# shun src_ip [dst_ip src_port dest_port [protocol]] [vlan vlan_id]

If you enter only the source IP address, then all future connections are shunned; existing connections
remain active.

To drop an existing connection, as well as blocking future connections from the source IP address, enter
the destination IP address, source and destination ports, and the protocol. By default, the protocol is 0
for IP. Note that specifying the additional parameters is a convenient way to also drop a specific current
connection; the shun, however, remains in place for all future connections from the source IP address,
regardless of destination parameters.

For multiple context mode, you can enter this command in the admin context, and by specifying a
VLAN ID that is assigned to an interface in other contexts, you can shun the connection in other
contexts.

Step 3

To remove the shun, enter the following command:

hostname(config)# no shun src_ip [vlan vlan_id]

Advertising