Cisco ASA 5505: block random people trying to log in remotely via telnet, FTP, and SSL?

Posted on 2009-12-21
Last Modified: 2012-05-08

I am very new to the ASA 5505. I have people who appear to be attempting to log in, but keep getting denied. They are spiking the CPU of the ASA to 60%. The Source IP appears to change and they are trying to connect via telnet, ftp, SSL, etc. Can you walk me through step by step what to do to stop this?

This appears to have happened several times a day for small bursts of 5 minutes. The log filled up and overwrote all the information. Then the attempted logins stopped. When I see another attempt then I can post it.

I only have configured the device using the Cisco ASDM 5.2 for ASA.

The device is used for a site-to-site VPN for backups and for the Cisco Web SSL VPN (1 user).

Question by: First Last
    LVL 13

    Expert Comment

    You can and should set up a log server so that the ASA will write its logs to the log server. This has several advantages:

    A log server has a lot of disk space to hold log events for a much longer time.

    In case someone hacks into your ASA, the hacker can erase the ASA's log entries but is not able to do so unless the hacker also hacks into the log server.

    There is a lot of software that can analyze log server entries, which cannot be done when the log entries are on the ASA.

    To do that, you can download syslog server software from the web. I use the one from
    but there are many on the web.

    Configure the ASA:
    logging enable
    logging host interface_name ip_address_of_syslog_server
    logging trap severity_level
    logging facility number

    where ip_address_of_syslog_server is the IP address of the syslog server you just set up,
    interface_name is the interface which connects to the syslog server,
    severity_level is the level of detail you want, and
    number is the syslog facility number so that you can find the entries more easily later.

    LVL 7

    Accepted Solution

    To stop these denied attempts from hogging your memory / cpu and bogging down your firewall, use the shun command.  You do this from global mode, not config mode, mind you (i.e. do not do "config t" first).  The command is just

    shun ip address <enter>.  So, if you're getting the IP trying to hit your firewall, and you want it to stop, do this:

    asa# shun <enter>

    This will cause the firewall to arbitrarily drop all packets from this IP without checking its local auth database, looking for certs, etc.  They'll no longer have any impact on your firewall at all.  --TX
    LVL 1

    Author Closing Comment

    by:First Last
    This is exactly what I was looking for. Worked well!
    LVL 1

    Author Comment

    by:First Last
    All I had to do was enter enable mode, type in shun and it returned the word Successful! I'm using the ASDM GUI and my CPU load went from 20+ percent down to 8%. I use this connection solely for backup of servers across a site-to-site VPN on FiOS. I tested the backups to make sure they still work, because I wasn't sure if the IP was something needed. They still work. The syslog messages are now clean too. Thank you Texas Billy!

    FYI, the errors I was getting in the syslog every second before the shun command were as follows:

    IP=, Removing peer from peer table failed, no match!
    IP=, Error processing payload: Payload ID 1
    LVL 7

    Expert Comment

    If you were getting those errors, that was a remote host that was trying to build a VPN tunnel to your firewall.  Probably not anything malicious, just someone out there that had a typo in their remote VPN peer, and they were pointing at you instead of at their host.  Most likely that's it, anyway.  Glad it's working.  --TX
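Tying the three answers together (ship the ASA's syslog to a log server, identify which source is hammering the IKE peer table, then shun it from the exec prompt), here is an added example that is not part of the thread and not Cisco's code: a small Python script that scans syslog lines for the two messages the asker saw, reports sources that produce them in bursts, and prints the matching shun commands. The sample lines, host name, message IDs and addresses are constructed for the example; the allow list is there so that your real site-to-site VPN peer is never proposed for shunning.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in ASA syslog format; the message IDs, host name
# and addresses are illustrative, not taken from the thread above.
SAMPLE_LOG = """\
Dec 21 2009 09:14:01 asa %ASA-3-713902: IP = 203.0.113.7, Removing peer from peer table failed, no match!
Dec 21 2009 09:14:01 asa %ASA-3-713048: IP = 203.0.113.7, Error processing payload: Payload ID 1
Dec 21 2009 09:14:02 asa %ASA-3-713902: IP = 203.0.113.7, Removing peer from peer table failed, no match!
Dec 21 2009 09:14:02 asa %ASA-3-713048: IP = 203.0.113.7, Error processing payload: Payload ID 1
Dec 21 2009 09:14:03 asa %ASA-3-713902: IP = 203.0.113.7, Removing peer from peer table failed, no match!
Dec 21 2009 09:14:05 asa %ASA-3-713902: IP = 198.51.100.9, Removing peer from peer table failed, no match!
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-\d+: "
    r"(?:.*?IP = (?P<ip>\d+\.\d+\.\d+\.\d+), )?(?P<msg>.*)$"
)
# The two message texts the asker saw every second before shunning.
IKE_PEER_ERRORS = ("Removing peer from peer table failed",
                   "Error processing payload")

def parse(log):
    """Yield (timestamp, source_ip, message) for lines that carry an IP."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("ip"):
            ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
            yield ts, m.group("ip"), m.group("msg")

def noisy_peers(log, threshold=3, window_s=300, allow=()):
    """Map source IP -> total IKE peer errors for sources that produced at least
    `threshold` such errors inside any `window_s`-second window; skip `allow`."""
    stamps = defaultdict(list)
    for ts, ip, msg in parse(log):
        if ip not in allow and msg.startswith(IKE_PEER_ERRORS):
            stamps[ip].append(ts)
    hits = {}
    for ip, times in stamps.items():
        times.sort()
        burst = any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
                    for i in range(len(times) - threshold + 1))
        if burst:
            hits[ip] = len(times)
    return hits

def shun_commands(hits):
    """Commands for the asa# exec prompt (not config mode), one per source."""
    return [f"shun {ip}" for ip in sorted(hits)]
```

Run it against the file your syslog server writes (for example `noisy_peers(open("asa.log").read(), allow={"<your VPN peer IP>"})`) and review the list before pasting anything into the ASA, since a shun also removes any existing connections from that address.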
