Yuri Slobodyanyuk Blog on Information Security, 12 September 2024
Finding the station/IP using/abusing most of the bandwidth – PIX/ASA

 

This article gives newcomers to the department a method for troubleshooting network problems on a PIX, applicable to an ASA in most cases: checking the device state, analysing traffic, and finding the IPs that are abusing resources.

🧐 Knowing the current state of the PIX matters: a large number of connections consumes a lot of memory and can slow processing or cause a crash. Memory usage can be checked with a command such as `Mambo# show memory`.

📋 The PIX is a NAT machine: every connection passes through NAT translation, which creates an xlate entry and a conn entry. Their counts can be viewed with commands such as `Mambo# show xlate count` and `Mambo# show conn count`.

🌐 `Mambo# show traffic` shows which interface carries more traffic, to learn which side of the PIX is under attack. `Mambo# show local-host | incl host|count|embryonic` finds the IPs that are abusing resources.

🛡️ To temporarily block a station so that it cannot create new connections and its existing connections are dropped, use a command such as `Mambo# shun 10.10.1.19`.

Here is a short how-to I wrote some (well, long) time ago for the newcomers to our department. It was written for the PIX, but applies to the ASA as well in most cases; see the ASA notes for the differences.

Usually it starts with a client complaining about slow internet, or users that already work in the net are OK but new ones can't connect; sometimes the PIX crashes periodically (depends on the case, every few hours); seldom, but it happens, the client directly asks which station in the LAN is bombing the PIX with connections.

Here are the steps to try to see what is going on:

1) Always worth knowing the current state of the PIX: lots of connections consume lots of memory, and this after all causes crashes or slowness of processing.

```
Mambo# show memory

Free memory:        42557840 bytes
Used memory:        24551024 bytes
-------------     ----------------
Total memory:       67108864 bytes
```

2) As you may know, the PIX is a NAT machine: every connection (outbound or inbound) should pass NAT translation, and every connection creates an xlate entry (in IOS it is called the NAT table). (ASA note: you may disable NAT, not to say it may work in transparent mode.)

```
Mambo# show xlate count

1613 in use, 5246 most used
```

In an abused PIX you would see tens of thousands of xlate entries, e.g. 55550. Beyond the xlate entry, every connection creates a conn entry in PIX memory to enable stateful inspection; to see their count use:

```
Mambo# show conn count

5271 in use, 34824 most used
```

3) The next command shows on which interface there is more traffic, to know which side of the PIX is being attacked:

```
Mambo# show traffic

outside:
        received (in 980818.730 secs):
                1113941822 packets      498552059 bytes
                1004 pkts/sec   0 bytes/sec
        transmitted (in 980818.730 secs):
                1170564303 packets      2054434346 bytes
                1000 pkts/sec   2002 bytes/sec
inside:
        received (in 980818.730 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 980818.730 secs):
                76 packets      4560 bytes
                0 pkts/sec      0 bytes/sec
dmz:
        received (in 980818.730 secs):
                186616723 packets       3287127501 bytes
                1 pkts/sec      3001 bytes/sec
        transmitted (in 980818.730 secs):
                196403614 packets       1465915834 bytes
```

4) Now the main part: how to find out which IP is abusing the resources.

```
Mambo# show local-host | incl host|count|embryonic

local host: <10.10.1.142>, conn(s)/limit = 0/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.53>, conn(s)/limit = 106/0
            embryonic(s)/limit = 106/0, incomplete(s) = 0
local host: <10.10.1.205>, conn(s)/limit = 14/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.191>, conn(s)/limit = 4/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.193>, conn(s)/limit = 4/0
            embryonic(s)/limit = 1/0, incomplete(s) = 0
...................................................................................
local host: <10.10.1.36>, conn(s)/limit = 22/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.180>, conn(s)/limit = 1/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
```

Legend:
local host: local IP of the station in the LAN
conn(s)/limit: number of conn entries (connections) for this IP and the limit configured for it (0 means no limit)
embryonic(s)/limit: number of embryonic (half-open) connections for this IP and their limit (0 means no limit)
Looking at this output we can easily find the station with the most connections. Next, to get more info (if needed):

```
Mambo# sh local-host 10.10.1.19

Interface Inside: 73 active, 96 maximum active, 0 denied
local host: <10.10.1.19>, conn(s)/limit = 105/0
            embryonic(s)/limit = 45/0, incomplete(s) = 0
  AAA:
  Xlate(s):
    PAT Global 216.163.137.3(40901) Local 10.10.1.19(3653)
    PAT Global 216.163.137.3(30938) Local 10.10.1.19(1439)
    PAT Global 216.163.137.3(61195) Local 10.10.1.19(3815)
    PAT Global 216.163.137.3(39325) Local 10.10.1.19(2387)
    PAT Global 216.163.137.3(12515) Local 10.10.1.19(1043)
    PAT Global 216.163.137.3(21891) Local 10.10.1.19(2368)
    .......................................................
    PAT Global 216.163.137.3(64086) Local 10.10.1.19(4928)
```

NOTE: here 216.163.137.3 is the IP of the outside interface of the PIX.

5) To temporarily block some station so that it cannot create new connections and its existing ones are deleted. This block is active until the next reboot (a shun is dynamic state, not part of the saved configuration).

```
Mambo# shun 10.10.1.19
```

To see active shuns:

```
Mambo# show shun
```

To disable the shun:

```
Mambo# no shun 10.10.1.19
```
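In practice `show local-host` prints one pair of lines per LAN host, and on a busy PIX that is hundreds of hosts to eyeball. The script below is an added example (it is not part of the original post and not a Cisco tool): it parses output in the format shown above, ranks hosts by active and embryonic connections, flags the ones whose connections are mostly half-open (the SYN-flood or scanner pattern, where `embryonic(s)` approaches `conn(s)`), and prints the matching `shun` commands for review. The sample output is constructed from the figures in the post, and the `min_conns` / `min_embryonic_ratio` thresholds are assumptions to tune per site.

```python
"""Rank PIX/ASA `show local-host` output by connection load.

Added example, not from the original post. Parses the text printed by
`show local-host | incl host|count|embryonic` and sorts LAN hosts by
active and embryonic (half-open) connections.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the same layout as the PIX output (the elision
# line of dots from the real output is omitted; the parser ignores it anyway).
SAMPLE_OUTPUT = """\
local host: <10.10.1.142>, conn(s)/limit = 0/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.53>, conn(s)/limit = 106/0
            embryonic(s)/limit = 106/0, incomplete(s) = 0
local host: <10.10.1.205>, conn(s)/limit = 14/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.191>, conn(s)/limit = 4/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.193>, conn(s)/limit = 4/0
            embryonic(s)/limit = 1/0, incomplete(s) = 0
local host: <10.10.1.36>, conn(s)/limit = 22/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.180>, conn(s)/limit = 1/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
"""

# First line of each host record: IP, conn count, conn limit (0 = no limit).
HOST_RE = re.compile(r"local host:\s*<([\d.]+)>,\s*conn\(s\)/limit\s*=\s*(\d+)/(\d+)")
# Second line: embryonic (half-open) count and its limit (0 = no limit).
EMB_RE = re.compile(r"embryonic\(s\)/limit\s*=\s*(\d+)/(\d+)")


@dataclass
class HostStats:
    ip: str
    conns: int
    conn_limit: int
    embryonic: int
    embryonic_limit: int

    @property
    def embryonic_ratio(self) -> float:
        """Share of this host's connections that never completed the handshake."""
        return self.embryonic / self.conns if self.conns else 0.0


def parse_local_hosts(text: str) -> list[HostStats]:
    """Turn the two-line-per-host output into HostStats records."""
    hosts: list[HostStats] = []
    current: HostStats | None = None
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if m:
            current = HostStats(m.group(1), int(m.group(2)), int(m.group(3)), 0, 0)
            hosts.append(current)
            continue
        m = EMB_RE.search(line)
        if m and current is not None:
            current.embryonic = int(m.group(1))
            current.embryonic_limit = int(m.group(2))
    return hosts


def rank_hosts(text: str) -> list[HostStats]:
    """Busiest host first; ties broken by embryonic count."""
    return sorted(parse_local_hosts(text), key=lambda h: (h.conns, h.embryonic), reverse=True)


def suspicious_hosts(text: str, min_conns: int = 50, min_embryonic_ratio: float = 0.5) -> list[HostStats]:
    """Hosts holding many connections of which at least half are half-open.

    Thresholds are assumptions for illustration; a file server doing 60
    legitimate sessions has a ratio near 0 and is not flagged.
    """
    return [h for h in rank_hosts(text)
            if h.conns >= min_conns and h.embryonic_ratio >= min_embryonic_ratio]


def shun_commands(hosts: list[HostStats]) -> list[str]:
    """PIX/ASA commands an operator would review before pasting in."""
    return [f"shun {h.ip}" for h in hosts]


if __name__ == "__main__":
    for h in rank_hosts(SAMPLE_OUTPUT)[:5]:
        print(f"{h.ip:16} conns={h.conns:4} embryonic={h.embryonic:4} ratio={h.embryonic_ratio:.2f}")
    print("\n".join(shun_commands(suspicious_hosts(SAMPLE_OUTPUT))))
```

Feed it a capture of the real command (`ssh pix 'show local-host' > hosts.txt`, then `parse_local_hosts(open('hosts.txt').read())`) rather than the sample. Ranking by raw `conn(s)` answers the "who is using the line" question; the embryonic ratio separates a host that is genuinely busy from one that is flooding SYNs, and is the better trigger for a `shun`.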
Personal NOTE: Such a call is a sure sign of unordered network administration. And it always starts with the key phrase: "Your line is down, we have no Internet". On my answer, after I look at the MRTG graphs of the client line and see 100% usage, that "Of course, you are using up all your bandwidth", they reply "It is impossible, can you tell me who is abusing the line?" While I may spend 10 mins explaining to this sysadmin that a PIX/ASA/etc. is not a statistics/monitoring device and other solutions exist for that and MRTG is free etc., I usually give up on them, save myself 10 mins of my time and just give them what they want. In the next post I will write about doing the same on a Cisco router.

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.
