Tow ASA-5520 problem

Unanswered Question
Nov 1st, 2007
User Badges:

Hi all team :

I have two ASA connected together one with IPS module and the another with AntiX module, the inside interface of the first one is connected to the outside of second one

The first one have default route to the ISP “internet” and the second have default route to the first one , I don't do static in the first one coz all IP are public and I run ver 7.2 on both ASA so all my ASA will work like a router , well my problem is the second ASA can not get access to the internet , when I open the logging in the first ASA I can see that the first ASA deny the second ASA by saying :

“%ASA-2-106017: Deny IP due to Land Attack from xx.xx.xx.66 to xx.xx.xx.66”

When I remove the second one and but my lap top with the same IP address I can connect to the internet but when I but the second ASA I can not, so I know there is a special configuration when you connect two ASA to work together.

So can any one help please?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
msosabar Fri, 11/02/2007 - 08:53
User Badges:


I tried to go trough the configurations but without IP addresses is difficult.

The syslog message 2-106017 means that The security appliance received a packet with the IP source address equal to the IP destination, and the destination port equal to the source port. This message indicates a spoofed packet that is designed to attack systems, please confirm that you don't have same IP addresses on the Firewalls and also include a permit icmp any any on line 1 of the access-list OUTSIDE_IN in the first ASA and then try to ping first the outside interface of the Secondary PIX, if that works, then try to ping and turn on debug icmp trace on both firewalls and look at the output.

emad.silicon Sat, 11/03/2007 - 03:30
User Badges:

Hi Freind:

first of all thank you for your car and help

then I know what the message 2-106017 mean but i want to inform you that the IP i get in this message was the IP of secoand ASA-AntiX

so i know there is no spoof attack it just false positive alarm. But about the real IP address I can not give it ,you know friend there is so many People reading the site so I can not post my rewal IP even if I was secure my network very well. what ever thanx for your help friend.

excession Sun, 11/04/2007 - 12:40
User Badges:

Hi Emad,

I recommend using "packet-tracer" to trace a packet going through the ASA-AntiX, This will help by tracing what happens to the packet when it goes though the ASA.

I agree that without IP addresses this is hard to troubleshoot. Using "packet-tracer" may help you see the problem from your end. Details on this command may be found using command lookup tool.*%22&Paging=25&ActionType=getCommandList&Bookmark=True

The example given in the command reference is hostname# packet-tracer input inside tcp www aol detailed

You will need to use something similar but replace IPs and specify the type of traffic you are experiencing problems with.

Let me know how you get on.


This Discussion