Possible VPN-related Attack on ASA?

c0ldshadow
Level 1

I have an ASA 5505 firewall that is doing one site to site VPN.

I saw some weird stuff in the logs regarding an IP address not associated with the VPN on either side:

4 Sep 27 2009 19:19:45 713903 IP = 71.201.76.x, Header invalid, missing SA payload! (next payload = 133)

3 Sep 27 2009 19:19:45 713048 IP = 71.201.76.x, Error processing payload: Payload ID: 1

3 Sep 27 2009 19:19:45 713902 IP = 71.201.76.x, Removing peer from peer table failed, no match!

4 Sep 27 2009 19:19:45 713903 IP = 71.201.76.x, Error: Unable to remove PeerTblEntry

Is this some type of attack? If so, could this be stopped with an ACL regarding the specific host allowed to hit port 500 UDP (isakmp) on the outside interface?

For example:

access-list 103 permit udp host TheOnlyVPNPeerAllowed interface outside eq 500 log ?

Please advise.

Thanks for any help!

3 Replies

Yudong Wu
Level 7

Not sure if it is an attack. If you see a lot of those messages, it could be.

If you would like to use ACL to lock down your VPN session, you need:

1. no sysopt connection permit-vpn

2. Add the related ACL entries to permit IKE, ESP and the traffic between the two sites.

Please refer to command reference

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1198155

Hi kwu2,

I suspected it was an attack because I know nothing about the IP address in the logs.

I added the no sysopt conn permit-vpn command, and this to the bottom of my ACL:

access-list 101 line 8 extended permit udp host ThePublicIPofPEER interface outside eq isakmp log informational interval 300 (hitcnt=0)

access-list 101 line 9 extended permit esp host ThePublicIPofPEER interface outside log informational interval 300 (hitcnt=0)

access-list 101 line 10 extended permit udp host ThePublicIPofPEER interface outside eq 4500 log informational interval 300 (hitcnt=0)

However, now I can't communicate with the remote LAN. What do I need to change?

Also, I noticed that the ACL did not get any hit counts when bringing up the tunnel.

Please advise.

Thanks!

Try this:

1. Enable "debug crypto isa".

2. Try to initiate traffic through the VPN.

3. Check the syslog and debug output.

4. If you see the packets from the VPN peer being dropped by ACL 101, which is applied on the outside interface, change "interface outside" in your ACL to its IP address and try again.
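The two-step recipe in the first reply (disable permit-vpn, then permit IKE, ESP and the site-to-site traffic), together with the follow-up about the missing remote-LAN connectivity and the zero hit counts, is put together below as one complete ASA configuration. This is an added example, not configuration posted in the thread; every address is an assumption chosen for illustration: outside interface 198.51.100.1, VPN peer 203.0.113.10, local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24, and the ACL name outside_access_in. The line the follow-up ACL 101 was missing is the one that permits the decrypted traffic from the remote LAN: once sysopt connection permit-vpn is off, that traffic is subject to the outside ACL like anything else, so without it the tunnel negotiates but nothing crosses it. One caveat that is not in the thread but is worth knowing before expecting counters to move: an ASA interface ACL filters traffic passing through the box, not traffic terminating on the box itself, so IKE and ESP addressed to the outside interface can show hitcnt=0 regardless of how the destination is written; on releases that support it, to-the-box traffic is filtered with a control-plane access-group instead (check the command reference for your release).

```text
! Added example (not from the thread). Assumed addresses:
!   outside interface 198.51.100.1, VPN peer 203.0.113.10,
!   local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24.
!
! 1. Stop decrypted VPN traffic from bypassing the interface ACL.
no sysopt connection permit-vpn
!
! 2. IKE (UDP/500), NAT-T (UDP/4500) and ESP from the one peer only.
!    The destination is the outside interface's own address written as
!    a host, as the last reply suggests instead of "interface outside".
access-list outside_access_in extended permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp log
access-list outside_access_in extended permit udp host 203.0.113.10 host 198.51.100.1 eq 4500 log
access-list outside_access_in extended permit esp host 203.0.113.10 host 198.51.100.1 log
!
! 3. With permit-vpn disabled, the decrypted traffic arriving from the
!    remote LAN must itself be permitted. This is the "traffic between
!    the two sites" entry from the first reply, and the entry the
!    follow-up ACL 101 did not have.
access-list outside_access_in extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! 4. Apply inbound on the outside interface. The implicit deny at the
!    end drops IKE from every other source, such as 71.201.76.x.
access-group outside_access_in in interface outside
!
! Check after bringing the tunnel up: the remote-LAN line should show
! hit counts; see the caveat above before reading the IKE/ESP counters.
show access-list outside_access_in
```

If the ACL in use is the OP's numbered ACL 101, the same entries can be added to it instead; what matters is that the decrypted traffic line exists and that the access-group is applied inbound on outside.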