09-27-2009 10:09 PM
I have an ASA 5505 firewall that is doing one site to site VPN.
I saw some weird stuff in the logs regarding an IP address not associated with the VPN on either side:
4 Sep 27 2009 19:19:45 713903 IP = 71.201.76.x, Header invalid, missing SA payload! (next payload = 133)
3 Sep 27 2009 19:19:45 713048 IP = 71.201.76.x, Error processing payload: Payload ID: 1
3 Sep 27 2009 19:19:45 713902 IP = 71.201.76.x, Removing peer from peer table failed, no match!
4 Sep 27 2009 19:19:45 713903 IP = 71.201.76.x, Error: Unable to remove PeerTblEntry
Is this some type of attack? If so, could this be stopped with an ACL regarding the specific host allowed to hit port 500 UDP (isakmp) on the outside interface?
For example:
access-list 103 permit udp host TheOnlyVPNPeerAllowed interface outside eq 500 log ?
Please advise.
Thanks for any help!
09-27-2009 10:26 PM
Not sure if it is an attack. If you see a lot of those messages, it could be.
If you would like to use an ACL to lock down your VPN session, you need:
1. no sysopt connection permit-vpn
2. Add the related ACL entry to permit IKE, ESP and the traffic between site-2-site.
Please refer to the command reference:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1198155
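As an added example (not from the thread or from Cisco): a small parser for the ASA IKE syslog lines quoted in the first post that counts ISAKMP error messages per source address outside the configured peer list, which is the "a lot of those messages" check suggested above. The log lines and the addresses in them are constructed for the example; the message ids are the ones from the thread.

```python
import re
from collections import Counter

# Regex for the ASA syslog layout quoted in the thread:
# <severity> <Mon DD YYYY HH:MM:SS> <6-digit msg id> IP = <peer>, <text>
LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<msg_id>\d{6})\s+IP = (?P<peer>[\d.]+),\s*(?P<text>.*)$"
)

# Constructed sample log (not from the thread); 192.0.2.44 plays the unknown
# source, 203.0.113.5 the configured site-to-site peer, 198.51.100.7 a one-off.
SAMPLE_LOG = """\
4 Sep 27 2009 19:19:45 713903 IP = 192.0.2.44, Header invalid, missing SA payload! (next payload = 133)
3 Sep 27 2009 19:19:45 713048 IP = 192.0.2.44, Error processing payload: Payload ID: 1
3 Sep 27 2009 19:19:45 713902 IP = 192.0.2.44, Removing peer from peer table failed, no match!
4 Sep 27 2009 19:19:45 713903 IP = 192.0.2.44, Error: Unable to remove PeerTblEntry
3 Sep 27 2009 19:20:02 713048 IP = 203.0.113.5, Error processing payload: Payload ID: 1
4 Sep 27 2009 19:21:10 713903 IP = 198.51.100.7, Header invalid, missing SA payload! (next payload = 1)
"""

def parse_line(line):
    """Return the fields of one ASA IKE log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def unexpected_ike_peers(log_text, allowed_peers, threshold=3):
    """Count 713xxx (ISAKMP) error/warning lines per source IP that is not a
    configured VPN peer; return {ip: count} for sources at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["msg_id"].startswith("713"):
            continue
        if rec["peer"] in allowed_peers or int(rec["sev"]) > 4:
            continue  # known peer, or informational rather than error/warning
        counts[rec["peer"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(unexpected_ike_peers(SAMPLE_LOG, {"203.0.113.5"}))
```

Feed it the output of `show logging` (or a syslog export) with your real peer address in the allow-list; a single source tripping the threshold repeatedly is the pattern worth filtering at the outside interface.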
09-28-2009 02:40 PM
Hi kwu2,
I suspected it was an attack because I know nothing about the IP address in the logs.
I added the no sysopt conn permit-vpn command, and this to the bottom of my ACL:
access-list 101 line 8 extended permit udp host ThePublicIPofPEER interface outside eq isakmp log informational interval 300 (hitcnt=0)
access-list 101 line 9 extended permit esp host ThePublicIPofPEER interface outside log informational interval 300 (hitcnt=0)
access-list 101 line 10 extended permit udp host ThePublicIPofPEER interface outside eq 4500 log informational interval 300 (hitcnt=0)
However, now I can't communicate with the remote LAN. What do I need to change?
Also, I noticed that the ACL did not get any hitcnts when bringing up the tunnel.
Please advise..
thanks!!!
09-28-2009 03:15 PM
Try this:
1. Enable "debug crypto isa".
2. Try to initiate traffic through the VPN.
3. Check the syslog and debug output.
4. If you see that the packets from the VPN peer are dropped by ACL 101, which is applied on the outside interface, change "interface outside" in your ACL to its IP address and try again.