Critical Messages - shall I ignore them?

Unanswered Question
Feb 23rd, 2010

Now that I have the ASA5505 up and running, the log buffer is filling up with critical level 2 messages, such as below:

2|Feb 23 2010|09:43:14|106001|207.46.236.175|173.8.218.60|Inbound TCP connection denied from 207.46.236.175/80 to 173.8.218.60/1719 flags PSH ACK  on interface outside
2|Feb 23 2010|09:30:34|106001|208.80.152.3|173.8.218.60|Inbound TCP connection denied from 208.80.152.3/80 to 173.8.218.60/1571 flags SYN ACK  on interface outside
2|Feb 23 2010|09:29:51|106001|65.54.95.161|173.8.218.60|Inbound TCP connection denied from 65.54.95.161/80 to 173.8.218.60/1586 flags PSH ACK  on interface outside
2|Feb 23 2010|09:29:51|106001|65.54.95.161|173.8.218.60|Inbound TCP connection denied from 65.54.95.161/80 to 173.8.218.60/1586 flags ACK  on interface outside
2|Feb 23 2010|09:29:50|106001|38.113.115.195|173.8.218.60|Inbound TCP connection denied from 38.113.115.195/80 to 173.8.218.60/1597 flags ACK  on interface outside
2|Feb 23 2010|09:29:50|106001|38.113.115.195|173.8.218.60|Inbound TCP connection denied from 38.113.115.195/80 to 173.8.218.60/1596 flags ACK  on interface outside
2|Feb 23 2010|09:29:50|106001|38.113.115.195|173.8.218.60|Inbound TCP connection denied from 38.113.115.195/80 to 173.8.218.60/1595 flags ACK  on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1579 flags PSH ACK  on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1579 flags ACK  on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1578 flags PSH ACK  on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1578 flags ACK  on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1577 flags PSH ACK  on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1577 flags ACK  on interface outside

I did find out that 196.30.168.79 is from South Africa (if we believe that the IP inside the packet is unaltered and correct).

Shall I ignore these types of messages, or are they suggesting that I need more security policies in the "outside" interface VLAN 1?

I don't know whether to wring my hands or pat the ASA5505 on the back.

Any security gurus with some suggestions?

Randall

Federico Coto F... Thu, 02/25/2010 - 08:29

Hi,

All seem to be inbound connections coming from port 80. These could be web servers' responses to requests from the inside.

Could you try doing a "sh loc internal_IP" to see if the connections are valid web connections initiated from inside the ASA?

Federico.
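
One way to triage a buffer of these 106001 denies along the lines of the reply above, as an added example that is not part of the original thread: it parses the pipe-delimited lines and separates ACK-bearing packets from web source ports (which look like replies to sessions started from inside) from bare SYNs (new inbound attempts). The labels, the WEB_PORTS set and the 1024 port threshold are assumptions of this example, and the last sample line is constructed.

```python
import re
from collections import Counter

# First three lines are copied from the question above (format:
# severity|date|time|message-id|src|dst|text); the last line is constructed.
SAMPLE = """\
2|Feb 23 2010|09:43:14|106001|207.46.236.175|173.8.218.60|Inbound TCP connection denied from 207.46.236.175/80 to 173.8.218.60/1719 flags PSH ACK  on interface outside
2|Feb 23 2010|09:30:34|106001|208.80.152.3|173.8.218.60|Inbound TCP connection denied from 208.80.152.3/80 to 173.8.218.60/1571 flags SYN ACK  on interface outside
2|Feb 23 2010|09:29:50|106001|38.113.115.195|173.8.218.60|Inbound TCP connection denied from 38.113.115.195/80 to 173.8.218.60/1597 flags ACK  on interface outside
2|Feb 23 2010|09:31:02|106001|192.0.2.10|173.8.218.60|Inbound TCP connection denied from 192.0.2.10/40112 to 173.8.218.60/3389 flags SYN  on interface outside
"""

DENY = re.compile(
    r"Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+on interface (?P<ifc>\S+)"
)

WEB_PORTS = {80, 443}  # assumption: source ports treated as "web server"

def classify(line):
    """Return (label, fields) for one 106001 line, or None if it is not one."""
    parts = line.split("|")
    if len(parts) < 7 or parts[3] != "106001":
        return None
    m = DENY.search(parts[6])
    if not m:
        return None
    f = m.groupdict()
    flags = set(f["flags"].split())
    if flags == {"SYN"}:
        # Bare SYN: a new connection attempt from outside.
        label = "unsolicited-syn"
    elif "ACK" in flags and int(f["sport"]) in WEB_PORTS and int(f["dport"]) >= 1024:
        # ACK from a web port to a high client port: looks like reply traffic
        # for a session the firewall no longer tracks.
        label = "likely-late-web-reply"
    else:
        label = "other"
    return label, f

def summarize(text):
    """Count labels across a block of log text."""
    return Counter(r[0] for r in map(classify, text.splitlines()) if r)

if __name__ == "__main__":
    for label, n in summarize(SAMPLE).items():
        print(f"{label}: {n}")
```

A buffer dominated by "likely-late-web-reply" matches the explanation in the reply; "unsolicited-syn" and "other" entries are the ones worth reading individually.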
