Critical Messages - shall I ignore them?

Unanswered Question
Feb 23rd, 2010
Now that I have the ASA5505 up and running, the log buffer is filling up with critical level 2 messages, such as below:


2|Feb 23 2010|09:43:14|106001|207.46.236.175|173.8.218.60|Inbound TCP connection denied from 207.46.236.175/80 to 173.8.218.60/1719 flags PSH ACK  on interface outside
2|Feb 23 2010|09:30:34|106001|208.80.152.3|173.8.218.60|Inbound TCP connection denied from 208.80.152.3/80 to 173.8.218.60/1571 flags SYN ACK  on interface outside
2|Feb 23 2010|09:29:51|106001|65.54.95.161|173.8.218.60|Inbound TCP connection denied from 65.54.95.161/80 to 173.8.218.60/1586 flags PSH ACK  on interface outside
2|Feb 23 2010|09:29:51|106001|65.54.95.161|173.8.218.60|Inbound TCP connection denied from 65.54.95.161/80 to 173.8.218.60/1586 flags ACK  on interface outside
2|Feb 23 2010|09:29:50|106001|38.113.115.195|173.8.218.60|Inbound TCP connection denied from 38.113.115.195/80 to 173.8.218.60/1597 flags ACK  on interface outside
2|Feb 23 2010|09:29:50|106001|38.113.115.195|173.8.218.60|Inbound TCP connection denied from 38.113.115.195/80 to 173.8.218.60/1596 flags ACK  on interface outside
2|Feb 23 2010|09:29:50|106001|38.113.115.195|173.8.218.60|Inbound TCP connection denied from 38.113.115.195/80 to 173.8.218.60/1595 flags ACK  on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1579 flags PSH ACK  on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1579 flags ACK  on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1578 flags PSH ACK  on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1578 flags ACK  on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1577 flags PSH ACK  on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1577 flags ACK  on interface outside


I did find out that 196.30.168.79 is from South Africa (if we believe that the IP inside the packet is unaltered and correct).


Shall I ignore these types of messages, or are they suggesting that I need more security policies in the "outside" interface VLAN 1?


I don't know whether to wring my hands or pat the ASA5505 on the back.


Any security gurus with some suggestions?


Randall

Federico Coto F... Thu, 02/25/2010 - 08:29

Hi,


All seem to be inbound connections coming from port 80. These could be web server responses to requests from the inside.

Do you mind doing a ''sh loc internal_IP'' to see if the connections are valid web connections initiated from inside the ASA?


Federico.
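As an added illustration of the triage Federico describes (this is example code, not from the thread or from Cisco): a small Python script that parses 106001 entries in the pipe-delimited layout Randall pasted, then sorts each denied segment by what its source port and TCP flags suggest. The classification rule is an assumption for the example: a segment arriving from a web port that already carries ACK is most likely the tail of a session an inside host opened (the reply reached the ASA after its connection entry was gone), whereas a bare SYN is an unsolicited attempt to open a connection toward the outside address. Two of the sample lines are taken from the post; the third, with a 192.0.2.x source, is constructed to show the other branch.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Message text of an ASA 106001 event, as it appears in the post's export.
MSG_RE = re.compile(
    r"Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+"
    r"on interface (?P<iface>\S+)"
)

WEB_PORTS = {80, 443}  # assumption: replies from these ports are "web"


@dataclass
class Denied:
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    iface: str


def parse_asa_106001(line):
    """Parse one export line (sev|date|time|msgid|src|dst|text).

    Returns a Denied record, or None if the line is not a 106001 TCP deny.
    """
    parts = line.strip().split("|", 6)
    if len(parts) != 7 or parts[3] != "106001":
        return None
    m = MSG_RE.search(parts[6])
    if not m:
        return None
    return Denied(
        timestamp=f"{parts[1]} {parts[2]}",
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        flags=frozenset(m["flags"].split()),
        iface=m["iface"],
    )


def classify(d):
    """Heuristic label for a denied inbound segment (assumption, see lead-in)."""
    if d.flags == {"SYN"}:
        return "unsolicited-syn"        # someone trying to open a session to us
    if d.sport in WEB_PORTS and "ACK" in d.flags:
        return "late-web-reply"         # probable tail of an inside-initiated session
    if "ACK" in d.flags:
        return "stray-ack"              # ACK from a non-web port; worth a second look
    return "other"


def triage(lines):
    """Return (counts per class, counts per source IP) for a batch of log lines."""
    by_class, by_src = Counter(), Counter()
    for line in lines:
        d = parse_asa_106001(line)
        if d is None:
            continue
        by_class[classify(d)] += 1
        by_src[d.src] += 1
    return by_class, by_src


# First two lines are from the post; the third is constructed for the example.
SAMPLE_LINES = [
    "2|Feb 23 2010|09:43:14|106001|207.46.236.175|173.8.218.60|Inbound TCP connection denied from 207.46.236.175/80 to 173.8.218.60/1719 flags PSH ACK  on interface outside",
    "2|Feb 23 2010|09:30:34|106001|208.80.152.3|173.8.218.60|Inbound TCP connection denied from 208.80.152.3/80 to 173.8.218.60/1571 flags SYN ACK  on interface outside",
    "2|Feb 23 2010|09:31:02|106001|192.0.2.10|173.8.218.60|Inbound TCP connection denied from 192.0.2.10/51234 to 173.8.218.60/23 flags SYN  on interface outside",
]

if __name__ == "__main__":
    by_class, by_src = triage(SAMPLE_LINES)
    for label, n in by_class.most_common():
        print(f"{label:16} {n}")
    for src, n in by_src.most_common():
        print(f"{src:16} {n}")
```

Run it against a ''sh log'' export and compare the "late-web-reply" sources with the inside hosts' recent web sessions (what Federico's ''sh loc'' check does by hand); the "unsolicited-syn" bucket is the one that says something about the outside policy rather than about connection timeouts.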
