Deny IP due to Land Attack

Unanswered Question
Jun 17th, 2010

Hi all!

I don't know if this is a basic issue / basic knowledge, but I'm kind of confused about it.

I have an ASA 5520 configured with an inside, an outside and a DMZ interface. I have several public IPs in use for webservers and stuff.

The case is: when I want to go from webserver1 to webserver2 on HTTP, I just get an error. The servers have unique public IPs. This goes for both the URL and the IP.

It is possible to reach the public IPs / URLs of both servers on HTTP from the outside. These are operating webservers hosting sites.

By the way, the ACL allows all this kind of traffic. I get no blocking in the firewall monitor.

When I try to reach the URL hosted on webserver1 from itself, I get this message in the firewall monitor:

Deny IP due to Land Attack from 213.x.x.10 to 213.x.x.10

Any ideas why I can't reach the servers themselves on the public IP / URL, and why the servers can't reach each other?

brunstadnett Thu, 06/17/2010 - 04:59

Yes, I'm using the URL to browse. The URL will not be resolved to an IP when I'm pinging from webserver1 to 2:

"Ping request could not find host website.com. Please check the name and try again."

When I telnet webserver1 from 2 at the public IP and tcp/80, it just times out. It seems we have 2 problems here: the missing DNS response, and the webservers can't reach themselves or the other webserver.

It is important to remember that from a client in another DMZ (public IP: 213.x.x.30) I have no problems reaching the webserver on 213.x.x.10.

Could it be that the webservers are on the same DMZ?

Yes, I'm using the URL to browse. The URL will not be resolved to an IP when I'm pinging from webserver1 to 2:

"Ping request could not find host website.com. Please check the name and try again." - Which DNS server are you using?

When I telnet webserver1 from 2 at the public IP and tcp/80, it just times out. It seems we have 2 problems here: the missing DNS response, and the webservers can't reach themselves or the other webserver. - Can you telnet to server 2 from server 1 using just the DMZ IP address?

It is important to remember that from a client in another DMZ (public IP: 213.x.x.30) I have no problems reaching the webserver on 213.x.x.10.

Could it be that the webservers are on the same DMZ? - It would suggest that is the case.

brunstadnett Thu, 06/17/2010 - 05:18

Yes, I'm using the URL to browse. The URL will not be resolved to an IP when I'm pinging from webserver1 to 2:

"Ping request could not find host website.com. Please check the name and try again."

Which DNS server are you using?

I'm using an internal server; it's on another DMZ, but it works fine, e.g. when querying google.com.

When I telnet webserver1 from 2 at the public IP and tcp/80, it just times out. It seems we have 2 problems here: the missing DNS response, and the webservers can't reach themselves or the other webserver. - Can you telnet to server 2 from server 1 using just the DMZ IP address?

Yes.

It is important to remember that from a client in another DMZ (public IP: 213.x.x.30) I have no problems reaching the webserver on 213.x.x.10.

Could it be that the webservers are on the same DMZ? - It would suggest that is the case.

Bravo, I thought so too. But why would it matter? It's this problem I need a solution for.

brunstadnett Thu, 06/17/2010 - 05:31

If you can telnet using IP addresses, then your issue is DNS.

I can't telnet on the public IP, only on the local one.

That leads me to say that DNS doctoring is not necessary at this level, because we're troubleshooting on the IP layer and not DNS.

See the link for a screenshot of a packet trace I did. I've used the 2 webservers' public IPs in this scenario:

http://www.postimage.org/image.php?v=aVGfKQJ

When I use the local IP as source and the public IP as destination, it works fine in the trace, but when I look deeper into the NAT segment, I see that it is the same public IP it goes out and comes back in with. So suddenly the destination is not webserver2 but webserver1 itself.

http://www.postimage.org/image.php?v=Pql9L0
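The trace described above (the source being rewritten to the server's own public address, so that the firewall sees source == destination and logs "Deny IP due to Land Attack") can be modelled in a few lines. The following is an added example, not code from this thread or from Cisco: it encodes the behaviour the poster observed as a small simulation of a one-to-one static NAT, and adds a log-triage helper a defender can use to tell a self-inflicted NAT hairpin apart from a genuine spoofed land-attack packet. The DMZ subnet, the private addresses and the 213.0.0.N public addresses are constructed placeholders standing in for the redacted 213.x.x.N values.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed placeholder topology (assumption, not from the thread): the DMZ
# subnet and the one-to-one static (dmz,outside) translations of the two
# webservers. 213.0.0.N stands in for the redacted 213.x.x.N addresses.
DMZ_SUBNET = ipaddress.ip_network("10.10.10.0/24")
STATIC_NAT = {                      # private DMZ address -> public address
    "10.10.10.10": "213.0.0.10",    # webserver1
    "10.10.10.20": "213.0.0.20",    # webserver2
}
OWN_PUBLIC_ADDRESSES = frozenset(STATIC_NAT.values())


@dataclass(frozen=True)
class Verdict:
    action: str          # "forward-dmz", "forward-outside" or "drop"
    reason: str
    src_after_nat: str
    dst_after_nat: str


def simulate_dmz_packet(src: str, dst: str) -> Verdict:
    """Model (not ASA code) of how a packet arriving on the DMZ is handled.

    The order follows what the packet trace in the thread showed: a
    destination outside the DMZ subnet is routed toward the outside, the
    static NAT rewrites the source to its public address on the way out, and
    the firewall then compares source and destination. Identical addresses
    are the classic land-attack signature, so the packet is dropped.
    """
    if ipaddress.ip_address(dst) in DMZ_SUBNET:
        # Same-interface delivery on the DMZ: no translation, no land condition.
        return Verdict("forward-dmz", "local delivery, no NAT applied", src, dst)

    src_nat = STATIC_NAT.get(src, src)      # static (dmz,outside) source rewrite
    if src_nat == dst:
        return Verdict("drop", "Deny IP due to Land Attack", src_nat, dst)
    # Forwarded out the outside interface. The firewall itself does not turn
    # the packet back toward the DMZ, which is why the telnet in the thread
    # simply times out (assumption of this model, consistent with the post).
    return Verdict("forward-outside", "egress to outside, no hairpin", src_nat, dst)


LAND_RE = re.compile(r"Deny IP due to Land Attack from (\S+) to (\S+)")


def triage_land_log(line: str) -> str:
    """Classify a firewall-monitor line for someone reviewing the log.

    A land-attack message whose address is one of our own NAT public
    addresses is a DMZ host reaching its public IP after translation, not an
    external spoofing attempt; any other address pair deserves a look.
    """
    m = LAND_RE.search(line)
    if not m:
        return "not-a-land-attack-message"
    src, dst = m.groups()
    if src != dst:
        return "malformed"
    if src in OWN_PUBLIC_ADDRESSES:
        return "own-nat-hairpin"
    return "external-spoof-suspect"


if __name__ == "__main__":
    # Constructed sample traffic mirroring the three cases in the thread.
    for src, dst in [("10.10.10.10", "213.0.0.10"),    # server to its own public IP
                     ("10.10.10.10", "213.0.0.20"),    # server1 to server2 public IP
                     ("10.10.10.10", "10.10.10.20")]:  # server1 to server2 DMZ IP
        v = simulate_dmz_packet(src, dst)
        print(f"{src} -> {dst}: {v.action} ({v.reason}); "
              f"after NAT {v.src_after_nat} -> {v.dst_after_nat}")

    # Constructed log lines: one self-inflicted, one worth investigating.
    for line in ["Deny IP due to Land Attack from 213.0.0.10 to 213.0.0.10",
                 "Deny IP due to Land Attack from 198.51.100.7 to 198.51.100.7"]:
        print(f"{line!r}: {triage_land_log(line)}")
```

The model only reproduces the behaviour the trace showed; it does not implement any of the ASA's real NAT order of operations, so use it to reason about the symptom, not as a substitute for the `packet-tracer` output the poster linked to.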

brunstadnett Thu, 06/17/2010 - 23:47

I want to fix the problem the heading of this post describes. Back to basics:

I can't telnet on the public IP, only on the local one, from server1 to 2.

Both servers are, as told, NATed to a unique public IP each.

Why can't I reach the server itself on the public IP?

Kureli Sankar Fri, 06/18/2010 - 01:24

It is not a good idea to try to access the webservers using their public address from the DMZ segment or from the INSIDE segment. We can do some hack and make this work, but this is not recommended. Please use only the private address when accessing the DMZ server from within the DMZ segment or from the INSIDE segment. Public addresses are only to be used from the OUTSIDE world.

-KS

brunstadnett Fri, 06/18/2010 - 01:41

Could you give a description of why it is not common to access the webserver on its public IP from the inside and from within its own DMZ?

It's because server1 needs to access a lot of websites to manage a login system. The system works by URL, and all the URLs are defined in the login system. Server1 has as its primary DNS server an internal server which has all the URLs defined with their public addresses.
