Deny IP due to Land Attack

brunstadnett
Level 1

Hi all!

I don't know if this is a basic issue / basic knowledge, but I'm kinda confused about it.

I have an ASA 5520 configured with an inside, an outside and a dmz interface. I have several public IPs in use for webservers and stuff.

The case is: when I want to go from webserver1 to webserver2 on http, I just get an error. The servers have unique public IPs. This goes for both the URL and the IP.

It is possible to reach the public IPs / URLs of both servers on http from the outside. These are operating webservers hosting sites.

By the way, the ACL allows all this kind of traffic. I get no blocking in the firewall monitor.

When I try to reach the URL hosted on webserver1 from itself, I get this message in the firewall monitor:

Deny IP due to Land Attack from 213.x.x.10 to 213.x.x.10

Any ideas why I can't reach the server itself on the public IP / URL, and why the servers can't reach each other?

12 Replies

andrew.prince
Level 10

You need to configure DNS doctoring; this will translate the external IP address to the internal IP address in DNS resolution. I presume that when you try to browse from webserver1 to webserver2 you are using a URL?

DNS doctoring is disabled by default.

Yes, I'm using a URL to browse. The URL will not be resolved to an IP when I'm pinging from webserver1 to 2:

"Ping request could not find host website.com. Please check the name and try again."

When I telnet to webserver1 from 2 on the public IP and tcp/80, it just times out. It seems we have 2 problems here: the missing DNS response, and the webservers can't reach themselves or each other.

It is important to remember that from a client in another dmz (public IP: 213.x.x.30) I have no problems reaching the webserver on 213.x.x.10.

Could it be that the webservers are on the same dmz?

Yes, I'm using a URL to browse. The URL will not be resolved to an IP when I'm pinging from webserver1 to 2:

"Ping request could not find host website.com. Please check the name and try again." - Which DNS server are you using?

When I telnet to webserver1 from 2 on the public IP and tcp/80, it just times out. It seems we have 2 problems here: the missing DNS response, and the webservers can't reach themselves or each other. - Can you telnet to server 2 from server 1 using just the DMZ IP address?

It is important to remember that from a client in another dmz (public IP: 213.x.x.30) I have no problems reaching the webserver on 213.x.x.10.

Could it be that the webservers are on the same dmz? - It would suggest that is the case.

Yes, I'm using a URL to browse. The URL will not be resolved to an IP when I'm pinging from webserver1 to 2:

"Ping request could not find host website.com. Please check the name and try again."

Which DNS server are you using?

I'm using an internal server; it's on another DMZ, but it works fine, e.g. when querying google.com.

When I telnet to webserver1 from 2 on the public IP and tcp/80, it just times out. It seems we have 2 problems here: the missing DNS response, and the webservers can't reach themselves or each other. - Can you telnet to server 2 from server 1 using just the DMZ IP address?

Yes.

It is important to remember that from a client in another dmz (public IP: 213.x.x.30) I have no problems reaching the webserver on 213.x.x.10.

Could it be that the webservers are on the same dmz? - It would suggest that is the case.

Bravo, I thought so too. But why would it matter? It's this problem I need a solution for.

Check that your DNS server has an A record for the servers you are working on.

If you can telnet using IP addresses, then your issue is DNS.

Check your static NAT or dynamic NAT configuration; ensure that you have the "DNS" keyword at the end of the config line for the webservers.

HTH

If you can telnet using IP addresses, then your issue is DNS.

I can't telnet on the public IP, only on the local one.

This leads me to say that DNS doctoring is not necessary at this level, because we're fault-finding on the IP layer and not on DNS.

See the link for a screenshot of a packet trace I did. I've used the 2 webservers' public IPs in this scenario:

http://www.postimage.org/image.php?v=aVGfKQJ

When I use the local IP as source and the public IP as destination, it works fine in the trace, but when I look deeper into the NAT segment, I see that it is the same public IP it goes out and comes in with. So suddenly the destination is not webserver2 but webserver1 itself.

http://www.postimage.org/image.php?v=Pql9L0

I am confused - what issue do you want to fix?

I want to fix the problem the heading of this post describes. Back to basics:

I can't telnet on the public IP, only on the local one, from server1 to 2.

Both servers are, as I said, NATed to a unique public IP.

Why can't I reach the server itself on the public IP?

It is not a good idea to try to access the webservers using their public address from the DMZ segment or from the INSIDE segment. We can do some hack and make this work, but this is not recommended. Please use only the private address when accessing the DMZ server from within the DMZ segment or from the INSIDE segment. Public addresses are only to be used from the OUTSIDE world.

-KS

Could you give a description of why it is not common to access the webserver on its public IP from the inside and from within its own DMZ?

It's because server1 needs to access a lot of websites to manage a login system. The system works by URL, and all the URLs are defined in the login system. Server1 has as its primary DNS server an internal server which has all the URLs defined with their public addresses.

Being able to telnet to the servers is not important.

Read the link below:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
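As an added configuration example (not taken from this thread, and not Cisco's own sample), here are the two approaches the replies discuss, written in the pre-8.3 ASA syntax an ASA 5520 of that era would run. The interface names inside, outside and dmz come from the thread; the addresses are constructed placeholders: 203.0.113.10 and 203.0.113.20 stand in for the thread's 213.x.x.10 and 213.x.x.20, and 192.168.10.10 and 192.168.10.20 are the assumed private DMZ addresses of webserver1 and webserver2. The DNS doctoring part assumes the resolver's replies enter on the outside interface; where the resolver sits on another interface, as the poster's does, the static carrying the dns keyword has to cover the interface pair the DNS reply actually crosses.

```cisco
! Added example, not the thread's configuration. Pre-8.3 ASA syntax.
! Constructed addresses: 203.0.113.10/.20 stand in for the thread's
! 213.x.x.10/.20; 192.168.10.10/.20 are the assumed DMZ addresses.

! --- Option 1: DNS doctoring (what the earlier reply recommends) ---
! The "dns" keyword makes the ASA rewrite the A record in a DNS reply
! that traverses this static, so a DMZ host resolving the public name
! receives the private DMZ address and talks to its neighbour directly.
! The connection then never reaches the ASA, so no hairpin and no
! "Deny IP due to Land Attack" message.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255 dns
static (dmz,outside) 203.0.113.20 192.168.10.20 netmask 255.255.255.255 dns

! DNS inspection must be enabled for the rewrite to happen. It is part of
! the default global policy; shown here in case it was removed.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

! --- Option 2: hairpin the public address on the DMZ interface ---
! This is the "hack" the later reply warns against. Traffic that enters
! and leaves the same interface is dropped by default, so it has to be
! permitted, and the source must be translated to the dmz interface
! address so the server's reply comes back through the ASA instead of
! going host-to-host on the DMZ segment.
same-security-traffic permit intra-interface
static (dmz,dmz) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
static (dmz,dmz) 203.0.113.20 192.168.10.20 netmask 255.255.255.255
nat (dmz) 1 192.168.10.0 255.255.255.0
global (dmz) 1 interface
```

To check either change without waiting for the servers to retry, run the same trace the poster screenshotted from the CLI, e.g. `packet-tracer input dmz tcp 192.168.10.10 12345 203.0.113.20 80` (with the constructed addresses above), and look at the NAT phase to confirm the source is no longer rewritten to the same public address as the destination. From a monitoring point of view, this log line (syslog message ID 106017 on the ASA) with one of your own mapped public addresses as both source and destination is the signature of a hairpin translation like the one traced above rather than of a spoofed packet arriving on the outside interface; the same message from an outside source address should still be treated as suspicious.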
