Syslog Message...

Jun 24th, 2010

In my Syslog I keep seeing this critical message: "Deny IP due to Land Attack from X.X.X.X to X.X.X.X." Should I be concerned? Other than filtering it in Syslog, are there any other measures I can take to get rid of it? Thanks

Correct Answer
Magnus Mortensen Thu, 06/24/2010 - 06:25
User Badges: Cisco Employee

Thomas,

So those messages do not directly indicate a problem, but may still be worth investigating. Is the IP address referenced in the syslog message one of your global addresses in a 'global' or 'static' config line? If so, it very well may be that a host on the inside is trying to communicate to its own external address:

nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 1.2.3.4

If a host on the inside tries to connect to 1.2.3.4, the packet as it leaves the firewall would look like it is coming from/going to 1.2.3.4 (which would be a land attack).

One way you can track this would be to set up a capture on the inside interface for this traffic:

8.0.4 code and later:

cap inside interface inside match ip any host 1.2.3.4

Earlier code:

access-list cap-list permit ip any host 1.2.3.4
cap inside interface inside access-list cap-list

When you see the error pop up, look at the captures:

show capture inside

I hope this helps. If this resolves your issue, please mark this question as resolved.

-Magnus
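
As an added triage example (not part of this thread and not Cisco tooling): a small Python script that pulls the Land Attack denials out of syslog text, checks whether the address involved is one the firewall translates to according to its 'global'/'static' lines, and, for those that match, emits the inside-interface capture command from the answer so you can confirm the inside host is talking to its own external address. The %ASA-2-106017 message ID, the fw01 hostname, the timestamps, the 'static' line and the 203.0.113.9 / 198.51.100.7 addresses are constructed sample values that do not appear on the page; the 1.2.3.4 global and the nat line are the answer's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample syslog lines modelled on the message text quoted in the
# thread. The %ASA-2-106017 message ID, hostname and timestamps are assumptions.
SAMPLE_SYSLOG = """\
Jun 24 2010 06:20:01 fw01 %ASA-2-106017: Deny IP due to Land Attack from 1.2.3.4 to 1.2.3.4
Jun 24 2010 06:21:13 fw01 %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.9 to 203.0.113.9
Jun 24 2010 06:22:40 fw01 %ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.0.0.5/51234 (1.2.3.4/51234)
"""

# Constructed config fragment: the nat/global pair from the answer plus one
# assumed 'static' translation, so both line forms the answer mentions are covered.
SAMPLE_CONFIG = """\
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 1.2.3.4
static (inside,outside) 1.2.3.5 10.0.0.5 netmask 255.255.255.255
"""

LAND_RE = re.compile(r"Deny IP due to Land Attack from (\S+) to (\S+)")
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# 'global (ifc) id A.B.C.D' or 'global (ifc) id A.B.C.D-E.F.G.H' (address range)
GLOBAL_RE = re.compile(r"^global \(\S+\) \d+ " + IPV4 + r"(?:-" + IPV4 + r")?")
# 'static (inside,outside) <outside addr> <inside addr> ...'
STATIC_RE = re.compile(r"^static \(\S+,\S+\) " + IPV4 + r" ")

OWN_ADDRESS = "own-translated-address"
NOT_OWN = "not-a-translated-address"


def global_addresses(config: str) -> Set[str]:
    """Return every outside address this firewall translates to, taken from
    legacy-style 'global' (single address or range) and 'static' lines."""
    addrs: Set[str] = set()
    for line in config.splitlines():
        line = line.strip()
        m = GLOBAL_RE.match(line)
        if m:
            first = ipaddress.IPv4Address(m.group(1))
            last = ipaddress.IPv4Address(m.group(2)) if m.group(2) else first
            for n in range(int(first), int(last) + 1):
                addrs.add(str(ipaddress.IPv4Address(n)))
            continue
        m = STATIC_RE.match(line)
        if m:
            addrs.add(m.group(1))
    return addrs


@dataclass
class LandEvent:
    src: str
    dst: str
    verdict: str
    next_step: str


def capture_command(addr: str) -> str:
    """The 8.0.4-and-later capture line from the answer, filled in for one address."""
    return f"capture inside interface inside match ip any host {addr}"


def classify_land_events(syslog: str, config: str) -> List[LandEvent]:
    """Pick out the Land Attack denials and say whether the address is one the
    firewall itself translates to (an inside host reaching its own global
    address, the benign case the answer describes) or something else."""
    own = global_addresses(config)
    events: List[LandEvent] = []
    for raw in syslog.splitlines():
        m = LAND_RE.search(raw)
        if not m:
            continue
        src, dst = m.groups()
        if src in own:
            events.append(LandEvent(src, dst, OWN_ADDRESS, capture_command(src)))
        else:
            events.append(LandEvent(
                src, dst, NOT_OWN,
                "address is not translated here; review ingress filtering on the outside interface"))
    return events


if __name__ == "__main__":
    for ev in classify_land_events(SAMPLE_SYSLOG, SAMPLE_CONFIG):
        print(f"{ev.src} -> {ev.dst}: {ev.verdict}; next: {ev.next_step}")
```

Feed it the firewall's running config and a syslog extract; an event whose address is in the translated set is the hairpin case the answer describes and gets the capture command, while one whose address the firewall never translates to deserves a look at what is arriving on the outside interface.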

Thomas_2004 Thu, 06/24/2010 - 06:31

I just checked the Syslog again and both source and destination IP addresses are public IPs.

Magnus Mortensen Thu, 06/24/2010 - 06:34
User Badges: Cisco Employee

Thomas,

Are the public IPs ones that you have hosts translating to?


-M
