Syslog Message...

Thomas_2004
Level 1

In my Syslog I keep seeing this critical message "Deny IP due to Land Attack from X.X.X.X to X.X.X.X." Should I be concerned? Other than filtering it in Syslog, are there any other measures I can take to get rid of that? Thanks

Accepted Solutions

Magnus Mortensen
Cisco Employee

Thomas,

So those messages do not directly indicate a problem, but may still be worth investigating. Is the IP address referenced in the syslog message one of your global addresses in a 'global' or 'static' config line? If so, it very well may be that a host on the inside is trying to communicate to its own external address:

nat (inside) 1 10.0.0.0 255.0.0.0

global (outside) 1 1.2.3.4

If a host on the inside tries to connect to 1.2.3.4, the packet as it leaves the firewall would look like it is coming from/going to 1.2.3.4 (which would be a land attack).

One way you can track this would be to set up a capture on the inside interface for this traffic:

8.0.4 code and later:

cap inside interface inside match ip any host 1.2.3.4

Earlier code:

access-list cap-list permit ip any host 1.2.3.4

cap inside interface inside access-list cap-list

When you see the error pop up, look at the captures:

show capture inside

I hope this helps. If this resolves your issue, please mark this question as resolved.

-Magnus
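To make the check Magnus describes repeatable, here is an added triage script (not from the thread or from Cisco): it pulls the mapped addresses out of 'global' and simple 'static' lines and classifies each land-attack deny by whether src == dst is one of the firewall's own translated addresses. The config fragment and syslog lines are constructed samples built from the values in this thread.

```python
import re

# Constructed ASA config fragment: the thread's nat/global lines plus one simple static.
SAMPLE_CONFIG = """\
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 1.2.3.4
static (inside,outside) 1.2.3.5 10.0.0.5 netmask 255.255.255.255
"""

# Constructed syslog lines; the land-attack body is the text quoted in the thread.
SAMPLE_SYSLOG = [
    "%ASA-2-106017: Deny IP due to Land Attack from 1.2.3.4 to 1.2.3.4",
    "%ASA-2-106017: Deny IP due to Land Attack from 198.51.100.9 to 198.51.100.9",
    "%ASA-6-302013: Built inbound TCP connection 12 for outside:203.0.113.7/4000",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LAND_RE = re.compile(rf"Deny IP due to Land Attack from (?P<src>{IPV4}) to (?P<dst>{IPV4})")
# Mapped (outside) address from 'global' lines and from simple 'static' lines.
GLOBAL_RE = re.compile(rf"^\s*global\s+\(\S+\)\s+\d+\s+(?P<ip>{IPV4})\b")
STATIC_RE = re.compile(rf"^\s*static\s+\(\S+,\S+\)\s+(?:tcp\s+|udp\s+)?(?P<ip>{IPV4})\b")

def mapped_addresses(config):
    """Return the set of outside addresses the firewall translates inside hosts to."""
    found = set()
    for line in config.splitlines():
        m = GLOBAL_RE.match(line) or STATIC_RE.match(line)
        if m:
            found.add(m.group("ip"))
    return found

def triage(syslog_lines, config):
    """Classify each land-attack deny against the firewall's own mapped IPs."""
    mapped = mapped_addresses(config)
    results = []
    for line in syslog_lines:
        m = LAND_RE.search(line)
        if not m:
            continue  # not a land-attack message
        src, dst = m.group("src"), m.group("dst")
        if src == dst and src in mapped:
            verdict = "likely inside host reaching its own mapped address"
        elif src == dst:
            verdict = "spoofed or unknown: src == dst but not a mapped address"
        else:
            verdict = "unexpected: source and destination differ"
        results.append((src, dst, verdict))
    return results
```

The 'nat'/'global'/'static' parsing covers the pre-8.3 NAT syntax used in the thread only; the second verdict is the case worth following up with the capture commands above.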


4 Replies


I just checked the Syslog again and both source and destination IP addresses are public IPs.

Thomas,

Are the public IPs ones that you have hosts translating to?

-M

Yes they are.
