Cisco Support Community

New Member

%ASA-4-106023

Hi all,

I have one constant syslog message in my ASA 5520; every day I have this message:

%ASA-4-106023: Deny icmp src DMZ:X dst INTERNA:Y

But the source is a public IP X sending to Y, a private IP in my network. My DMZ has access to the internet. The destinations are the same every day. These private IPs belong to computers, UPSs and printers.

Why are the public IPs sending ICMP requests to these devices on my internal network?

Regards.

11 REPLIES
New Member

%ASA-4-106023

But the message indicates that the ICMP traffic is coming from your DMZ interface.  Do you also have an outside interface?

New Member

%ASA-4-106023

Thanks for answering, jedavis.

Yes, I have an outside interface; it is directly connected to other branches of the network.

The DMZ is connected to another firewall, a WatchGuard, and the WatchGuard to the WAN. It's complicated, but it's a network for one of our customers.

BTW, I see in the ICMP message "(type 3)" and "(type 11)". I read about this and it's for Destination Unreachable and Time Exceeded. Could it be that my private IPs are making a query to those public IPs, and the access list of the ASA denies the reply to this ICMP request?

Regards

New Member

%ASA-4-106023

Yes, it sounds like you have an internal client that is generating some traffic to addresses that don't exist.

New Member

%ASA-4-106023

These are the IPs that may be generating traffic.

192.168.99.20 UPS Liberti 15 kVA

192.168.102.10 Printer

192.168.111.11, 192.168.111.12 (2 PCs)

It's possible that the 2 computers are generating this traffic, but the printer and the UPS, how can they generate that traffic?

What do you recommend?

I'm going to scan those two computers with an antivirus and spyware scanner, but the other 2, the printer and the UPS?

Regards.

New Member

%ASA-4-106023

I don't know that I would worry too much about it.  Is the destination address the same for all 4 internal IPs or is it different?  What are the addresses they are trying to get to?

New Member

%ASA-4-106023

Different source IPs, like:

%ASA-4-106023: Deny icmp src DMZ:178.134.240.2 dst INTERNA:192.168.111.12 (type 11, code 0)

%ASA-4-106023: Deny icmp src DMZ:77.37.254.198 dst INTERNA:192.168.111.12 (type 11, code 0)

%ASA-4-106023: Deny icmp src DMZ:212.106.216.218 dst INTERNA:192.168.111.12 (type 11, code 0)

%ASA-4-106023: Deny icmp src DMZ:195.8.10.206 dst INTERNA:192.168.111.12 (type 11, code 0)

%ASA-4-106023: Deny icmp src DMZ:112.174.81.21 dst INTERNA:192.168.111.11 (type 11, code 0)

%ASA-4-106023: Deny icmp src DMZ:195.144.193.102 dst INTERNA:192.168.111.11 (type 11, code 0)

%ASA-4-106023: Deny icmp src DMZ:78.110.144.136 dst INTERNA:192.168.111.11 (type 0, code 0)

All of these ICMP messages are denied by access-group DMZ-IN [0x0, 0x0].

regards.

New Member

%ASA-4-106023

All of these addresses are registered to telecommunications companies in Russia, Georgia, Spain, Portugal, and S. Korea. (I had listed some more specific information but for some reason the forum software refused to accept it)

If you want to know more I would set up some ACLs and run a packet capture to see what ports the internal addresses are trying to connect to.

New Member

%ASA-4-106023

I agree. In what way could I make the packet capture? Sorry if I don't know. Thanks for all!

New Member

%ASA-4-106023

Actually, the ICMP time-exceeded and destination unreachable messages will not come from the final destination of the packet that caused them.  They will come from some intermediate router, which helps explain why all the source addresses in your messages are registered to telecoms.  So to capture this traffic, you need to focus on the source addresses.

Create an access list to identify the traffic you want to capture.  Something like

access-list cap1 permit ip host 192.168.99.2 any

access-list cap1 permit ip host 192.168.102.10 any

.... etc.

then set up a capture on your DMZ interface

capture x access-list cap1 interface DMZ

You might want to make the capture buffer circular and possibly increase the buffer size.  I don't know how much traffic you are dealing with.  You can puzzle that out on the command line with ?, or the full syntax is of course  in the command ref:

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/command/reference/c1.html#wp2129312

You can view the capture directly on the appliance with show commands... and I seem to recall that there is some way to do it with a browser too.  But I usually copy the captured traffic to somewhere I can get at it with wireshark:

capture /pcap capture:cap1 tftp://......

New Member

%ASA-4-106023

Hi jedavis

When I try to open the first link and the second, I can't open them. When I try to open the first link, the page sends this message: "Forbidden File or Application", and for the second, when I try to open it, the window doesn't show anything.

regards.

New Member

%ASA-4-106023

The first link works for me.  It points to the description of the capture command in the Cisco ASA 5500 Series Command Reference, 8.2.  You need to be logged into CCO to get to it.  Here is a link to the same info that doesn't require a login:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c1.html#wp2129312

The second link was not even supposed to be a link, it appears the forum software converted it to one.

I did just notice that my example is a little misleading, in that in the capture command I named the capture "x" and in the copy command I used the name "cap1".  The correct copy command in the example would be:

capture /pcap capture:x <destination url>
