03-28-2011 04:07 AM - edited 03-11-2019 01:13 PM
Dear Team,
We are continuously getting logs created as below in the ASA 5510. I suspect something is going wrong (like the system is getting compromised?).
Note: I have changed the actual public IP to 1.1.1.1 for security reasons.
Log:
Mar 18 21:46:19 124.153.100.44 Mar 18 2011 21:46:22: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1
Mar 18 21:46:19 124.153.100.44 Mar 18 2011 21:46:23: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1
Mar 18 21:46:20 124.153.100.44 Mar 18 2011 21:46:23: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1
Mar 18 21:46:21 124.153.100.44 Mar 18 2011 21:46:24: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1
ASA 5510 config:
#static (inside,outside) 1.1.1.1 192.168.1.20 netmask 255.255.255.255
#access-list 101 extended permit tcp any host 1.1.1.1 eq www
#access-list 101 extended permit tcp any host 1.1.1.1 eq https
#access-list 101 extended permit tcp any host 1.1.1.1 eq 3306
#access-list 101 extended permit tcp any host 1.1.1.1 range ftp-data ftp
#access-group 101 in interface outside
Please suggest.
Regards,
Narendra
03-28-2011 05:56 AM
Usually this log gets generated when traffic goes from inside and the destination is the translated IP of that same source IP. In this case the inside IP that you have on the static NAT could be trying to send traffic to the destination IP 1.1.1.1.
It is hard to prove it, but you could try setting up captures or checking whether that inside host is really trying to send traffic to 1.1.1.1.
I hope this helps.
Sent from Cisco Technical Support iPhone App
03-28-2011 10:37 PM
Hi Paul Gilbert Arias,
Thanks for your update. Yes, I tried capturing this Deny IP Land Attack and found the output below.
CINBLR01-FLTR-FIREWALL-00001# sh capture test | in 1.1.1.1
7: 10:54:19.279419 192.168.1.20.58431 > 1.1.1.1: S 4245224488:4245224488(0) win 5840
9: 10:54:19.434395 192.168.1.20.58421 > 1.1.1.1: S 4219706084:4219706084(0) win 5840
12: 10:54:19.743354 192.168.1.20.58415 > 1.1.1.1: S 4195822356:4195822356(0) win 5840
19: 10:54:20.091380 192.168.1.20.58398 > 1.1.1.1: S 4152154284:4152154284(0) win 5840
29: 10:54:20.675334 192.168.1.20.58433 > 1.1.1.1: S 4255148120:4255148120(0) win 5840
30: 10:54:20.696329 192.168.1.20.58430 > 1.1.1.1: S 4232107974:4232107974(0) win 5840
41: 10:54:21.570206 192.168.1.20.58432 > 1.1.1.1: S 4243239398:4243239398(0) win 5840
67: 10:54:22.115213 192.168.1.20.58399 > 1.1.1.1: S 4154738690:4154738690(0) win 5840
68: 10:54:22.118234 192.168.1.20.58434 > 1.1.1.1: S 4245150624:4245150624(0) win 5840
69: 10:54:22.130196 192.168.1.20.58422 > 1.1.1.1: S 4230741684:4230741684(0) win 5840
70: 10:54:22.322218 192.168.1.20.58423 > 1.1.1.1: S 4222242146:4222242146(0) win 5840
81: 10:54:22.859132 192.168.1.20.58424 > 1.1.1.1: S 4222473306:4222473306(0) win 5840
100: 10:54:23.564179 192.168.1.20.58435 > 1.1.1.1: S 4255863279:4255863279(0) win 5840
102: 10:54:23.675059 192.168.1.20.58433 > 1.1.1.1: S 4255148120:4255148120(0) win 5840
106: 10:54:23.815036 192.168.1.20.58416 > 1.1.1.1: S 4212967913:4212967913(0) win 5840
126: 10:54:25.117974 192.168.1.20.58434 > 1.1.1.1: S 4245150624:4245150624(0) win 5840
127: 10:54:25.145973 192.168.1.20.58428 > 1.1.1.1: S 4223944579:4223944579(0) win 5840
128: 10:54:25.278977 192.168.1.20.58431 > 1.1.1.1: S 4245224488:4245224488(0) win 5840
143: 10:54:26.563828 192.168.1.20.58435 > 1.1.1.1: S 4255863279:4255863279(0) win 5840
144: 10:54:26.864853 192.168.1.20.58436 > 1.1.1.1: S 4252276886:4252276886(0) win 5840
145: 10:54:26.998819 192.168.1.20.58417 > 1.1.1.1: S 4217570846:4217570846(0) win 5840
154: 10:54:27.569748 192.168.1.20.58432 > 1.1.1.1: S 4243239398:4243239398(0) win 5840
174: 10:54:28.849687 192.168.1.20.58429 > 1.1.1.1: S 4233349534:4233349534(0) win 5840
181: 10:54:29.674601 192.168.1.20.58433 > 1.1.1.1: S 4255148120:4255148120(0) win 5840
My only worry is whether this system is getting compromised or has already been compromised, either on the inside or the outside.
Regards,
Narendra
03-29-2011 07:49 AM
You applied the captures on the inside, correct?
On those captures you can see that the source is 192.168.1.20 and the destination is 1.1.1.1. That shows what I was telling you. The inside host 192.168.1.20 is trying to send traffic to its outside IP, and the ASA doesn't allow that. The captures show SYN packets.
Check the inside host to find why it is trying to initiate traffic to its outside IP.
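As an added triage example (not code from the thread or from Cisco), the script below applies the explanation given above: it parses %ASA-2-106017 syslog lines, reads the static NAT mapping from the config, and checks the capture for SYNs from the mapped inside host to its own global IP, which is the benign hairpin case rather than spoofed traffic arriving from outside. The sample syslog, config and capture lines are constructed to mirror the thread's redacted output.

```python
import re
from collections import Counter

# Constructed sample input mirroring the thread's redacted output (not live data).
SYSLOG = [
    "Mar 18 21:46:19 124.153.100.44 Mar 18 2011 21:46:22: %ASA-2-106017: "
    "Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1",
    "Mar 18 21:46:20 124.153.100.44 Mar 18 2011 21:46:23: %ASA-6-302013: "
    "Built inbound TCP connection 100 for outside:9.9.9.9/4000 (9.9.9.9/4000)",
]
CONFIG = ["static (inside,outside) 1.1.1.1 192.168.1.20 netmask 255.255.255.255"]
CAPTURE = [
    "7: 10:54:19.279419 192.168.1.20.58431 > 1.1.1.1: S 4245224488:4245224488(0) win 5840",
    "9: 10:54:19.434395 192.168.1.20.58421 > 1.1.1.1: S 4219706084:4219706084(0) win 5840",
    "11: 10:54:19.500000 192.168.1.30.40000 > 8.8.8.8.53: S 1:1(0) win 5840",
]

LAND_RE = re.compile(r"%ASA-\d-106017: Deny IP due to Land Attack from (\S+) to (\S+)")
NAT_RE = re.compile(r"^#?static \((\w+),(\w+)\) (\S+) (\S+)")
CAP_RE = re.compile(r"^\d+: \S+ (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})(?:\.\d+)?: (\S)")

def land_attack_events(lines):
    """Return (src, dst) pairs for every 106017 message; src == dst by definition."""
    return [m.groups() for m in map(LAND_RE.search, lines) if m]

def static_nat_map(config):
    """Map each global (translated) address to its real inside host from static NAT lines."""
    return {m.group(3): m.group(4) for m in map(NAT_RE.match, config) if m}

def syn_senders(capture):
    """Count SYNs per (src_ip, dst_ip) pair seen in 'show capture' output."""
    counts = Counter()
    for m in map(CAP_RE.match, capture):
        if m and m.group(4) == "S":
            counts[(m.group(1), m.group(3))] += 1
    return counts

def triage(syslog, config, capture):
    """For each Land Attack log, name the inside host whose static NAT owns the address
    and report whether the capture shows that host sending SYNs to its own global IP."""
    nat, syns, findings = static_nat_map(config), syn_senders(capture), []
    for src, dst in land_attack_events(syslog):
        inside = nat.get(dst)
        count = syns.get((inside, dst), 0) if inside else 0
        findings.append({"global_ip": dst, "inside_host": inside,
                         "syn_count": count, "explained_by_hairpin": count > 0})
    return findings
```

If `explained_by_hairpin` is False for an event (no static NAT for the address, or no matching inside SYNs in the capture), the log is not accounted for by the hairpin case and deserves a closer look at the outside interface.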