Cisco Support Community

New Member

Deny IP due to Land Attack

Hi all!

I don't know if this is a basic issue / basic knowledge, but I'm kind of confused about it.

I have an ASA 5520 configured with an inside, an outside and a dmz interface. I have several public IPs in use for webservers and such.

The case is: when I want to go from webserver1 to webserver2 on http, I just get an error. The servers have unique public IPs. This goes for both the URL and the IP.

It is possible to reach the public IPs / URLs of both servers on http from the outside. These are operating webservers hosting sites.

By the way, the ACL allows all this kind of traffic. I get no blocking in the firewall monitor.

When I try to reach the URL hosted on webserver1 from itself, this message appears in the firewall monitor:

Deny IP due to Land Attack from 213.x.x.10 to 213.x.x.10

Any ideas why I can't reach the servers themselves on the public IP / URL, and why the servers can't reach each other?

12 REPLIES

Re: Deny IP due to Land Attack

You need to configure DNS doctoring; this will translate the external IP address to the internal IP address in DNS resolution. I presume when you try to browse from webserver1 to webserver2 you are using a URL?

DNS Doctoring is disabled by default.

New Member

Re: Deny IP due to Land Attack

Yes, I'm using the URL to browse. The URL will not be resolved to an IP when I'm pinging from webserver1 to 2:

"Ping request could not find host website.com. Please check the name and try again."

When I telnet to webserver1 from 2 at the public IP and tcp/80 it just times out. It seems we have 2 problems here: the missing DNS response, and the webservers can't reach themselves or the other webserver.

It is important to remember that from a client in another dmz (public IP: 213.x.x.30) I have no problems reaching the webserver on 213.x.x.10.

Could it be that the webservers are on the same dmz?

Re: Deny IP due to Land Attack

Yes, I'm using the URL to browse. The URL will not be resolved to an IP when I'm pinging from webserver1 to 2:

"Ping request could not find host website.com. Please check the name and try again." - which DNS server are you using?

When I telnet to webserver1 from 2 at the public IP and tcp/80 it just times out. It seems we have 2 problems here: the missing DNS response, and the webservers can't reach themselves or the other webserver. - can you telnet to server 2 from server 1 using just the DMZ IP address?

It is important to remember that from a client in another dmz (public IP: 213.x.x.30) I have no problems reaching the webserver on 213.x.x.10.

Could it be that the webservers are on the same dmz? - It would suggest that is the case.

New Member

Re: Deny IP due to Land Attack

Yes, I'm using the URL to browse. The URL will not be resolved to an IP when I'm pinging from webserver1 to 2:

"Ping request could not find host website.com. Please check the name and try again."

which DNS server are you using?

I'm using an internal server; it's on another DMZ, but it works fine, e.g. when querying google.com.

When I telnet to webserver1 from 2 at the public IP and tcp/80 it just times out. It seems we have 2 problems here: the missing DNS response, and the webservers can't reach themselves or the other webserver. - can you telnet to server 2 from server 1 using just the DMZ IP address?

Yes.

It is important to remember that from a client in another dmz (public IP: 213.x.x.30) I have no problems reaching the webserver on 213.x.x.10.

Could it be that the webservers are on the same dmz? - It would suggest that is the case.

Bravo, I thought so too. But why would it matter? It's this problem I need a solution for.

Re: Deny IP due to Land Attack

Check that your DNS server has an A Record for the servers you are working on.

If you can telnet using IP addresses, then your issue is DNS.

Check your static NAT or dynamic NAT configuration; ensure that you have the "dns" keyword at the end of the config line for the webservers.

HTH

New Member

Re: Deny IP due to Land Attack

If you can telnet using IP addresses, then your issue is DNS

I can't telnet on the public IP, only on the local one.

That leads me to say that DNS doctoring is not necessary at this level, because we're troubleshooting at the IP layer and not DNS.

See the link for a screenshot of a packet trace I did. I've used the 2 webservers' public IPs in this scenario:

http://www.postimage.org/image.php?v=aVGfKQJ

When I use the local IP as source and the public IP as destination, it works fine in the trace, but when I look deeper in the NAT segment, I see that it is the same public IP it goes out and comes in with. So suddenly the destination is not webserver2 but webserver1 itself.

http://www.postimage.org/image.php?v=Pql9L0
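The two mechanisms the thread has been circling, DNS doctoring and the Land Attack drop, are easier to reason about side by side. The following is an added example, written for this thread and not taken from Cisco or from any poster: a small Python model of a DMZ host resolving a name and connecting to the answer. All addresses (the 192.168.10.x private and 203.0.113.x public pairs), the NAT table, the DNS answers and the syslog lines are constructed for the illustration, and the simplified "source NAT applies, then source equals destination" path only reproduces what the packet trace in the post above reported; it is not a description of ASA internals. The pre-8.3 config line it models is the one the earlier reply refers to, of the form `static (dmz,outside) <public> <private> netmask 255.255.255.255 dns` (assumed syntax, check against your release).

```python
import re

# Constructed static NAT table for the two DMZ webservers: private -> public.
STATIC_NAT = {
    "192.168.10.10": "203.0.113.10",   # webserver1 (hypothetical addresses)
    "192.168.10.20": "203.0.113.20",   # webserver2 (hypothetical addresses)
}
PUBLIC_TO_PRIVATE = {pub: priv for priv, pub in STATIC_NAT.items()}

# Constructed DNS zone as the internal DNS server in the thread would hold it:
# names map to the public addresses only.
DNS_ZONE = {
    "www1.example.test": "203.0.113.10",
    "www2.example.test": "203.0.113.20",
}


def doctor_dns_answer(answer_ip: str, doctoring_enabled: bool) -> str:
    """Model of the `dns` keyword on a static NAT: when a DNS reply with an
    A record for a statically translated public address crosses the ASA
    toward the DMZ host, the record is rewritten to the private address.
    Without the keyword the reply passes through unchanged."""
    if doctoring_enabled and answer_ip in PUBLIC_TO_PRIVATE:
        return PUBLIC_TO_PRIVATE[answer_ip]
    return answer_ip


def is_land_attack(src: str, dst: str) -> bool:
    """The condition the 'Deny IP due to Land Attack' message reports:
    source and destination address of one packet are identical."""
    return src == dst


def connect_from_dmz(client_private: str, name: str, doctoring_enabled: bool) -> str:
    """Return a one-line description of what happens when a DMZ host resolves
    `name` and connects to the answer (simplified model, see lead-in)."""
    dst = doctor_dns_answer(DNS_ZONE[name], doctoring_enabled)
    if dst in STATIC_NAT:
        # Private DMZ address: same segment, delivered without translation.
        return f"direct to {dst}"
    # Public address: the packet is routed toward the outside and the static
    # NAT rewrites the source to the client's public address, as the trace in
    # the thread showed.
    src = STATIC_NAT.get(client_private, client_private)
    if is_land_attack(src, dst):
        return f"Deny IP due to Land Attack from {src} to {dst}"
    return f"routed toward outside as {src} -> {dst}"


# Constructed syslog lines in the shape of ASA message 106017 (assumed format).
SAMPLE_LOGS = [
    "%ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10",
    "%ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.7/4411 "
    "(198.51.100.7/4411) to dmz:192.168.10.10/80 (203.0.113.10/80)",
]
_LAND_RE = re.compile(r"Deny IP due to Land Attack from (\S+) to (\S+)")


def parse_land_attack(line: str):
    """Extract (src, dst) from a Land Attack log line, or None if it is
    some other message. Useful for a quick check of which DMZ host is
    talking to its own public address."""
    m = _LAND_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    for doctoring in (False, True):
        print(f"DNS doctoring {'on ' if doctoring else 'off'}:",
              connect_from_dmz("192.168.10.10", "www1.example.test", doctoring), "|",
              connect_from_dmz("192.168.10.10", "www2.example.test", doctoring))
    for line in SAMPLE_LOGS:
        print(parse_land_attack(line))
```

With doctoring off, webserver1 resolving its own name ends in the same message the original post quotes, and resolving webserver2's name sends the flow out toward the outside interface, which matches the timeout reported earlier rather than a DMZ-to-DMZ delivery. With doctoring on, both names resolve to DMZ private addresses and the connection never touches NAT at all, which is the effect the `dns` keyword advice is aiming for.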

Re: Deny IP due to Land Attack

I am confused - what issue do you want to fix?

New Member

Re: Deny IP due to Land Attack

I want to fix the problem the heading of this post describes. Back to basics:

I can't telnet on the public IP, only on the local one, from server1 to 2.

Both servers are, as told, NATed to a unique public IP.

Why can't I reach the server itself on the public IP?

Cisco Employee

Re: Deny IP due to Land Attack

It is not a good idea to try to access the webservers using their public address from the DMZ segment or from the INSIDE segment. We can do some hack and make this work, but this is not recommended. Please use only the private address when accessing the DMZ server from within the DMZ segment or from the INSIDE segment. Public addresses are only to be used from the OUTSIDE world.

-KS

New Member

Re: Deny IP due to Land Attack

Could you give a description of why it is not common to access the webserver on its public IP from inside and from its own DMZ?

It's because server1 needs to access a lot of websites to manage a login system. The system works by URL, and all the URLs are defined in the login system. Server1 has as its primary DNS server an internal server which has all the URLs defined with their public addresses.

Re: Deny IP due to Land Attack

Being able to telnet to the servers is not important.

Read the link below:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Re: Deny IP due to Land Attack
