06-24-2010 06:11 AM - edited 03-11-2019 11:03 AM
In my Syslog I keep seeing this critical message "Deny IP due to Land Attack from X.X.X.X to X.X.X.X." Should I be concerned? Other than filtering it in Syslog, are there any other measures I can take to get rid of that? Thanks
06-24-2010 06:25 AM
Thomas,
So those messages do not directly indicate a problem, but may still be worth investigating. Is the IP address referenced in the syslog message one of your global addresses in a 'global' or 'static' config line? If so, it very well may be that a host on the inside is trying to communicate to its own external address:
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 1.2.3.4
If a host on the inside tries to connect to 1.2.3.4, the packet as it leaves the firewall would look like it is coming from/going to 1.2.3.4 (which would be a land attack).
One way you can track this would be to setup a capture on the inside interface for this traffic:
8.0.4 code and later:
cap inside interface inside match ip any host 1.2.3.4
Earlier code:
access-list cap-list permit ip any host 1.2.3.4
cap inside interface inside access-list cap-list
When you see the error pop up, look at the captures:
show capture inside
I hope this helps. If this resolves your issue, please mark this question as resolved.
-Magnus
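The check Magnus describes (is the address in the land-attack message one of our own NAT global/static addresses, in which case an inside host is most likely hitting its own external address?) can be automated against the syslog feed. The script below is an added example and is not code from the thread: it parses constructed sample ASA syslog lines, compares the address against an assumed set of global/static addresses taken from the nat/global lines in the answer (the 1.2.3.5 static is hypothetical), and prints the capture command to run on the inside interface for each suspected NAT hairpin.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original thread); the message
# text is the one quoted in the question, wrapped in the usual ASA syslog prefix.
SAMPLE_SYSLOG = """\
Jun 24 06:05:01 fw1 %ASA-2-106017: Deny IP due to Land Attack from 1.2.3.4 to 1.2.3.4
Jun 24 06:05:03 fw1 %ASA-2-106017: Deny IP due to Land Attack from 1.2.3.4 to 1.2.3.4
Jun 24 06:07:10 fw1 %ASA-2-106017: Deny IP due to Land Attack from 198.51.100.9 to 198.51.100.9
Jun 24 06:08:00 fw1 %ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.1.1.20/51000 (1.2.3.4/51000)
"""

# Assumed NAT inventory: 1.2.3.4 is the 'global (outside) 1 1.2.3.4' address from
# the answer; 1.2.3.5 is a hypothetical 'static' added for illustration.
NAT_GLOBAL_ADDRESSES = {"1.2.3.4", "1.2.3.5"}

LAND_RE = re.compile(
    r"Deny IP due to Land Attack from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_land_events(text):
    """Yield (src, dst) for every land-attack deny line in the syslog text."""
    for line in text.splitlines():
        m = LAND_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst")


def classify(src, dst, global_addrs=NAT_GLOBAL_ADDRESSES):
    """Classify one land-attack event.

    'nat-hairpin'   : src == dst and the address is one of our own global/static
                      addresses, i.e. an inside host reaching its own external
                      address through the firewall (benign, but worth cleaning up).
    'external-spoof': src == dst but the address is not ours; somebody sent a
                      crafted packet with matching source/destination.
    'not-land'      : src != dst; should not appear in this message, flag it.
    """
    if src != dst:
        return "not-land"
    return "nat-hairpin" if src in global_addrs else "external-spoof"


def capture_command(ip, legacy=False):
    """Return the capture commands from the answer for one address.

    legacy=False : 8.0.4 and later, 'match' syntax.
    legacy=True  : earlier code, which needs an access-list first.
    """
    if legacy:
        return (f"access-list cap-list permit ip any host {ip}\n"
                f"capture inside interface inside access-list cap-list")
    return f"capture inside interface inside match ip any host {ip}"


def summarize(text, global_addrs=NAT_GLOBAL_ADDRESSES):
    """Count events per verdict and record the first verdict seen per address."""
    counts = Counter()
    per_ip = {}
    for src, dst in parse_land_events(text):
        verdict = classify(src, dst, global_addrs)
        counts[verdict] += 1
        per_ip.setdefault(src, verdict)
    return counts, per_ip


if __name__ == "__main__":
    counts, per_ip = summarize(SAMPLE_SYSLOG)
    for verdict, n in counts.items():
        print(f"{verdict}: {n}")
    for ip, verdict in per_ip.items():
        if verdict == "nat-hairpin":
            print(f"# {ip} is one of our global addresses; capture inside traffic to it:")
            print(capture_command(ip))
            print("show capture inside")
        else:
            print(f"# {ip} is not a NAT address we own: {verdict}, investigate the source")
```

Run it against a real syslog export instead of SAMPLE_SYSLOG and feed NAT_GLOBAL_ADDRESSES from your actual global/static lines; the addresses that come back as nat-hairpin are the ones to capture on the inside interface, since the capture will show the real inside host that is talking to its own external address.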
06-24-2010 06:31 AM
I just checked the Syslog again and both source and destination IP addresses are public IPs.
06-24-2010 06:34 AM
Thomas,
Are the public IPs ones that you have host translating to?
-M
06-25-2010 05:38 AM
Yes they are.