Cisco Support Community

New Member

PAT and land attacks

I am getting land attacks from an IDS listening to the outside interface of the PIX. Now, this may be a no-brainer, but the packets triggering the land attacks match the MAC address of that outside interface. I have no alarms on the PIX however.

Now, I am almost certain that these alarms are caused by a session between two hosts using the same PAT (Global) address and different ports. How are connections handled between two patted hosts on the PIX firewall?


Cisco Employee

Re: PAT and land attacks

A connection between two internal hosts shouldn't even be going through the PIX, so I don't think that's what's going on here. Land attacks use the same source/dest IP address AND port anyway, and the PIX will always use a unique source port for any PAT'd connection, otherwise it wouldn't be able to differentiate between the different sessions.

You're not PAT'ing everything using an IP address that is in use on your outside network, are you? Then, if an internal host tried to connect to that host, and got PAT'd thru the PIX on its way out, that's the only way I could see that the source and dest IP address end up being the same.

Can you capture a packet with a Sniffer and see what's going on? Check the dest MAC address and see where it's headed.
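
The distinction drawn in the reply above (a land attack needs the same source/destination IP address and the same port, while PAT always assigns a unique source port), as an added example that is not part of the original thread: a Python check for triaging captured packets that separates a true land packet from one where only the addresses match. The address 192.0.2.10 stands in for the PAT global address, and every packet here is constructed sample data.

```python
import socket
import struct

PAT_GLOBAL = "192.0.2.10"  # assumption: placeholder for the PAT (global) address


def build_ipv4_tcp(src, dst, sport, dport):
    """Build a minimal IPv4+TCP SYN header pair (constructed data, checksums zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip + tcp


def classify(packet):
    """Return 'land', 'same-ip-different-port', 'normal' or 'unparsed'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "unparsed"
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = packet[9]
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    # Only TCP (6) and UDP (17) carry ports; later fragments have no L4 header.
    if ihl < 20 or proto not in (6, 17) or frag_offset or len(packet) < ihl + 4:
        return "unparsed"
    src, dst = packet[12:16], packet[16:20]
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if src != dst:
        return "normal"
    # Same address on both ends: only matching ports make it a land packet.
    return "land" if sport == dport else "same-ip-different-port"


def triage_samples():
    """Classify three constructed packets as seen on the outside interface."""
    samples = [
        build_ipv4_tcp(PAT_GLOBAL, PAT_GLOBAL, 1025, 80),    # addresses match, ports differ
        build_ipv4_tcp(PAT_GLOBAL, PAT_GLOBAL, 139, 139),    # addresses and ports match
        build_ipv4_tcp("198.51.100.7", PAT_GLOBAL, 40000, 443),
    ]
    return [classify(p) for p in samples]


if __name__ == "__main__":
    for verdict in triage_samples():
        print(verdict)
```

A capture whose alerts all fall into `same-ip-different-port` points at an address overlap of the kind the reply asks about rather than at land packets.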

New Member

Re: PAT and land attacks

Yes, the PATTED address is the global address.
