Cisco Support Community
Community Member

Can a "NAT U-Turn" configuration on ASA be a cause of a "Land Attack" syslog message?

Can this configuration on ASA be a cause of a "%ASA-2-106017: Deny IP due to Land Attack from to" syslog message?

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address standby

interface Ethernet0/1
 duplex full
 nameif inside
 security-level 100
 ip address standby

object network users_VPN_net

object network users_VPN_net
 nat (outside,outside) dynamic

As additional information, I can say that we see these syslog messages only on business days, from Monday to Friday, starting at 08:00 am and ending at 06:00 pm.

Thank you 

Community Member

Have you enabled "same-security-traffic permit intra-interface"?

Community Member

Yes Rahul, both intra and inter traffic are enabled.


same-security-traffic permit inter-interface

same-security-traffic permit intra-interface


Connectivity-wise we don't have any issues, just this log message that is constantly coming into our syslog server.

"%ASA-2-106017: Deny IP due to Land Attack from to"

Community Member

Can you post the output of the following command:


packet-tracer input outside tcp 2000 80 detail


I guess there is some misconfiguration in NAT, because a land attack means that the source and destination of the IP packet are the same. Are VPN users trying to access IP
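An added example, not part of the thread: a small triage script that groups %ASA-2-106017 hits by address and checks them against the Monday to Friday, 08:00 to 18:00 window reported above. The log lines, host name, addresses and the year passed in are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: RFC 3164-style prefix plus the ASA message text.
# Host name and addresses (documentation ranges) are made up, not from the thread.
SAMPLE_LOG = """\
Mar  3 08:12:40 fw1 unrelated line that must be skipped
Mar  3 08:12:41 fw1 %ASA-2-106017: Deny IP due to Land Attack from 198.51.100.10 to 198.51.100.10
Mar  3 17:55:02 fw1 %ASA-2-106017: Deny IP due to Land Attack from 198.51.100.10 to 198.51.100.10
Mar  4 10:30:00 fw1 %ASA-2-106017: Deny IP due to Land Attack from 198.51.100.10 to 198.51.100.10
Mar  8 02:14:33 fw1 %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.77 to 203.0.113.77
"""

LAND_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-2-106017: Deny IP due to Land Attack from (?P<src>\S+) to (?P<dst>\S+)\s*$"
)

def in_business_window(ts):
    """Monday-Friday, 08:00 up to 18:00 (the window reported in the thread)."""
    return ts.weekday() < 5 and 8 <= ts.hour < 18

def summarize(log_text, year):
    """Count 106017 hits per address, split by business window vs. off-hours.

    RFC 3164 timestamps carry no year, so the caller supplies one (assumption).
    """
    counts = defaultdict(lambda: {"business": 0, "off_hours": 0})
    for line in log_text.splitlines():
        m = LAND_RE.match(line)
        if not m:
            continue  # not a Land Attack message
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        bucket = "business" if in_business_window(ts) else "off_hours"
        counts[m["src"]][bucket] += 1
    return dict(counts)

if __name__ == "__main__":
    for addr, c in summarize(SAMPLE_LOG, 2025).items():
        print(f"{addr}: business={c['business']} off_hours={c['off_hours']}")
```

An address whose hits all fall inside the window matches the pattern described in the thread; hits outside it do not and can be reviewed separately.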
