Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Can a "NAT U-Turn" configuration on ASA be a cause of a "Land Attack" syslog message?

Can this configuration on ASA be a cause of a "%ASA-2-106017: Deny IP due to Land Attack from 17.18.19.20 to 17.18.19.20" syslog message. 

interface Ethernet0/0

 nameif outside

 security-level 0

 ip address 17.18.19.101 255.255.255.128 standby 17.18.19.102

interface Ethernet0/1

 duplex full  

 nameif inside

 security-level 100

 ip address 172.16.20.1 255.255.255.0 standby 172.16.20.2 

!             

 object network users_VPN_net

 subnet 192.168.20.0 255.255.255.0

object network users_VPN_net

nat (outside,outside) dynamic 17.18.19.20

As an additional information I can say that we see this syslog messages only during business days from Monday to Friday starting at 08:00 am and ending at 06:00pm.  

Thank you 

Everyone's tags (1)
3 REPLIES
Community Member

Have you enabled "same

Have you enabled "same-security-traffic permit intra-interface"??

Community Member

Yes Rahul  both intra and

Yes Rahul  both intra and inter traffic are enabled.

!

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

!

Connectivity wise we don't have any issues, just this log message that is constantly coming into our syslog server. 

"%ASA-2-106017: Deny IP due to Land Attack from 17.18.19.20 to 17.18.19.20"

Community Member

Can you post the output of

Can you post the output of following command-

 

packet-tracert input outside tcp 192.168.20.10 2000 1.1.1.1 80 detail

 

I guess there is some misconfiguration in NAT because land attack means if the source and destination of IP packet is same. Are vpn users trying to access IP 17.18.19.20?

335
Views
0
Helpful
3
Replies
CreatePlease to create content