896 Views, 0 Helpful, 3 Replies

Can a "NAT U-Turn" configuration on ASA be a cause of a "Land Attack" syslog message?

armartirosyan
Level 1

Can this configuration on the ASA be the cause of a "%ASA-2-106017: Deny IP due to Land Attack from 17.18.19.20 to 17.18.19.20" syslog message?

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 17.18.19.101 255.255.255.128 standby 17.18.19.102
interface Ethernet0/1
 duplex full
 nameif inside
 security-level 100
 ip address 172.16.20.1 255.255.255.0 standby 172.16.20.2
!
object network users_VPN_net
 subnet 192.168.20.0 255.255.255.0
object network users_VPN_net
 nat (outside,outside) dynamic 17.18.19.20

As additional information, I can say that we see these syslog messages only on business days, Monday to Friday, starting at 08:00 am and ending at 06:00 pm.

Thank you 

3 Replies

Have you enabled "same-security-traffic permit intra-interface"?

Yes Rahul, both intra-interface and inter-interface traffic are enabled.

!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!

Connectivity-wise we don't have any issues, just this log message that is constantly coming into our syslog server.

"%ASA-2-106017: Deny IP due to Land Attack from 17.18.19.20 to 17.18.19.20"

Can you post the output of the following command:

packet-tracer input outside tcp 192.168.20.10 2000 1.1.1.1 80 detailed


I guess there is some misconfiguration in NAT, because a land attack means the source and destination IP of a packet are the same. Are VPN users trying to access IP 17.18.19.20?
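The last reply's hypothesis (the 106017 messages are a side effect of the hairpin PAT address, triggered when VPN users hit 17.18.19.20 itself) can be checked against the syslog archive before touching the box. The script below is an added example for this thread, not code from the original post or from Cisco: it pulls the mapped address out of every "nat (...) dynamic X" line in the posted configuration, parses %ASA-2-106017 lines, separates hits whose source and destination are both one of our own PAT addresses (a candidate NAT hairpin artifact) from hits involving any other address (which deserve a real look), and profiles the hairpin hits against the Monday-to-Friday 08:00-18:00 window the poster described. The syslog timestamp format, the hostname "asa1", and all log lines are constructed assumptions; a 302013 line is included to show that unrelated messages are ignored.

```python
"""Correlate ASA 106017 'Land Attack' syslog lines with the dynamic PAT
address in an ASA NAT configuration.

Added example for this thread (not code from the original post or from
Cisco). The config excerpt mirrors the one posted; the syslog lines,
timestamps and the hostname 'asa1' are constructed for illustration.
"""
import re
from datetime import datetime

# Constructed excerpt of the configuration posted in the thread.
SAMPLE_CONFIG = """\
object network users_VPN_net
 subnet 192.168.20.0 255.255.255.0
object network users_VPN_net
 nat (outside,outside) dynamic 17.18.19.20
"""

# Constructed syslog lines (timestamps assumed; 15 Jan 2024 is a Monday,
# 20 Jan 2024 a Saturday). 203.0.113.9 is a documentation address.
SAMPLE_LOGS = [
    "Jan 15 2024 09:12:41 asa1 %ASA-2-106017: Deny IP due to Land Attack from 17.18.19.20 to 17.18.19.20",
    "Jan 15 2024 13:40:02 asa1 %ASA-2-106017: Deny IP due to Land Attack from 17.18.19.20 to 17.18.19.20",
    "Jan 16 2024 19:55:19 asa1 %ASA-2-106017: Deny IP due to Land Attack from 17.18.19.20 to 17.18.19.20",
    "Jan 20 2024 03:02:07 asa1 %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.9 to 203.0.113.9",
    "Jan 15 2024 09:13:00 asa1 %ASA-6-302013: Built inbound TCP connection 1234 for outside:192.168.20.10/2000 (17.18.19.20/2000) to outside:1.1.1.1/80 (1.1.1.1/80)",
]

# 'nat (real_ifc,mapped_ifc) dynamic <mapped_ip>' as it appears under an object.
NAT_RE = re.compile(r"^\s*nat \((\S+),(\S+)\) dynamic (\d+\.\d+\.\d+\.\d+)", re.M)

# Syslog line carrying the 106017 message; timestamp layout is an assumption.
LAND_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-2-106017: "
    r"Deny IP due to Land Attack from (?P<src>\S+) to (?P<dst>\S+)$"
)


def pat_addresses(config):
    """Return {mapped_ip: (real_ifc, mapped_ifc)} for every dynamic NAT line."""
    return {m.group(3): (m.group(1), m.group(2)) for m in NAT_RE.finditer(config)}


def parse_land_attacks(lines):
    """Extract timestamp, source and destination from 106017 lines; skip the rest."""
    events = []
    for line in lines:
        m = LAND_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        events.append({"ts": ts, "src": m.group("src"), "dst": m.group("dst")})
    return events


def classify(events, pat_map):
    """Split events into hairpin candidates (src == dst == one of our PAT
    addresses) and everything else, which is not explained by the NAT rule."""
    hairpin, other = [], []
    for ev in events:
        if ev["src"] == ev["dst"] and ev["src"] in pat_map:
            hairpin.append(ev)
        else:
            other.append(ev)
    return hairpin, other


def business_hours_profile(events, start=8, end=18):
    """Count events on Mon-Fri with start <= hour < end versus all others."""
    inside = sum(1 for ev in events
                 if ev["ts"].weekday() < 5 and start <= ev["ts"].hour < end)
    return inside, len(events) - inside


def analyze(config=SAMPLE_CONFIG, lines=SAMPLE_LOGS):
    """Run the full correlation and return a summary dict."""
    pat_map = pat_addresses(config)
    hairpin, other = classify(parse_land_attacks(lines), pat_map)
    inside, outside = business_hours_profile(hairpin)
    return {
        "pat_addresses": pat_map,
        "hairpin": len(hairpin),
        "other": len(other),
        "hairpin_in_business_hours": inside,
        "hairpin_outside_business_hours": outside,
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

A run that reports only hairpin hits, clustered in the business-hours window, is consistent with the hypothesis but does not prove it; the packet-tracer command suggested above, run on the ASA, shows the actual NAT phase and is the confirming step. Any hit in the "other" bucket is a genuine land-attack pattern or a different misconfiguration and should not be filtered out with the rest.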