Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Critical Messages - shall I ignore them?

Now that I have the ASA5505 up and running, the log buffer is filling up with critical level 2 messages, such as below:

2|Feb 23 2010|09:43:14|106001|207.46.236.175|173.8.218.60|Inbound TCP connection denied from 207.46.236.175/80 to 173.8.218.60/1719 flags PSH ACK  on interface outside
2|Feb 23 2010|09:30:34|106001|208.80.152.3|173.8.218.60|Inbound TCP connection denied from 208.80.152.3/80 to 173.8.218.60/1571 flags SYN ACK  on interface outside
2|Feb 23 2010|09:29:51|106001|65.54.95.161|173.8.218.60|Inbound TCP connection denied from 65.54.95.161/80 to 173.8.218.60/1586 flags PSH ACK  on interface outside
2|Feb 23 2010|09:29:51|106001|65.54.95.161|173.8.218.60|Inbound TCP connection denied from 65.54.95.161/80 to 173.8.218.60/1586 flags ACK  on interface outside
2|Feb 23 2010|09:29:50|106001|38.113.115.195|173.8.218.60|Inbound TCP connection denied from 38.113.115.195/80 to 173.8.218.60/1597 flags ACK  on interface outside
2|Feb 23 2010|09:29:50|106001|38.113.115.195|173.8.218.60|Inbound TCP connection denied from 38.113.115.195/80 to 173.8.218.60/1596 flags ACK  on interface outside
2|Feb 23 2010|09:29:50|106001|38.113.115.195|173.8.218.60|Inbound TCP connection denied from 38.113.115.195/80 to 173.8.218.60/1595 flags ACK  on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1579 flags PSH ACK  on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1579 flags ACK  on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1578 flags PSH ACK  on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1578 flags ACK  on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1577 flags PSH ACK  on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1577 flags ACK  on interface outside

I did find out that 196.30.168.79 is from South Africa (if we believe that the IP inside the packet is unaltered and correct)

Shall I ignore these types of messages, or are they suggesting that I need more security policies in the "outside" interface VLAN 1?

I don't know whether to wring my hands or pat the ASA5505 on the back.

Any security gurus with some suggestions?

Randall

1 REPLY

Re: Critical Messages - shall I ignore them?

Hi,

All seems to be connections inbound connections coming from port 80. This could be web servers responses to requests from the inside.

Do you see doing a ''sh loc internal_IP''  to see if the connections are valid web connections initiated from the inside the ASA?

Federico.

540
Views
0
Helpful
1
Replies
CreatePlease to create content