Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Possible VPN-related Attack on ASA?

I have an ASA 5505 firewall that is doing one site to site VPN.

I saw some weird stuff in the logs regarding an IP address not associated with the VPN on either side:

4 Sep 27 2009 19:19:45 713903 IP = 71.201.76.x, Header invalid, missing SA payload! (next payload = 133)

3 Sep 27 2009 19:19:45 713048 IP = 71.201.76.x, Error processing payload: Payload ID: 1

3 Sep 27 2009 19:19:45 713902 IP = 71.201.76.x, Removing peer from peer table failed, no match!

4 Sep 27 2009 19:19:45 713903 IP = 71.201.76.x, Error: Unable to remove PeerTblEntry

Is this some type of attack? If so, could this be stopped with an ACL regarding the specific host allowed to hit port 500 UDP (isakmp ) on the outside interface?

for example

access-list 103 permit udp host TheOnlyVPNPeerAllowed interface outside eq 500 log ?

Please advise.

Thanks for any help!

3 REPLIES

Re: Possible VPN-related Attack on ASA?

Not sure if it is a attack. If you see a lots of those message, it could be.

If you would like to use ACL to lock down your VPN session, you need:

1. no sysopt connection permit-vpn

2. Add the related ACL entry to permit IKE, ESP and the traffic between site-2-site.

Please refer to command reference

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1198155

New Member

Re: Possible VPN-related Attack on ASA?

hi kwu2

i suspected it was an attack because i know nothing about the ip address in the logs

i added the no sysopt conn permit-vpn command, and this to the bottom of my ACL:

access-list 101 line 8 extended permit udp host ThePublicIPofPEER interface outside eq isakmp log informational interval 300 (hitcnt=0)

access-list 101 line 9 extended permit esp host ThePublicIPofPEER interface outside log informational interval 300 (hitcnt=0)

access-list 101 line 10 extended permit udp host ThePublicIPofPEER interface outside eq 4500 log informational interval 300 (hitcnt=0)

however now i can't communicate to the remote LAN. what do i need to change?

also, i noticed that the ACL did not get any hitcnts when bringing up the tunnel

Please advise..

thanks!!!

Re: Possible VPN-related Attack on ASA?

Try this

1. enable "debug crypto isa"

2. try to initiate a traffic through VPN

3. Check the syslog and debug output.

4. If you see the packets from VPN peer are dropped by ACL 101 which is applied on outside interface, Change "interface outside" in your ACL to its IP address and try it again.

151
Views
0
Helpful
3
Replies
CreatePlease to create content