dholbanga
Deny inbound UDP
Hello
Does anyone know what this log means?
<162>Dec 18 2008 12:40:21 asafw : %ASA-2-106006: Deny inbound UDP from 172.16.1.1/2675 to 192.168.255.1/4419 on interface inside
I checked on Cisco's Web site section for Syslog message and got this info but it doesn't give me much feedback:
106006
Error Message %ASA-2-106006: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name.
Explanation This is a connection-related message. This message is displayed if an inbound UDP packet is denied by the security policy that is defined by the specified traffic type.
Recommended Action None required.
Any help you can provide will be gratefully received!
D
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
But I do wonder if the user is doing anything to scan the network and plan any unnecessary attacks. That's all. I see a lot of these attempts each day. Same with land attacks.
Are land attacks something to worry about? I get these messages daily:
unknown 172.58.1.99 unknown 09 Feb 2009, 07:03:04 %asa-2-106017: deny ip due to land attack from 172.58.1.99 to 172.58.1.199
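A small parser for the two ASA messages quoted above, tallying denies per source so that a source hitting many distinct destination ports stands apart from one repeating a single flow. This is an added example, not part of the original thread; the first two sample lines are the ones quoted here and the remaining three are constructed.

```python
import re
from collections import defaultdict

# Matches the two ASA messages quoted in this thread, case-insensitively
# (the 106017 line on the page arrives lower-cased from the collector).
DENY_RE = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<id>106006|106017):\s+"
    r"(?:Deny inbound UDP|Deny IP due to Land Attack)\s+"
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)(?:/(?P<sport>\d+))?\s+"
    r"to (?P<dst>\d+\.\d+\.\d+\.\d+)(?:/(?P<dport>\d+))?"
    r"(?:\s+on interface (?P<ifc>\S+))?",
    re.IGNORECASE,
)

def parse_deny(line):
    """Return a dict for a 106006/106017 line, or None for anything else."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sev", "sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def summarize(lines):
    """Group denies by (message id, source IP): hit count and distinct targets."""
    stats = defaultdict(lambda: {"hits": 0, "targets": set()})
    for line in lines:
        rec = parse_deny(line)
        if rec is None:
            continue
        entry = stats[(rec["id"], rec["src"])]
        entry["hits"] += 1
        entry["targets"].add((rec["dst"], rec["dport"]))
    return dict(stats)

# Lines 1-2 are quoted from the thread; lines 3-5 are constructed samples.
SAMPLE = [
    "<162>Dec 18 2008 12:40:21 asafw : %ASA-2-106006: Deny inbound UDP from 172.16.1.1/2675 to 192.168.255.1/4419 on interface inside",
    "unknown 172.58.1.99 unknown 09 Feb 2009, 07:03:04 %asa-2-106017: deny ip due to land attack from 172.58.1.99 to 172.58.1.199",
    "<162>Dec 18 2008 12:40:22 asafw : %ASA-2-106006: Deny inbound UDP from 172.16.1.1/2676 to 192.168.255.1/4420 on interface inside",
    "<162>Dec 18 2008 12:40:23 asafw : %ASA-2-106006: Deny inbound UDP from 172.16.1.1/2675 to 192.168.255.1/4419 on interface inside",
    "<166>Dec 18 2008 12:40:24 asafw : unrelated line (constructed)",
]

if __name__ == "__main__":
    for (msg_id, src), s in sorted(summarize(SAMPLE).items()):
        print(f"{msg_id} {src}: {s['hits']} denies, {len(s['targets'])} distinct targets")
```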
ASKER
So that means there is a potential insider who is trying to do an attack? Or would it be a device? It's hard to say when you get a MAC address and cannot find it. What do you suggest I do? Do captures on the network to find the culprit/source?
ASKER
A capture would provide the MAC address though. We don't have any IP phones in our environment. What is the best way to find the source? What do you suggest?
ASKER
The firewall is at the edge of the network but it is not the gateway. We have 2 switches running HSRP before the firewall.
ASKER
Thanks. I did a "sh arp" on the firewall and the two core switches and could not find that IP address. Maybe this is a spoofed IP and that's why it's not showing up? The last connection happened at 7:23 AM this morning and I know the ARP is not clearing out 100% because I see old IP addresses in here that have not been used in over a month.
ASKER
Yes, this is what I was looking for, and it does not appear in the ARP cache in any of the three places: firewall, core switch 1 and core switch 2. Now I'm confused.
ASKER
Once I find the MAC address... Is there an easy way to locate a device on a network with thousands of network connections? Or is there a way to block the MAC address out of the network from the firewall?
ASKER
That is really good advice! But what's the command to block out a MAC address from the ASA firewall? If there is such a command.