dholbanga

Deny inbound UDP

Hello

Does anyone know what this log means?

<162>Dec 18 2008 12:40:21 asafw : %ASA-2-106006: Deny inbound UDP from 172.16.1.1/2675 to 192.168.255.1/4419 on interface inside

I checked on Cisco's Web site section for Syslog message and got this info but it doesn't give me much feedback:

106006

Error Message    %ASA-2-106006: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name.

Explanation    This is a connection-related message. This message is displayed if an inbound UDP packet is denied by the security policy that is defined by the specified traffic type.

Recommended Action    None required.

Any help you can provide would be greatly appreciated!

D
SOLUTION
JFrederick29
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
dholbanga

ASKER

The subnet 192.168.255.0 does not exist on our network.  So does that mean that the host 172.16.1.1 is running a scanner on our network looking to place an attack of some sort?
SOLUTION
But I do wonder if the user is doing anything to scan the network and plan any unnecessary attacks.  That's all.  I see a lot of these attempts each day.  Same with land attacks.  

Are land attacks something to worry about?  I get these messages daily:

unknown   172.58.1.99   unknown   09 Feb 2009, 07:03:04   %asa-2-106017: deny ip due to land attack from 172.58.1.99 to 172.58.1.199  
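
A small triage script for the two message types quoted in this thread, added here as an example (it is not part of the original thread or of any answer in it): it parses %ASA-2-106006 and %ASA-2-106017 lines, counts denies per source, and lists destinations that fall in no known subnet. `KNOWN_SUBNETS`, the function names and the second sample line are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: placeholder list of subnets that really exist; replace with your own.
KNOWN_SUBNETS = [ipaddress.ip_network(n) for n in ("172.16.0.0/16", "172.58.1.0/24")]

IP = r"(?:\d{1,3}\.){3}\d{1,3}"
PATTERNS = {
    # %ASA-2-106006: Deny inbound UDP from src/sport to dst/dport on interface name
    "106006": re.compile(
        rf"%ASA-2-106006: Deny inbound UDP from (?P<src>{IP})/(?P<sport>\d+) "
        rf"to (?P<dst>{IP})/(?P<dport>\d+) on interface (?P<ifname>\S+)", re.I),
    # %ASA-2-106017: Deny IP due to Land Attack from src to dst
    "106017": re.compile(
        rf"%ASA-2-106017: Deny IP due to Land Attack from (?P<src>{IP}) "
        rf"to (?P<dst>{IP})", re.I),
}

def parse_line(line):
    """Return a record for a 106006/106017 line, or None for anything else."""
    for msg_id, rx in PATTERNS.items():
        m = rx.search(line)
        if not m:
            continue
        rec = dict(m.groupdict(), id=msg_id)
        try:
            dst = ipaddress.ip_address(rec["dst"])
        except ValueError:          # e.g. an octet above 255 in a mangled line
            return None
        rec["dst_known"] = any(dst in net for net in KNOWN_SUBNETS)
        return rec
    return None

def summarize(lines):
    """Count denies per (id, source, interface); collect destinations in no known subnet."""
    counts, unknown = Counter(), set()
    for rec in filter(None, map(parse_line, lines)):
        counts[(rec["id"], rec["src"], rec.get("ifname", "?"))] += 1
        if not rec["dst_known"]:
            unknown.add(rec["dst"])
    return counts, unknown

# First and last lines are the two quoted in the thread; the middle one is constructed.
SAMPLE = [
    "<162>Dec 18 2008 12:40:21 asafw : %ASA-2-106006: Deny inbound UDP from 172.16.1.1/2675 to 192.168.255.1/4419 on interface inside",
    "<162>Dec 18 2008 12:40:22 asafw : %ASA-2-106006: Deny inbound UDP from 172.16.1.1/2676 to 192.168.255.1/4419 on interface inside",
    "unknown   172.58.1.99   unknown   09 Feb 2009, 07:03:04   %asa-2-106017: deny ip due to land attack from 172.58.1.99 to 172.58.1.199  ",
]
```

Calling `summarize(SAMPLE)` returns the per-source counter and the set of unknown destinations; feed it the lines of a real syslog file to rank which sources generate the most denies.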
SOLUTION
So that means there is a potential insider who is trying to do an attack?  Or would it be a device?  It's hard to say when you get a MAC address and cannot find it.  What do you suggest I do?  Do captures on the network to find the culprit/source?
SOLUTION
A capture would provide the MAC address though.  We don't have any IP phones in our environment.  What is the best way to find the source?  What do you suggest?
SOLUTION
The firewall is at the edge of the network but it is not the gateway.  We have 2 switches running HSRP before the firewall.
SOLUTION
Thanks.  I did a "sh arp" on the firewall and the two core switches and could not find that IP address.  Maybe this is a spoofed IP and that's why it's not showing up?  The last connection happened at 7:23 AM this morning and I know the ARP is not clearing out 100% because I see old IP addresses in here that have not been used in over a month.
SOLUTION
Yes, this is what I was looking for, and it does not appear in the ARP cache in any of the three places: firewall, core switch 1 and core switch 2.  Now I'm confused.
SOLUTION
Once I find the MAC address... Is there an easy way to locate a device on a network with thousands of network connections?  Or is there a way to block the MAC address out of the network from the firewall?
SOLUTION
That is really good advice!  But what's the command to block out a MAC address from the ASA firewall?  If there is such a command.
ASKER CERTIFIED SOLUTION