  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1973

PIX 515 Always shows 'Land attack' alarm.

Hi! After NATting (PAT) the inside network to a single outside IP address, I lost the SSH connection to the PIX device. After logging in via the console interface I see continuing syslog alarms about a land attack.

Oct 07 2008 11:14:33: %PIX-2-106017: Deny IP due to Land Attack from x.x.118.12 to x.x.118.12

So, I suppose there aren't any hackers around. Can anyone explain what the hell is happening?
Now we have lag on the inside network and no access to the PIX via SSH, and maybe more problems that I still haven't discovered.

I am including the important part of the config below.

Must say that we use a Cisco 3750 as the LAN switch (with all the inter-VLAN routing; the default gateway for all the hosts is 10.x.1.1 on the PIX). Beyond the OUTSIDE interface there is a Cisco 7600 where the default gateway is known via BGP and the network address used for NATting is known via a static route (255.255.255.255).

I have searched the Net about the problem, but the answers to the same issue are, in most cases, lame.
Here goes the partial configuration.
!--------
interface Ethernet0.173
 vlan 666
 nameif OUTSIDE
 security-level 10
 ip address x.x.x.4 255.255.255.240 
 ospf message-digest-key 1 md5 <removed>
 ospf authentication message-digest
!
 
interface Ethernet1.110
 vlan 222
 nameif LAN
 security-level 50
 ip address 10.x.1.1 255.255.255.248 standby 10.x.x.2 
!
 
# the only default gateway
route OUTSIDE 0.0.0.0 0.0.0.0 x.x.x.1 1
 
access-list zzz extended permit ip 10.x.2.0 255.255.255.0 any 
global (OUTSIDE) 5 195.x.x.12
nat (LAN) 5 access-list zzz


Asked by poletay

1 Solution
 
Jay_Gridley commented:
Hi.

Do you have any idea where the traffic that generates the alarm comes from?
As you have probably already found out, "This message appears when PIX Firewall receives a packet with the IP source address equal to the IP destination and the destination port equal to the source port."
(source: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/syslog/pixemsgs.htm)
This is the basic design of the PIX and can't be shut off.

I would go about finding out where this message is coming from and why the PIX thinks it is an attack.
The problem would occur, for example, if you host a website on your inside network and try to access it from your inside network through the outside IP address of the PIX.
You might need to find a workaround for the situation, or maybe the service causing trouble is no longer required and can be shut off.

Good luck in your efforts.

JG
0
 
harbor235 commented:


Did you try to SSH to yourself? You most likely have a shun in your config now blocking all traffic to x.x.118.12. Do a "show shun" from a console connection to see if the firewall is blocking that IP.

harbor235 ;}

0
 
poletay (Author) commented:
Hello everybody and thanks for the comments! We have a bypass rule. I am attaching the config part with it. Do you think there is a host with an exclusive address (not included in the ACL) that tries to communicate with some usual member of the (LAN) interface? I might try to discover if anybody is using a secondary IP address.
"show shun" returns nothing...
access-list BYPASS line 1 extended permit ip 10.x.0.0 255.255.0.0 10.x.0.0 255.255.0.0
access-list BYPASS line 2 extended permit ip 10.x.0.0 255.255.0.0 10.y.0.0 255.255.0.0
access-list BYPASS line 3 extended permit ip 10.x.0.0 255.255.0.0 10.z.0.0 255.255.0.0
access-list BYPASS line 4 extended permit ip 10.x.0.0 255.255.0.0 192.168.x.0 255.255.255.0
 
nat (LAN) 0 access-list BYPASS


0

 
poletay (Author) commented:
Also, I noticed a strange message about my own IP address (10.x.z.2) being spoofed. 10.x.y.1 is the address of the PIX.

Oct 08 2008 06:00:05: %PIX-2-106016: Deny IP spoof from (10.x.y.1) to 10.x.z.2 on interface KVS


0
 
Pugglewuggle commented:
It sounds like your PIX might be malfunctioning... contact Cisco TAC and have them analyze this with packet captures and such. They will be able to determine if your device is malfunctioning.
I recommend that you do this as your next step because this is a very strange combination of "attacks" that seem to come from inside... Is this a network that has untrusted users, or is this a secured business network?
Please let me know so I can help!
Cheers!
0
 
poletay (Author) commented:
This is a physically secured business network. Users are under AD/Windows and cannot modify network settings, MS ISA guards the traffic, and antivirus software is enabled.
When using Packet Tracer in Cisco ASDM, I see some rules are being ignored in the inbound ACL, so it drops the packets by the implicit "deny any to any" rule. That's why I can't SSH.
0
 
Pugglewuggle commented:
Hmmm... that's rather disturbing then... you need to contact TAC and get a full diagnostic run on the unit. There's got to be some problem with the PIX. I've seen this before, and all 3 times we RMA'd the PIX. The new unit with the same config worked fine.
Get this fixed immediately - I don't want anything bad happening, and from what it sounds like, your PIX could poop out at any time.
Best of luck, I hope my advice has helped.
Cheers!
0
 
Pugglewuggle commented:
BTW, I've only seen this on 2 515s and on 1 525... it doesn't seem to happen to the smaller ones for some reason. I'm not sure why it would affect the bigger units more (as they have ample cooling), but it does seem to.
Like I said, get TAC to check this out - that's not normal.
0
 
harbor235 commented:

Number one, there have been a lot of security advisories for Cisco products lately; I hope that you are operating from one of the latest and most stable versions of IOS. If not, I would upgrade first.

Interface KVS is reporting this potential attack; perhaps there is actual traffic being spoofed here. Look at your ARP tables on the KVS network and look for an association to 10.x.y.1 that is different from the MAC address on the firewall interface. If there is spoofed traffic then it will most likely have a different MAC.
The key is to perform packet captures, know the MAC address of the firewall, look for something different from the MAC of the firewall, then trace that MAC address to a switch port and identify the host.

Also, I see you are using an active/standby configuration; did the config change sync properly? Have they gone active/active? Reboot the standby, make sure when the secondary comes up that it is synced properly, then reset the primary; make sure failover is working properly and all interfaces are monitored. Why does your config not have the failover IP for the outside interface? Can you post show failover? Could be a contention issue between the firewall pair.
Can we see the rest of your config?

harbor235 ;}

0
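harbor235's ARP/MAC hunt above, worked as an added example (not part of the thread): given a capture taken on the KVS segment and the switch's MAC address table, list every MAC that sources frames with the firewall's IP address other than the firewall's own, and the switch port each one was learned on. The capture (tcpdump -e style) and the `show mac address-table` listing are constructed sample data with placeholder addresses; the firewall's MAC is an assumed value you would read from `show interface` on the PIX.

```python
"""Locate the host that sources frames with the firewall's IP address.

Added example, not from the thread. Input is constructed data in the shape of
a `tcpdump -e` capture and a Cisco `show mac address-table` listing; every
address and MAC below is a placeholder.
"""
import re

# tcpdump -e line: "<ts> <smac> > <dmac>, ethertype IPv4 (0x0800), length N: <sip>[.port] > <dip>[.port]: ..."
FRAME_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 \(0x0800\), "
    r"length \d+: (?P<sip>\d+(?:\.\d+){3})(?:\.\d+)? > (?P<dip>\d+(?:\.\d+){3})"
)
# show mac address-table line: "  50    0011.2233.4455    DYNAMIC     Gi1/0/1"
MACTABLE_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<port>\S+)"
)

# Assumed firewall identity on the segment (placeholders).
FW_IP = "10.0.5.1"
FW_MAC = "0011.2233.4455"

# Constructed capture: frame 2 claims the firewall's IP from a foreign MAC.
CAPTURE = """\
06:00:05.100001 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 10.0.5.1.22 > 10.0.7.2.51000: Flags [S.], seq 1
06:00:05.200002 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 60: 10.0.5.1.445 > 10.0.7.2.52133: Flags [S], seq 2
06:00:05.300003 00:aa:bb:cc:dd:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 60: 10.0.7.2.51000 > 10.0.5.1.22: Flags [.], ack 1
"""

# Constructed switch MAC table for the same VLAN.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  50    0011.2233.4455    DYNAMIC     Gi1/0/1
  50    00aa.bbcc.dd01    DYNAMIC     Gi1/0/5
  50    00aa.bbcc.ddee    DYNAMIC     Gi1/0/17
"""


def norm_mac(mac: str) -> str:
    """Canonical 12-hex-digit form for both aa:bb:cc:dd:ee:ff and aabb.ccdd.eeff."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def macs_claiming_ip(capture: str, ip: str) -> set:
    """Every source MAC that sent a frame whose IP source is `ip`."""
    seen = set()
    for line in capture.splitlines():
        m = FRAME_RE.match(line)
        if m and m["sip"] == ip:
            seen.add(norm_mac(m["smac"]))
    return seen


def mac_to_port(mac_table: str) -> dict:
    """MAC -> (vlan, port) from a show mac address-table listing."""
    ports = {}
    for line in mac_table.splitlines():
        m = MACTABLE_RE.match(line)
        if m:
            ports[norm_mac(m["mac"])] = (int(m["vlan"]), m["port"])
    return ports


def find_spoofers(capture: str, fw_ip: str, fw_mac: str, mac_table: str) -> list:
    """(mac, vlan, port) for every MAC other than the firewall's that sources fw_ip."""
    ports = mac_to_port(mac_table)
    rogue = macs_claiming_ip(capture, fw_ip) - {norm_mac(fw_mac)}
    out = []
    for mac in sorted(rogue):
        vlan, port = ports.get(mac, (None, "not in MAC table"))
        out.append((mac, vlan, port))
    return out


if __name__ == "__main__":
    for mac, vlan, port in find_spoofers(CAPTURE, FW_IP, FW_MAC, MAC_TABLE):
        print(f"{mac} claims {FW_IP}: vlan {vlan}, port {port}")
```

Run it against a real capture by feeding `tcpdump -e -n` output on the KVS VLAN and the switch's `show mac address-table vlan <n>`; any MAC it lists is a host to walk to, not the firewall.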
 
Pugglewuggle commented:
Yes, please do post your running-config again... I'd like to take a look at it with those changes. Maybe we missed something.
0
 
poletay (Author) commented:
Hello to everyone. Thanks for your comments. I localized the cause of the problem to at least three hosts, and one of them is my own (look at ACL TTK). Also, I noticed that now the problem persists at night, beyond working hours.

kln6-fw00# show ver

Cisco PIX Security Appliance Software Version 7.2(2)19
Device Manager Version 5.2(1)

Compiled on Fri 06-Apr-07 17:27 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Here's most of the config; I omitted the other interfaces and the inbound ACL for the outside interface. Nothing interesting there. Sorry, I can't disclose any real details.
hostname pixla
enable password /WEhTX4SoRXT89jB encrypted
names
dns-guard
 
interface Ethernet0
 description ------ OUTSIDE
 no nameif
 no security-level
 no ip address
!
interface Ethernet0.zzz
 description ----- OUTSIDE link
 vlan zzz
 nameif OUTSIDE
 security-level 10
 ip address (real).(net).184.4 255.255.255.240 
 ospf message-digest-key 1 md5 kazcing
 ospf authentication message-digest
!
interface Ethernet1.yyy
 vlan yyy
 nameif LAN
 security-level 50
 ip address (fake).(net).110.1 255.255.255.248 standby (fake).(net).110.2 
!
passwd 7KjQDb2Id8.3KYRU encrypted
banner motd Hostname $(hostname).$(domain)
boot system flash:/image.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list LAN_ACL extended permit ip (fake).(net).0.0 255.255.0.0 (fake).(one).0.0 255.255.248.0 
access-list LAN_ACL extended permit ip (fake).(net).0.0 255.255.0.0 (fake).(one).64.0 255.255.248.0 
access-list LAN_ACL extended permit ip (fake).(net).0.0 255.255.0.0 (fake).(one).16.0 255.255.240.0 
access-list LAN_ACL extended permit ip (fake).(net).0.0 255.255.0.0 (fake).(ten).14.0 255.255.255.0 
access-list LAN_ACL extended permit ip (fake).(net).0.0 255.255.0.0 (fake).(one).36.0 255.255.255.0 
access-list BYPASS_LOCAL extended permit ip (fake).(net).0.0 255.255.0.0 (fake).(net).0.0 255.255.0.0 
access-list BYPASS_LOCAL extended permit ip (fake).(net).0.0 255.255.0.0 (fake).(one).0.0 255.255.0.0 
access-list BYPASS_LOCAL extended permit ip (fake).(net).0.0 255.255.0.0 (fake).(two).0.0 255.255.0.0 
access-list BYPASS_LOCAL extended permit ip (fake).(net).0.0 255.255.0.0 (fake).(ten).14.0 255.255.255.0 
access-list BYPASS_LOCAL extended permit ip (fake).(net).3.0 255.255.255.0 (fake).(ten).122.0 255.255.255.248 
access-list BYPASS_LOCAL extended permit ip any (fake).(net).0.0 255.255.0.0 
access-list DENGA_STATION extended permit ip (fake).(net).81.64 255.255.255.192 any 
access-list DENGA_STATION extended permit ip (fake).(net).34.0 255.255.255.0 (real).(net).184.0 255.255.255.0 
access-list DENGA_STATION extended permit ip (fake).(net).32.0 255.255.255.0 any 
access-list DENGA_STATION extended permit ip (fake).(net).34.0 255.255.255.0 (real).(net).128.0 255.255.224.0 
access-list DENGA_STATION extended permit ip (fake).(net).34.0 255.255.255.0 10.246.0.0 255.255.0.0 
access-list LAN_access_in extended permit ip (fake).(net).34.0 255.255.255.0 any 
access-list LAN_access_in extended permit ip any object-group Support 
access-list LAN_access_in extended permit icmp (fake).(net).1.0 255.255.255.0 (fake).(net).100.0 255.255.255.0 
access-list LAN_access_in extended permit ip (fake).(net).1.0 255.255.255.0 (fake).(net).100.0 255.255.255.0 
access-list LAN_access_in extended permit ip (fake).(net).1.0 255.255.255.0 (fake).(net).3.0 255.255.255.0 
access-list LAN_access_in extended permit ip (fake).(net).32.0 255.255.255.0 (fake).(net).3.0 255.255.255.0 
access-list LAN_access_in extended permit ip (fake).(net).33.0 255.255.255.0 (fake).(net).3.0 255.255.255.0 
access-list LAN_access_in extended permit ip (fake).(net).35.0 255.255.255.0 (fake).(net).3.0 255.255.255.0 
access-list LAN_access_in extended permit ip (fake).(net).73.0 255.255.255.0 host (fake).(net).72.254 
access-list LAN_access_in extended permit ip host (fake).(net).73.12 host (fake).(net).3.6 
access-list LAN_access_in extended permit tcp host (fake).(net).32.14 host (fake).(net).72.254 eq ssh 
access-list LAN_access_in extended permit ip host (fake).(net).32.60 host (fake).(net).72.254 
access-list LAN_access_in extended permit tcp host (fake).(net).34.2 host (fake).(net).72.254 
access-list LAN_access_in extended permit tcp host (fake).(net).32.166 host (fake).(net).72.254 eq ssh 
access-list LAN_access_in extended permit tcp host (fake).(net).32.166 host (fake).(net).72.254 eq telnet 
access-list LAN_access_in extended permit tcp host (fake).(net).32.166 host (fake).(net).72.254 eq 8001 
access-list LAN_access_in extended permit tcp host (fake).(net).32.221 host (fake).(net).72.254 eq ssh 
access-list LAN_access_in extended permit tcp host (fake).(net).32.221 host (fake).(net).72.254 eq ftp 
access-list LAN_access_in extended permit tcp host (fake).(net).32.221 host (fake).(net).72.254 eq 8001 
access-list LAN_access_in extended permit tcp host (fake).(net).32.221 host (fake).(net).72.226 eq 2300 
access-list LAN_access_in extended permit tcp host (fake).(net).32.221 host (fake).(net).72.254 eq 8000 
access-list LAN_access_in extended permit icmp host (fake).(net).110.3 host (fake).(net).3.6 
access-list LAN_access_in extended permit ip (fake).(ten).122.0 255.255.255.248 host (fake).(net).3.19 
access-list LAN_access_in extended deny ip any (fake).(net).100.0 255.255.255.0 
access-list LAN_access_in extended deny ip any host (real).(net).184.19 
access-list LAN_access_in extended deny ip any host (real).(net).184.18 
access-list LAN_access_in extended deny ip any host (real).(net).184.17 
access-list LAN_access_in extended deny ip any (fake).(net).3.0 255.255.255.0 
access-list LAN_access_in extended deny ip any 10.222.0.0 255.255.0.0 
access-list LAN_access_in extended permit ip host (fake).(net).32.21 (fake).(net).0.0 255.255.0.0 
access-list LAN_access_in extended permit tcp host (fake).(net).32.21 83.217.39.0 255.255.255.0 
access-list LAN_access_in extended deny ip host (fake).(net).32.21 any 
access-list LAN_access_in extended permit ip (fake).(net).100.0 255.255.255.0 host (fake).(net).3.19 
access-list LAN_access_in extended permit udp any any eq domain 
access-list LAN_access_in extended permit ip host (fake).(net).81.66 any 
access-list LAN_access_in extended permit ip any host (fake).(net).34.2 
access-list LAN_access_in extended permit ip (fake).(net).32.0 255.255.252.0 any 
access-list LAN_access_in extended permit ip host (fake).(net).1.8 any 
access-list LAN_NAT_SRV extended permit udp host (fake).(net).1.6 any eq domain 
access-list LAN_NAT_SRV extended permit tcp host (fake).(net).1.6 any eq 123 
access-list LAN_NAT_SRV extended permit udp host (fake).(net).1.6 any eq ntp 
access-list LAN_NAT_SRV extended permit tcp host (fake).(net).1.10 host 80.253.4.44 eq www 
access-list KP extended permit ip host (fake).(net).1.130 any 
access-list TTK extended permit ip host (fake).(net).34.2 any 
access-list TTK extended permit ip host (fake).(net).34.50 any 
access-list TTK extended permit ip host (fake).(net).34.113 any 
pager lines 42
logging enable
logging timestamp
logging buffer-size 65535
logging console critical
logging monitor errors
logging buffered debugging
logging trap informational
logging asdm warnings
logging queue 1025
logging host LAN (fake).(net).1.6
mtu OUTSIDE 1500
mtu LAN 1500
ip local pool remote_users (fake).(net).48.2-(fake).(net).48.254 mask 255.255.255.0
ip local pool remote_admin (fake).(net).100.176-(fake).(net).100.184 mask 255.255.255.248
failover
failover replication http
failover link FAILOVER Ethernet5
failover interface ip FAILOVER (fake).(net).172.205 255.255.255.252 standby (fake).(net).172.206
monitor-interface OUTSIDE
monitor-interface LAN
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-521.bin
asdm history enable
arp timeout 14400
nat-control
global (OUTSIDE) 3 (real).(net).184.10
global (OUTSIDE) 2 (real).(net).184.12
global (OUTSIDE) 4 (real).(one).190.30
global (OUTSIDE) 5 (real).(two).118.12
nat (OUTSIDE) 0 access-list in-out
nat (LAN) 0 access-list BYPASS_LOCAL
nat (LAN) 3 access-list LAN_NAT_SRV
nat (LAN) 2 access-list DENGA_STATION
nat (LAN) 4 access-list KP
nat (LAN) 5 access-list TTK
static (LAN,OUTSIDE) tcp (real).(net).184.12 7000 (fake).(net).81.67 7000 netmask 255.255.255.255 
static (LAN,OUTSIDE) tcp (real).(net).184.12 64221 (fake).(net).32.221 3389 netmask 255.255.255.255 
static (LAN,OUTSIDE) tcp (real).(net).184.12 3389 (fake).(net).34.113 3389 netmask 255.255.255.255 
static (LAN,OUTSIDE) tcp (real).(net).184.12 3390 (fake).(net).32.15 3389 netmask 255.255.255.255 
static (LAN,OUTSIDE) tcp (real).(net).184.12 3391 (fake).(net).32.30 3389 netmask 255.255.255.255 
static (LAN,OUTSIDE) tcp (real).(net).184.12 3392 (fake).(net).32.33 3389 netmask 255.255.255.255 
static (LAN,OUTSIDE) tcp (real).(net).184.12 6888 (fake).(net).34.2 3389 netmask 255.255.255.255 
static (LAN,OUTSIDE) (real).(net).184.10 (fake).(net).1.8 netmask 255.255.255.255 
static (LAN,OUTSIDE) (real).(one).190.31 (fake).(net).1.6 netmask 255.255.255.255 
access-group from_outside in interface OUTSIDE
access-group LAN_access_in in interface LAN
route OUTSIDE 0.0.0.0 0.0.0.0 (real).(net).184.1 1
route LAN (fake).(net).33.0 255.255.255.0 (fake).(net).110.3 1
route LAN (fake).(net).1.0 255.255.255.0 (fake).(net).110.3 1
route LAN (fake).(net).32.0 255.255.255.0 (fake).(net).110.3 1
route LAN (fake).(net).34.0 255.255.255.0 (fake).(net).110.3 1
route LAN (fake).(net).35.0 255.255.255.0 (fake).(net).110.3 1
route LAN (fake).(net).73.0 255.255.255.0 (fake).(net).110.3 1
route LAN (fake).(net).81.64 255.255.255.192 (fake).(net).110.3 1
route LAN (fake).(ten).122.0 255.255.255.248 (fake).(net).110.3 1
 
router ospf 10
 network (fake).(net).100.0 255.255.255.0 area 0
 network (real).(net).184.0 255.255.255.240 area 0
 log-adj-changes
 redistribute static
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy remote_admin internal
group-policy remote_admin attributes
 dns-server value (fake).(net).1.6 (fake).(net).1.8
 ip-comp enable
 split-tunnel-policy tunnelall
 default-domain value some.dummy.dj
 client-firewall none
group-policy remote_users internal
group-policy remote_users attributes
 dns-server value (fake).(net).1.6 (fake).(net).1.8
 ip-comp enable
 split-tunnel-policy tunnelall
 default-domain value some.dummy.dj
aaa authentication http console LOCAL 
aaa authentication telnet console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication enable console LOCAL 
http server enable
http (fake).(net).0.0 255.255.0.0 DENGA
http (fake).(net).1.0 255.255.255.0 LAN
http (fake).(net).34.2 255.255.255.255 LAN
snmp-server host DENGA (fake).(net).3.19 poll community simbaka
no snmp-server location
no snmp-server contact
snmp-server community simbaka
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet (fake).(net).1.0 255.255.255.0 LAN
telnet timeout 5
ssh (real).(net).184.64 255.255.255.255 OUTSIDE
ssh (real).(net).184.65 255.255.255.255 OUTSIDE
ssh xxx.38.97.21 255.255.255.255 OUTSIDE
ssh xxx.33.8.160 255.255.255.240 OUTSIDE
ssh xxx.217.38.0 255.255.255.0 OUTSIDE
ssh (fake).(net).34.2 255.255.255.255 LAN
ssh timeout 5
ssh version 1
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
class-map bandw_test
 match access-list 120
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
  inspect icmp 
  inspect snmp 
  inspect dns migrated_dns_map_1 
policy-map bandw_test
 class bandw_test
  police output 800000
service-policy global_policy global
ntp server (real).(net).184.1
ssl encryption des-sha1 rc4-md5
:end


0
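The check Jay_Gridley quotes (IP source equal to IP destination, source port equal to destination port) cannot be turned off, so the useful triage is to ask whose address appears in the alarm. In this thread the address in the 106017 line (x.x.118.12) is the same one configured as `global (OUTSIDE) 5` in the config posted above, i.e. the PAT address for the hosts in ACL TTK, which is what the "inside host reaching a service through the outside address" case Jay_Gridley describes would produce. The script below is an added example, not from the thread or from Cisco: it parses 106017 and 106016 lines together with the `global`, `static` and `ip address` lines of a PIX 7.x config and reports whether each denied source is one of the firewall's own addresses. The log lines and config fragment are constructed placeholders in the shape of the ones posted.

```python
"""Triage PIX %PIX-2-106017 (land) and %PIX-2-106016 (spoof) denies against
the firewall's own addresses.

Added example, not from the thread. The log lines and config fragment below
are constructed in the shape of the ones posted (placeholder addresses).
"""
import re
from dataclasses import dataclass

IPV4 = r"\d+(?:\.\d+){3}"
LAND_RE = re.compile(
    r"%PIX-2-106017: Deny IP due to Land Attack from (?P<src>\S+) to (?P<dst>\S+)"
)
SPOOF_RE = re.compile(
    r"%PIX-2-106016: Deny IP spoof from \((?P<src>[^)]+)\) to (?P<dst>\S+) "
    r"on interface (?P<ifc>\S+)"
)
GLOBAL_RE = re.compile(rf"^global \((?P<ifc>\w+)\) (?P<id>\d+) (?P<ip>{IPV4})")
STATIC_RE = re.compile(rf"^static \(\w+,\w+\) (?:(?:tcp|udp) )?(?P<ip>{IPV4})")
IFADDR_RE = re.compile(rf"^\s*ip address (?P<ip>{IPV4}) \S+(?: standby (?P<standby>{IPV4}))?")

# Constructed log lines in the format of the ones posted in the thread.
SAMPLE_LOG = """\
Oct 07 2008 11:14:33: %PIX-2-106017: Deny IP due to Land Attack from 198.51.100.12 to 198.51.100.12
Oct 07 2008 11:14:40: %PIX-2-106017: Deny IP due to Land Attack from 203.0.113.7 to 203.0.113.7
Oct 08 2008 06:00:05: %PIX-2-106016: Deny IP spoof from (10.0.1.1) to 10.0.34.2 on interface KVS
"""

# Constructed config fragment: a LAN interface, a PAT pool and one static.
SAMPLE_CONFIG = """\
interface Ethernet1.110
 vlan 222
 nameif LAN
 security-level 50
 ip address 10.0.1.1 255.255.255.248 standby 10.0.1.2
global (OUTSIDE) 5 198.51.100.12
nat (LAN) 5 access-list TTK
static (LAN,OUTSIDE) tcp 198.51.100.10 3389 10.0.34.113 3389 netmask 255.255.255.255
"""


@dataclass
class Finding:
    kind: str      # "land" or "spoof"
    src: str
    dst: str
    ifc: str       # ingress interface, only present in 106016
    verdict: str


def firewall_addresses(config: str) -> dict:
    """Map each address the PIX itself answers for to where in the config it comes from."""
    owned = {}
    for line in config.splitlines():
        m = GLOBAL_RE.match(line)
        if m:
            owned[m["ip"]] = f"global ({m['ifc']}) {m['id']}"
            continue
        m = STATIC_RE.match(line)
        if m:
            owned.setdefault(m["ip"], "static")
            continue
        m = IFADDR_RE.match(line)
        if m:
            owned[m["ip"]] = "interface"
            if m["standby"]:
                owned[m["standby"]] = "interface (standby)"
    return owned


def triage(log: str, config: str) -> list:
    """Classify each 106017/106016 line: one of our own addresses, or genuinely foreign."""
    owned = firewall_addresses(config)
    findings = []
    for line in log.splitlines():
        m = LAND_RE.search(line)
        if m:
            src, dst = m["src"], m["dst"]
            if src in owned:
                verdict = (f"source is one of our own addresses ({owned[src]}): look for inside "
                           f"hosts reaching {dst} through the outside address, not for an attacker")
            else:
                verdict = "source not owned by this firewall: capture on the ingress interface"
            findings.append(Finding("land", src, dst, "", verdict))
            continue
        m = SPOOF_RE.search(line)
        if m:
            src = m["src"]
            if src in owned:
                verdict = (f"a frame claiming our {owned[src]} address arrived on {m['ifc']}: "
                           f"find the MAC and switch port behind it")
            else:
                verdict = f"invalid source {src} on {m['ifc']}"
            findings.append(Finding("spoof", src, m["dst"], m["ifc"], verdict))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, SAMPLE_CONFIG):
        print(f"{f.kind:5} {f.src:>15} -> {f.dst:<15} {f.verdict}")
```

Feed it the buffered log (`show logging`) and the running config of the real unit; a land alarm whose source is a `global` or `static` address of your own is the hairpin case, and a 106016 whose source is one of your interface addresses is the case harbor235 describes, where the next step is the MAC table on that segment.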
 
Pugglewuggle commented:
I honestly see no problem with your config. Your next step should be to contact Cisco TAC, open a P1 case and get an engineer to determine what the problem is or if your PIX is bad.
Cheers!
0
 
harbor235 commented:

I just wonder if failover is causing you some issues; try this.
I have still not seen the output of "show failover".

Remove the old failover config and on the primary do the following. I assume e5 is a dedicated interface for failover
and is connected to a switch in a dedicated VLAN; the secondary port is in that VLAN as well?

failover
failover lan unit primary
failover lan interface failover Ethernet5
failover key cisco
failover interface ip failover (fake).(net).172.205 255.255.255.252 standby (fake).(net).172.206

On the secondary do the following:

failover
failover lan unit secondary
failover lan interface failover Ethernet5
failover key cisco
failover interface ip failover (fake).(net).172.205 255.255.255.252 standby (fake).(net).172.206

Interfaces are monitored by default and do not need specific monitor commands unless you use subinterfaces.
Once configured, issue the command "write memory" on the primary and verify it synced.

harbor235 ;}
0
