Deny inbound UDP

Posted on 2009-02-10
Last Modified: 2012-05-06
Hello

Does anyone know what this log means?

<162>Dec 18 2008 12:40:21 asafw : %ASA-2-106006: Deny inbound UDP from 172.16.1.1/2675 to 192.168.255.1/4419 on interface inside

I checked on Cisco's Web site section for Syslog message and got this info but it doesn't give me much feedback:

106006

Error Message    %ASA-2-106006: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name.

Explanation    This is a connection-related message. This message is displayed if an inbound UDP packet is denied by the security policy that is defined by the specified traffic type.

Recommended Action    None required.

Any help you can provide will be greatly appreciated!

D
Question by:dholbanga

Assisted Solution

by:JFrederick29
ID: 23604404
Is 192.168.255.1 the ASA inside interface IP address?  All it means is that the 172.16.1.1 host sent a UDP packet to 192.168.255.1 with a destination port of 4419.  The ASA dropped this packet as it isn't accepting connections on that port.  This is nothing to worry about unless you are receiving thousands of these messages.  If that is the case, you may want to look at the 172.16.1.1 host and determine what app is sending that traffic.
 

Author Comment

by:dholbanga
ID: 23604977
The subnet 192.168.255.0 does not exist on our network.  So does that mean that the host 172.16.1.1 is running a scanner on our network looking to place an attack of some sort?

Assisted Solution

by:JFrederick29
ID: 23605031
Not necessarily; the ASA is going to see any traffic destined to unknown networks since it is the default gateway to the Internet.  You would have to go back to the 172.16.1.1 host and determine what app is initiating this traffic.  It could simply be a misconfiguration of an app.  Again though, unless you are seeing thousands and thousands of these connections, I really wouldn't worry about it; the ASA is doing what it is supposed to be doing.

Author Comment

by:dholbanga
ID: 23605330
But I do wonder if the user is doing anything to scan the network and plan any unnecessary attacks.  That's all.  I see a lot of these attempts each day.  Same with land attacks.  

Are land attacks something to worry about?  I get these messages daily:

unknown   172.58.1.99   unknown   09 Feb 2009, 07:03:04   %asa-2-106017: deny ip due to land attack from 172.58.1.99 to 172.58.1.199  

Assisted Solution

by:JFrederick29
ID: 23607241
Land attacks are when a packet is received with the same source and destination IP address.  I have seen this before with Avaya VoIP phones.  You would again have to track down on the host what is sending this traffic.  
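A small checker for the two message types in this thread, added here as an example and not taken from the question or the answers: it parses 106006 and 106017 lines, counts UDP denies per source host and destination port so the "thousands of messages" rule of thumb from the answers can be applied, and records for each land-attack entry whether the source and destination actually match, which is the condition the answer above describes. The sample lines (beyond the two quoted in the thread), the threshold value and all function names are constructed or assumed for this example.

```python
import re
from collections import Counter

# Constructed sample modelled on the two message formats quoted in this thread;
# the third, fourth and fifth lines are made up for illustration.
SAMPLE_LOG = """\
<162>Dec 18 2008 12:40:21 asafw : %ASA-2-106006: Deny inbound UDP from 172.16.1.1/2675 to 192.168.255.1/4419 on interface inside
<162>Dec 18 2008 12:40:22 asafw : %ASA-2-106006: Deny inbound UDP from 172.16.1.1/2676 to 192.168.255.1/4419 on interface inside
<162>Dec 18 2008 12:40:25 asafw : %ASA-2-106006: Deny inbound UDP from 10.0.0.7/5353 to 192.168.255.1/53 on interface inside
<162>Feb 09 2009 07:03:04 asafw : %ASA-2-106017: Deny IP due to Land Attack from 10.0.0.9 to 10.0.0.9
unknown   172.58.1.99   unknown   09 Feb 2009, 07:03:04   %asa-2-106017: deny ip due to land attack from 172.58.1.99 to 172.58.1.199
"""

UDP_DENY = re.compile(r"%ASA-\d-106006: Deny inbound UDP from (?P<src>[\d.]+)/(?P<sport>\d+) "
                      r"to (?P<dst>[\d.]+)/(?P<dport>\d+) on interface (?P<iface>\S+)", re.I)
LAND = re.compile(r"%ASA-\d-106017: Deny IP due to Land Attack from (?P<src>[\d.]+) "
                  r"to (?P<dst>[\d.]+)", re.I)

def parse_line(line):
    """Return a dict for the two message IDs discussed in this thread, else None."""
    m = UDP_DENY.search(line)
    if m:
        d = m.groupdict()
        d.update(id="106006", sport=int(d["sport"]), dport=int(d["dport"]))
        return d
    m = LAND.search(line)
    if m:
        d = m.groupdict()
        # 106017 is raised when source and destination match; record whether the
        # logged pair really does so that odd entries stand out for review.
        d.update(id="106017", same_address=(d["src"] == d["dst"]))
        return d
    return None

def summarize(log_text, noisy_threshold=1000):
    """Count 106006 drops per (source, dest port); flag sources at/over the threshold.

    noisy_threshold is an assumed cut-off standing in for the 'thousands of messages'
    rule of thumb given in the answers above; 106017 entries are returned separately.
    """
    per_source, land = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["id"] == "106006":
            per_source[(rec["src"], rec["dport"])] += 1
        elif rec:
            land.append(rec)
    noisy = sorted(k for k, n in per_source.items() if n >= noisy_threshold)
    return {"per_source": per_source, "noisy_sources": noisy, "land_attacks": land}
```

Running summarize(SAMPLE_LOG, noisy_threshold=2) flags 172.16.1.1 toward port 4419 and lists both 106017 entries, only the first of which has matching addresses.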
 

Author Comment

by:dholbanga
ID: 23611078
So that means there is a potential insider who is trying to do an attack?  Or would it be a device?  It's hard to say when you get a MAC address and cannot find it.  What do you suggest I do?  Do captures on the network to find the culprit/source?

Assisted Solution

by:JFrederick29
ID: 23611158
It could simply be a misconfiguration or normal operation in the case of Avaya phones.  It may not be malicious at all, but to know for sure, you would need to find the IP address of the source workstation when it is occurring and take a look at the machine/device.  A packet capture probably isn't going to provide you any more information than source/dest IP address, which you already see in the log messages.
 

Author Comment

by:dholbanga
ID: 23611280
A capture would provide the MAC address though.  We don't have any IP phones in our environment.  What is the best way to find the source?  What do you suggest?

Assisted Solution

by:JFrederick29
ID: 23611324
Is the firewall the gateway, or is it an internal router?  On the router or firewall, do a "show arp" and look for the IP address in question to get the MAC address.
 

Author Comment

by:dholbanga
ID: 23611548
The firewall is at the edge of the network but it is not the gateway.  We have 2 switches running HSRP before the firewall.

Assisted Solution

by:JFrederick29
ID: 23611614
Okay, so on the switches, look in the ARP table for the IP address and you can get the MAC address from there:

show arp
 

Author Comment

by:dholbanga
ID: 23611707
Thanks.  I did a "sh arp" on the firewall and the two core switches and could not find that IP address.  Maybe this is a spoofed IP that's why it's not showing up?  The last connection happened at 7:23 AM this morning and I know the ARP is not clearing out 100% because I see old IP addresses in here that have not been used in over a month.

Assisted Solution

by:JFrederick29
ID: 23611755
You are looking for the source IP address, right? 172.16.1.1?
 

Author Comment

by:dholbanga
ID: 23612034
Yes, this is what I was looking for, and it does not appear in the ARP cache in any of the three places: firewall, core switch 1 and core switch 2.  Now I'm confused.

Assisted Solution

by:JFrederick29
ID: 23612145
Well, they time/age out of the table or if the subnet doesn't exist, you won't see an ARP entry.  Next time you see it, ping the IP address from the router/switch that has the local subnet attached and look at the ARP table.  The ping will refresh it.
 

Author Comment

by:dholbanga
ID: 23612234
Once I find the MAC address... Is there an easy way to locate a device on a network with thousands of network connections?  Or is there a way to block the MAC address out of the network from the firewall?

Assisted Solution

by:JFrederick29
ID: 23612326
You don't want to block it since you don't know if it is legitimate or not.  As long as you have managed switches throughout the network, you can track down the MAC address using the "show mac-add add <mac address>" command, assuming Cisco switches.  Keep hopping switch to switch until you find the end user port.
 

Author Comment

by:dholbanga
ID: 23613052
That is really good advice!  But what's the command to block out a MAC address from the ASA firewall?  If there is such a command.

Accepted Solution

by:JFrederick29
ID: 23613070
Not by MAC address; you would need to specify the IP address.  Keep in mind that the firewall is dropping the traffic already, which is the same thing it would do with a MAC filter anyway...