I've just taken over a new network with a Cisco ASA5520. Everything is working fine, except I am being bombarded with 106001 alerts from a few internal hosts to one specific internal host. The description in general is "Inbound TCP connection denied from 10.1.0.1 to 10.1.0.5 - both of those are valid internal hosts and the TCP ports are also valid. I tried looking at the log and getting it me to tell me which rule was causing these alerts, but it just came back with 'It's not possible for these type of alerts'
I have three questions:
- How is it possible for the ASA to even pick up on this when, in theory, the source host wouldn't be going near the ASA since it's on the same subnet?
- What might be causing this?
- How can I turn it off!! (I guess that'd be fixed by point 2)
This log would be generated whenever the connection is denied due to any reason by the firewall, could be anything, access-rule. So you see them in the logs. If you want to turn them off, you can use the command:
no logging message 106001
They might be valid hosts but according to rules defined on firewall they might not be allowed to talk to eachother.
this would help you:
Hope this helps,
Thanks for the advice guys.
Varun, I understand that the log would appear due to access-rules etc... but I don't understand how/why the firewall is getting in on the act when both hosts are on the same LAN? The host isn't going to send packets to the firewall, rather broadcast to the switches and wait for a reply. I could use the link, it wanted me to login and my details wouldn't work.
Tom, I've checked for subnet settings, but they look fine. It would have be nice for it to have been that simple!
Any other advice would be welcome. I'd rather not turn off the alert, I know it's not doing any damage but something isn't quite right!
Then it could be one of the following issues:
If you have the same subnet being defined on any other interface on the firewall
or if you ahve any static statement being configured for it.
Could you provide a show run from the firewall??