07-27-2011 09:05 AM - edited 03-11-2019 02:04 PM
I've just taken over a new network with a Cisco ASA5520. Everything is working fine, except I am being bombarded with 106001 alerts from a few internal hosts to one specific internal host. The description in general is "Inbound TCP connection denied from 10.1.0.1 to 10.1.0.5" - both of those are valid internal hosts and the TCP ports are also valid. I tried looking at the log and getting it to tell me which rule was causing these alerts, but it just came back with 'It's not possible for these type of alerts'.
I have three questions:
- How is it possible for the ASA to even pick up on this when, in theory, the source host wouldn't be going near the ASA since it's on the same subnet?
- What might be causing this?
- How can I turn it off!! (I guess that'd be fixed by point 2)
Thanks
Richard
07-27-2011 09:15 AM
Hi Richard,
This log would be generated whenever the connection is denied by the firewall for any reason; it could be anything, e.g. an access rule. So you see them in the logs. If you want to turn them off, you can use the command:
no logging message 106001
They might be valid hosts, but according to the rules defined on the firewall they might not be allowed to talk to each other.
This would help you:
http://www.cisco.com/en/US/customer/docs/security/asa/asa82/system/message/logmsgs.html#wp4768860
Hope this helps,
Thanks,
Varun
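Before suppressing the message with `no logging message 106001`, it is usually more useful to find out which hosts and ports are generating it. The script below is an added example (it is not from this thread or from Cisco): it parses ASA 106001 syslog lines, counts denials per source, destination and port, and flags the pairs where both addresses sit in the same internal subnet, which is exactly the situation Richard describes. The field order follows Cisco's documented 106001 format; the log lines, hostname `fw01` and subnet `10.1.0.0/24` are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Message body of ASA syslog ID 106001 (field order as documented by Cisco:
# protocol, source/port, destination/port, TCP flags, ingress interface).
# The syslog prefix (timestamp, hostname, facility) varies by logging setup,
# so only the %ASA-... portion is matched.
MSG_106001 = re.compile(
    r"%ASA-\d-106001: Inbound (?P<proto>\w+) connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
    r"(?: flags (?P<flags>[A-Z ]+?))? on interface (?P<iface>\S+)"
)

# Constructed sample log: three 106001 denials on the inside interface, one
# from the outside, and one unrelated 302013 line that must be ignored.
SAMPLE_LOG = """\
Jul 27 2011 09:01:02 fw01 %ASA-2-106001: Inbound TCP connection denied from 10.1.0.1/51234 to 10.1.0.5/445 flags SYN on interface inside
Jul 27 2011 09:01:03 fw01 %ASA-2-106001: Inbound TCP connection denied from 10.1.0.1/51235 to 10.1.0.5/445 flags SYN on interface inside
Jul 27 2011 09:01:05 fw01 %ASA-2-106001: Inbound TCP connection denied from 10.1.0.7/40000 to 10.1.0.5/3389 flags SYN on interface inside
Jul 27 2011 09:01:06 fw01 %ASA-2-106001: Inbound TCP connection denied from 192.0.2.10/44444 to 10.1.0.5/22 flags SYN on interface outside
Jul 27 2011 09:01:07 fw01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.10/44445 (192.0.2.10/44445) to inside:10.1.0.5/443 (10.1.0.5/443)
"""


def parse_106001(line):
    """Parse one syslog line; return a dict of fields, or None if it is not a 106001."""
    m = MSG_106001.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = (rec["flags"] or "").strip()
    return rec


def summarize(lines):
    """Count denials per (interface, src, dst, proto, dport) so the noisy
    talkers stand out instead of being read one alert at a time."""
    counts = Counter()
    for line in lines:
        rec = parse_106001(line)
        if rec is not None:
            counts[(rec["iface"], rec["src"], rec["dst"], rec["proto"], rec["dport"])] += 1
    return counts


def same_subnet_denials(counts, subnets):
    """Return (key, count) pairs, busiest first, where src and dst both fall in
    one of the given subnets. Hosts on one LAN should reach each other via the
    switch, so a denial like this means the traffic is somehow arriving at the
    firewall (wrong mask or gateway on a host, the subnet also configured on
    another ASA interface, a static/NAT entry) and deserves investigation
    rather than silencing the message."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    hits = []
    for key, n in counts.items():
        _iface, src, dst, _proto, _dport = key
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if any(s in net and d in net for net in nets):
            hits.append((key, n))
    hits.sort(key=lambda kv: kv[1], reverse=True)
    return hits


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG.splitlines())
    print("denials per flow:")
    for key, n in counts.most_common():
        print(f"  {n:4d}  {key}")
    print("same-subnet denials (should not normally reach the firewall):")
    for key, n in same_subnet_denials(counts, ["10.1.0.0/24"]):
        print(f"  {n:4d}  {key}")
```

Feed it the output of `show logging` or the ASA's syslog export instead of `SAMPLE_LOG`; the same-subnet list points directly at the hosts whose mask, gateway or path through the firewall needs checking.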
07-27-2011 09:15 AM
I believe an incorrect subnet mask on one or more of the internal hosts could cause this error to show up.
08-01-2011 05:18 AM
Thanks for the advice guys.
Varun, I understand that the log would appear due to access rules etc., but I don't understand how/why the firewall is getting in on the act when both hosts are on the same LAN? The host isn't going to send packets to the firewall, rather broadcast to the switches and wait for a reply. I could use the link; it wanted me to log in and my details wouldn't work.
Tom, I've checked the subnet settings, but they look fine. It would have been nice for it to have been that simple!
Any other advice would be welcome. I'd rather not turn off the alert, I know it's not doing any damage but something isn't quite right!
08-01-2011 05:27 AM
Hi Richard,
Then it could be one of the following issues:
If you have the same subnet defined on any other interface on the firewall,
or if you have any static statement configured for it.
Could you provide a show run from the firewall??
Thanks,
Varun