%ASA-4-106023

adansuris16
Level 1

Hi all,

I have one constant syslog message on my ASA 5520; every day I get this message:

%ASA-4-106023: Deny icmp src DMZ:X dst INTERNA:Y

But the source is a public IP X sending to Y, a private IP in my network. My DMZ has access to the internet. The destinations are the same every day. These private IPs belong to computers, UPSs and printers.

Why are public IPs sending ICMP requests to these devices on my internal network?

Regards.


jedavis
Level 4

But the message indicates that the ICMP traffic is coming from your DMZ interface.  Do you also have an outside interface?

Thanks for answering, jedavis.

Yes, I have an outside interface that is directly connected to other branches of the network.

The DMZ is connected to another firewall, a WatchGuard, and the WatchGuard to the WAN. It's complicated, but it's a network for one of our customers.

BTW, I see in the ICMP messages (type 3) and (type 11); I read about this and they are Destination Unreachable and Time Exceeded. Could it be that my private IPs are making a query to those public IPs and the access list of the ASA denies the reply to this ICMP message request?

Regards

Yes, it sounds like you have an internal client that is generating some traffic to addresses that don't exist.

These are the IPs that may be generating traffic:

192.168.99.20 UPS Liberti 15 kVA

192.168.102.10 Printer

192.168.111.11, 192.168.111.12 (2 PCs)

It's possible that the 2 computers are generating this traffic, but the printer and the UPS, how can they generate that traffic?

What do you recommend?

I'm going to scan those two computers with an antivirus and spyware scanner, but what about the other 2, the printer and the UPS?

Regards.

I don't know that I would worry too much about it.  Is the destination address the same for all 4 internal IPs or is it different?  What are the addresses they are trying to get to?

Different source IPs, like:

%ASA-4-106023: Deny icmp src DMZ:178.134.240.2 dst INTERNA:192.168.111.12 (type 11, code 0)

%ASA-4-106023: Deny icmp src DMZ:77.37.254.198 dst INTERNA:192.168.111.12 (type 11, code 0)

%ASA-4-106023: Deny icmp src DMZ:212.106.216.218 dst INTERNA:192.168.111.12 (type 11, code 0)

%ASA-4-106023: Deny icmp src DMZ:195.8.10.206 dst INTERNA:192.168.111.12 (type 11, code 0)

%ASA-4-106023: Deny icmp src DMZ:112.174.81.21 dst INTERNA:192.168.111.11 (type 11, code 0)

%ASA-4-106023: Deny icmp src DMZ:195.144.193.102 dst INTERNA:192.168.111.11 (type 11, code 0)

%ASA-4-106023: Deny icmp src DMZ:78.110.144.136 dst INTERNA:192.168.111.11 (type 0, code 0)

All of these ICMP messages are denied by access-group DMZ-IN [0x0, 0x0].

Regards.

All of these addresses are registered to telecommunications companies in Russia, Georgia, Spain, Portugal, and S. Korea. (I had listed some more specific information but for some reason the forum software refused to accept it)

If you want to know more I would set up some ACLs and run a packet capture to see what ports the internal addresses are trying to connect to.

I agree. In what way could I make the packet capture? Sorry if I don't know. Thanks for all!

Actually, the ICMP time-exceeded and destination unreachable messages will not come from the final destination of the packet that caused them.  They will come from some intermediate router, which helps explain why all the source addresses in your messages are registered to telecoms.  So to capture this traffic, you need to focus on the source addresses.

Create an access list to identify the traffic you want to capture.  Something like

access-list cap1 permit ip host 192.168.99.2 any

access-list cap1 permit ip host 192.168.102.10 any

.... etc.

then set up a capture on your DMZ interface

capture x access-list cap1 interface DMZ

You might want to make the capture buffer circular and possibly increase the buffer size.  I don't know how much traffic you are dealing with.  You can puzzle that out on the command line with ?, or the full syntax is of course  in the command ref:

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/command/reference/c1.html#wp2129312

You can view the capture directly on the appliance with show commands... and I seem to recall that there is some way to do it with a browser too.  But I usually copy the captured traffic to somewhere I can get at it with wireshark:

capture /pcap capture:cap1 tftp://......
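To make the reasoning above concrete (the type 11 / type 3 / type 0 lines posted earlier are all responses to traffic the internal hosts sent first, so the internal addresses are what the capture ACL should match), here is an added Python example that is not from the thread or from Cisco: it parses %ASA-4-106023 lines, classifies the ICMP type, picks out the internal hosts that only ever receive response-type ICMP, and prints the access-list lines for the capture. The sample lines are constructed from the thread plus one made-up type 3 line; the ACL name cap1 follows the example above.

```python
import re
from collections import defaultdict

# Regex for the %ASA-4-106023 message shape seen in this thread; the
# "by access-group ..." tail is optional because the posted lines omit it.
LOG_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) src (?P<src_if>[^:]+):(?P<src>\S+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst>\S+) \(type (?P<type>\d+), code (?P<code>\d+)\)"
)

# ICMP types that are replies/errors, i.e. responses to something the internal
# host sent first. Types 3 and 11 come from intermediate routers, not from the
# original destination, which is why the sources resolve to telecoms.
ICMP_RESPONSE_TYPES = {0: "echo-reply", 3: "dest-unreachable", 11: "time-exceeded"}

def parse_line(line):
    """Return a dict of fields from one %ASA-4-106023 line, or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["type"], d["code"] = int(d["type"]), int(d["code"])
    d["kind"] = ICMP_RESPONSE_TYPES.get(d["type"], "request/other")
    return d

def summarize(lines):
    """Group denied ICMP by internal destination: {dst: {kind: [sources]}}."""
    out = defaultdict(lambda: defaultdict(set))
    for line in lines:
        d = parse_line(line)
        if d and d["proto"] == "icmp":
            out[d["dst"]][d["kind"]].add(d["src"])
    return {dst: {k: sorted(v) for k, v in kinds.items()} for dst, kinds in out.items()}

def originating_hosts(lines):
    """Internal IPs whose denied ICMP is all response types: they (or something
    using their address) sent the probes, so they belong in the capture ACL."""
    return sorted(dst for dst, kinds in summarize(lines).items()
                  if all(k in ICMP_RESPONSE_TYPES.values() for k in kinds))

def capture_acl(hosts, acl_name="cap1"):
    """Build the ASA access-list lines for a capture filter on those hosts."""
    return [f"access-list {acl_name} permit ip host {h} any" for h in hosts]

# Constructed sample: two lines posted in this thread plus one made-up type 3 line.
SAMPLE = [
    "%ASA-4-106023: Deny icmp src DMZ:178.134.240.2 dst INTERNA:192.168.111.12 (type 11, code 0)",
    "%ASA-4-106023: Deny icmp src DMZ:78.110.144.136 dst INTERNA:192.168.111.11 (type 0, code 0)",
    "%ASA-4-106023: Deny icmp src DMZ:203.0.113.9 dst INTERNA:192.168.111.11 (type 3, code 3)",
]

if __name__ == "__main__":
    for host in originating_hosts(SAMPLE):
        print(host, summarize(SAMPLE)[host])
    print("\n".join(capture_acl(originating_hosts(SAMPLE))))
```

Feed it the full syslog export instead of SAMPLE to get the complete host list; a host that also shows type 8 (echo request) lines would be excluded and deserves a separate look.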

Hi jedavis,

When I want to open the first link and the second, I can't open them. When I try to open the first link, the page sends this message: "Forbidden File or Application", and for the second, when I try to open it the window doesn't show anything.

Regards.

The first link works for me.  It points to the description of the capture command in the Cisco ASA 5500 Series Command Reference, 8.2.  You need to be logged into CCO to get to it.  Here is a link to the same info that doesn't require a login:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c1.html#wp2129312

The second link was not even supposed to be a link, it appears the forum software converted it to one.

I did just notice that my example is a little misleading, in that in the capture command I named the capture "x" and in the copy command I used the name "cap1".  The correct copy command in the example would be:

capture /pcap capture:x <destination url>
