03-27-2012 06:36 AM - edited 03-11-2019 03:47 PM
Hi all,
I have one constant syslog message in my ASA 5520; every day I get this message:
%ASA-4-106023: Deny Deny icmp src DMZ:X dst INTERNA: Y
But the source is a public IP X sending to Y, a private IP in my network. My DMZ has access to the internet. The destinations are the same every day. These private IPs belong to computers, UPSs and printers.
Why are the public IPs sending ICMP requests to these devices on my internal network?
Regards.
Solved! Go to Solution.
03-27-2012 11:13 AM
But the message indicates that the ICMP traffic is coming from your DMZ interface. Do you also have an outside interface?
03-27-2012 12:28 PM
Thanks for answering, Jedavis.
Yes, I have an outside interface; it is directly connected to other branches of the network.
The DMZ is connected to another firewall, a WatchGuard, and the WatchGuard to the WAN. It's complicated, but it's a network for one of our customers.
BTW, I see in the ICMP messages "(type 3)" and "(type 11)". I read about this and they are Destination Unreachable and Time Exceeded. Could it be that my private IPs are making a query to those public IPs and the access list of the ASA denies the reply to that request?
Regards
03-27-2012 12:34 PM
Yes, it sounds like you have an internal client that is generating some traffic to addresses that don't exist.
03-27-2012 01:01 PM
These are the IPs that may be generating traffic:
192.168.99.20 UPS liberti 15 kVA
192.168.102.10 Printer
192.168.111.11, 192.168.111.12 (2 PCs)
It's possible that the 2 computers are generating this traffic, but the printer and the UPS, how can they generate that traffic?
What do you recommend?
I'm going to scan those two computers with antivirus and anti-spyware, but the other 2, the printer and the UPS, I can't.
Regards.
03-27-2012 01:12 PM
I don't know that I would worry too much about it. Is the destination address the same for all 4 internal IPs or is it different? What are the addresses they are trying to get to?
03-27-2012 01:28 PM
Different source IPs, like:
%ASA-4-106023: Deny icmp src DMZ:178.134.240.2 dst INTERNA:192.168.111.12 (type 11, code 0)
%ASA-4-106023: Deny icmp src DMZ:77.37.254.198 dst INTERNA:192.168.111.12 (type 11, code 0)
%ASA-4-106023: Deny icmp src DMZ:212.106.216.218 dst INTERNA:192.168.111.12 (type 11, code 0)
%ASA-4-106023: Deny icmp src DMZ:195.8.10.206 dst INTERNA:192.168.111.12 (type 11, code 0)
%ASA-4-106023: Deny icmp src DMZ:112.174.81.21 dst INTERNA:192.168.111.11 (type 11, code 0)
%ASA-4-106023: Deny icmp src DMZ:195.144.193.102 dst INTERNA:192.168.111.11 (type 11, code 0)
%ASA-4-106023: Deny icmp src DMZ:78.110.144.136 dst INTERNA:192.168.111.11 (type 0, code 0)
All of these ICMP messages are denied by access-group DMZ-IN [0x0, 0x0].
regards.
03-27-2012 02:11 PM
All of these addresses are registered to telecommunications companies in Russia, Georgia, Spain, Portugal, and S. Korea. (I had listed some more specific information but for some reason the forum software refused to accept it)
If you want to know more I would set up some ACLs and run a packet capture to see what ports the internal addresses are trying to connect to.
03-28-2012 06:26 AM
I agree. In what way could I make the packet capture? Sorry if I don't know... Thanks for all!
03-28-2012 06:58 AM
Actually, the ICMP time-exceeded and destination unreachable messages will not come from the final destination of the packet that caused them. They will come from some intermediate router, which helps explain why all the source addresses in your messages are registered to telecoms. So to capture this traffic, you need to focus on the source addresses.
Create an access list to identify the traffic you want to capture. Something like
access-list cap1 permit ip host 192.168.99.2 any
access-list cap1 permit ip host 192.168.102.10 any
.... etc.
then set up a capture on your DMZ interface
capture x access-list cap1 interface DMZ
You might want to make the capture buffer circular and possibly increase the buffer size. I don't know how much traffic you are dealing with. You can puzzle that out on the command line with ?, or the full syntax is of course in the command ref:
http://www.cisco.com/en/US/customer/docs/security/asa/asa82/command/reference/c1.html#wp2129312
You can view the capture directly on the appliance with show commands... and I seem to recall that there is some way to do it with a browser too. But I usually copy the captured traffic to somewhere I can get at it with Wireshark:
copy /pcap capture:cap1 tftp://......
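An added example, not from anyone in this thread: a small Python script that parses %ASA-4-106023 ICMP deny lines like the ones posted above, names the ICMP type, and emits the per-host capture ACL lines described in the answer. The sample log is constructed from the posted lines (with the full "by access-group" suffix); the "solicited" flag is my own label for types that are replies to traffic the internal host sent first.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the lines quoted in the thread and on the full
# %ASA-4-106023 format; the last line is a non-ICMP deny that must be skipped.
SAMPLE_LOG = """\
%ASA-4-106023: Deny icmp src DMZ:178.134.240.2 dst INTERNA:192.168.111.12 (type 11, code 0) by access-group "DMZ-IN" [0x0, 0x0]
%ASA-4-106023: Deny icmp src DMZ:77.37.254.198 dst INTERNA:192.168.111.12 (type 11, code 0) by access-group "DMZ-IN" [0x0, 0x0]
%ASA-4-106023: Deny icmp src DMZ:112.174.81.21 dst INTERNA:192.168.111.11 (type 11, code 0) by access-group "DMZ-IN" [0x0, 0x0]
%ASA-4-106023: Deny icmp src DMZ:78.110.144.136 dst INTERNA:192.168.111.11 (type 0, code 0) by access-group "DMZ-IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src DMZ:203.0.113.9/4444 dst INTERNA:192.168.111.11/445 by access-group "DMZ-IN" [0x0, 0x0]
"""

ICMP_DENY = re.compile(
    r"%ASA-4-106023: Deny icmp src (?P<src_if>[^:]+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)"
)

# RFC 792 types seen in the thread; the flag marks replies to traffic the *destination*
# host sent earlier (type 3/11 come from the router that dropped that packet).
ICMP_TYPES = {0: ("echo-reply", True), 3: ("destination-unreachable", True),
              8: ("echo-request", False), 11: ("time-exceeded", True)}


def parse_icmp_denies(log_text):
    """One dict per %ASA-4-106023 ICMP deny line; non-matching lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = ICMP_DENY.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["type"], rec["code"] = int(rec["type"]), int(rec["code"])
        rec["name"], rec["solicited"] = ICMP_TYPES.get(
            rec["type"], ("type-%d" % rec["type"], False))
        records.append(rec)
    return records


def summarize_by_internal_host(records):
    """Counter of ICMP message names per internal destination address."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[rec["dst"]][rec["name"]] += 1
    return dict(summary)


def capture_acl(records, acl_name="cap1"):
    """ACL lines, as in the thread, for each internal host that received a solicited
    reply: those hosts originated the traffic worth capturing."""
    hosts = sorted({r["dst"] for r in records if r["solicited"]})
    return ["access-list %s permit ip host %s any" % (acl_name, h) for h in hosts]
```

Feed it `show logging` output (or a syslog file) in place of SAMPLE_LOG; hosts that only receive unsolicited types such as echo-request are left out of the ACL.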
03-29-2012 08:30 AM
Hi jedavis,
When I try to open the first link and the second, I can't open them. When I try to open the first link the page sends this message: "Forbidden File or Application", and with the second, when I try to open it, the window doesn't show anything.
regards.
03-30-2012 06:56 AM
The first link works for me. It points to the description of the capture command in the Cisco ASA 5500 Series Command Reference, 8.2. You need to be logged into CCO to get to it. Here is a link to the same info that doesn't require a login:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c1.html#wp2129312
The second link was not even supposed to be a link, it appears the forum software converted it to one.
I did just notice that my example is a little misleading, in that in the capture command I named the capture "x" and in the copy command I used the name "cap1". The correct copy command in the example would be:
copy /pcap capture:x <destination url>