Yes, all inside users currently use 1.1.1.1 as the outside natted address and all works.

I am trying to limit Land Attack errors from false positives so we know when a real Land Attack occurs.

I know the traffic gets dropped but if I add an ACL would the traffic log as regular deny instead of logging a land attack?

Hello,

Yes, I understand what you are saying. Doing a little bit of research on this I have found the following information that might help you regarding this problem.

What is Land attack?
A land attack is a remote denial-of-service (DOS) attack caused by  sending a packet to a machine with the source host/port the same as the  destination host/port.

How do you troubleshoot ?

Error Message    %PIX|ASA-2-106017: Deny IP due to Land Attack from IP_address to
IP_address

Explanation    The security appliance received a packet with the IP source address equal
to the IP destination, and the destination port equal to the source port. This message
indicates a spoofed packet that is designed to attack systems. This attack is referred to
as a Land Attack.

Recommended Action    If this message persists, an attack may be in progress. The packet
does not provide enough information to determine where the attack originates.

Step 1: You need to find out the packet flow
Step 2: In order to fetch the packet flow, please capture the pcap in  all the interfaces (it will give lot of information including mac  address)
Step 3: If you have a firewall deployed between the source and  destinations, they its already blocked. However it will display in the  logs as blocked often
Step 4: If you see the Public IP, it may get statically natted  somewhere. so please try removing the static entry and observe the logs  (this is workaround)
Step 5: You can execute the shun command in the firewall (if cisco) to tell the device to discard the packet from processing.

Hope this information helps,

Regads,

Julio

I have already taken the dump and verified the traffic to be legit.

Again, If I ping my nat public address I can produce a Land Attack.

I just want to prevent regular traffic from sending off Land Attack errors.

Hello,

The thing is that traffic is going to be denied by default by the ASA so if you create and ACL for that the result is going to be the same, just that you are going to receive a different message. Check out the followin procesure.

     -If you place this command you are going to avoid that message:

               -no logging message 106017

Hope that one helps.

Regards,

Julio

Hi,

You would never be able to ping a remote interface from the ASA, it would always be denied, in your case whats happening is, you are trying to ping the the outside interface, the rrequest first goes to the internet for resolution and then is redirceted back to the ASA outside interface, and now the firewall sees the source and destination being the same and reports land attack. So I am not sure why you are trying it and what exactly is your requirement? If you can explain it maybe we can let you know if its possible?

Thanks,

Varun

From the original post, I just used ping to reproduce the error that I get from time to time on my asa from other user traffic.

When a land attack happens I check the the captured data and see what caused it and it is because of some nat traversal traffic that sends data to the nat public address.

I just want for this traffic to not show up as a land attack since it is a false positive.

Sent from Cisco Technical Support iPad App

Hello,

As I explained before you are going to keep receiving this messages unless you disable the message 106017, that is the only solution because the ASA as a security device is going to log this situation every single time it happens as it seems to be an attack.

Hope you have a great day.

Julio

I was able to test an ACL on a spare ASA and it did work.

When there is no ACL, the land attack is logged which is correct as it can't connect to itself.

When I add the ACL denying access to its nat address it is logged as a deny.

access-list inside_access_in extended deny ip host 192.168.0.254 host 1.1.1.1

This is the default action when Dynamic NAT is configured for an interface and not an address pool.

global (outside) 1 interface

nat (inside) 1 192.168.0.0 255.255.255.0

If Dynamic NAT uses a different IP address a Land Attack is logged unless an ACL denies it first.

global (outside) 1 1.1.1.1 netmask 255.255.255.0

nat (inside) 1 192.168.0.0 255.255.255.0