I have been getting some Land Attack errors in my ASA logs recently so I captured some traffic to analyze.
ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1
During a Land Attack, the capture shows an inside address trying to send traffic to the nat address and this may be some program trying to use nat traversal.
192.168.0.100:52000 > 1.1.1.1:28000: udp 28
I was also able to reproduce a Land Attack by pinging 1.1.1.1 from the inside address of 192.168.0.100.
Can I just configure an ACL that prevents 192.168.0.0/24 from connecting to the nat address of 1.1.1.1?
Or is my nat configuration wrong?
Current nat configuration:
version 8.2.4
nat-control
global (outside) 1 1.1.1.1 netmask 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.255.0
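As an added illustration, not part of the original post, here is a small triage script that parses ASA 106017 messages and capture lines against the NAT configuration above and flags flows where an inside host is sending to the global PAT address. The sample syslog and capture lines are constructed, and the script assumes (as the capture suggests) that the "from 1.1.1.1" source in the syslog is the post-translation address.

```python
import ipaddress
import re

# Constructed sample ASA syslog lines and capture summary lines (not from a real device).
ASA_LOGS = [
    "%ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1",
    "%ASA-6-302015: Built outbound UDP connection 42 for outside:8.8.8.8/53",
]
CAPTURE = [
    "192.168.0.100:52000 > 1.1.1.1:28000: udp 28",
    "192.168.0.100:52001 > 8.8.8.8:53: udp 40",
]
# Taken from the 'global (outside) 1 1.1.1.1' and 'nat (inside) 1 192.168.0.0 ...' lines.
GLOBAL_ADDR = "1.1.1.1"
INSIDE_NET = ipaddress.ip_network("192.168.0.0/24")

LAND_RE = re.compile(r"106017: Deny IP due to Land Attack from (\S+) to (\S+)")
CAP_RE = re.compile(r"^(\S+):(\d+) > (\S+):(\d+): (\w+)")


def land_attack_events(lines):
    """Return (src, dst) pairs from 106017 messages; the ASA only logs this when src == dst."""
    return [m.groups() for m in map(LAND_RE.search, lines) if m]


def classify_flow(capture_line, global_addr, inside_net):
    """Label a capture flow: 'hairpin-to-global' when an inside host targets the
    global PAT address (after translation the source becomes that same address,
    which is the pattern the ASA reports as a land attack), else 'other'."""
    m = CAP_RE.match(capture_line)
    if not m:
        return None
    src, dst = ipaddress.ip_address(m.group(1)), m.group(3)
    if src in inside_net and dst == global_addr:
        return "hairpin-to-global"
    return "other"


def triage(logs, capture, global_addr, inside_net):
    """Count 106017 events and split capture flows into the ones that explain them and the rest."""
    summary = {"land_events": len(land_attack_events(logs)),
               "hairpin_flows": [], "other_flows": []}
    for line in capture:
        label = classify_flow(line, global_addr, inside_net)
        if label == "hairpin-to-global":
            summary["hairpin_flows"].append(line)
        elif label == "other":
            summary["other_flows"].append(line)
    return summary


if __name__ == "__main__":
    print(triage(ASA_LOGS, CAPTURE, GLOBAL_ADDR, INSIDE_NET))
```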