03-05-2008 02:27 PM - edited 03-11-2019 05:12 AM
Hello All,
I just installed my ASA 5505 and the firewall log showed that it denied a connection from IP address 74.9.151.50 every second. Please see the attached file.
What does the log message indicate, and how do I stop IP address 74.9.151.50 from attacking my ASA?
Thank you for your help!!
03-05-2008 02:36 PM
Do you have an ICMP policy configured on your ASA?
Try the following to check:
sh run | grep icmp
03-06-2008 06:53 AM
Thanks,
Here is the output:
ASA-ST# sh run | grep icmp
icmp unreachable rate-limit 1 burst-size 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
03-06-2008 08:07 AM
The ICMP type and code are the clue here: Type 11 code 0 = Time to Live exceeded in Transit.
This generally points to a routing loop in a path to a particular host. However, these blocked packets could be response packets to an outbound traceroute test.
03-06-2008 08:17 AM
Thanks again,
What would you recommend?
03-06-2008 08:20 AM
Well, I would check to see if someone was trying a traceroute test at the time.
It all depends on whether you want to allow traceroutes out of your network. If not, do nothing; your firewall is working as it should.
If you do, you will need to allow the ICMP packets back into your network using an ACL.
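The triage described in the replies above (read the ICMP type and code, then decide whether the denies are replies to traffic that left your own network) can be scripted. The following is an added example, not part of any reply in this thread. The attached log is not on the page, so the sample lines are constructed in the format of ASA syslog message 313001, and the 192.0.2.77 and 198.51.100.9 sources are made-up documentation addresses.

```python
import re
from collections import Counter

# Constructed sample lines in the format of ASA syslog message 313001
# (stand-ins for the thread's attachment, which is not on the page).
SAMPLE_LOG = """\
Mar 05 2008 14:20:01: %ASA-3-313001: Denied ICMP type=11, code=0 from 74.9.151.50 on interface outside
Mar 05 2008 14:20:02: %ASA-3-313001: Denied ICMP type=11, code=0 from 74.9.151.50 on interface outside
Mar 05 2008 14:20:03: %ASA-3-313001: Denied ICMP type=11, code=0 from 74.9.151.50 on interface outside
Mar 05 2008 14:20:04: %ASA-3-313001: Denied ICMP type=8, code=0 from 192.0.2.77 on interface outside
Mar 05 2008 14:20:05: %ASA-3-313001: Denied ICMP type=3, code=3 from 198.51.100.9 on interface outside
"""

DENY_RE = re.compile(
    r"%ASA-\d-313001: Denied ICMP type=(\d+), code=(\d+) "
    r"from (\S+) on interface (\S+)")

# (type, code) -> (meaning, generated in response to other traffic?)
# A "response" here is a reply or error message, not an unsolicited probe.
ICMP_MEANING = {
    (0, 0): ("echo reply", True),
    (3, 3): ("destination unreachable: port unreachable", True),
    (8, 0): ("echo request", False),
    (11, 0): ("time to live exceeded in transit", True),
    (11, 1): ("fragment reassembly time exceeded", True),
}

def summarize(log_text):
    """Group denied ICMP messages by source, interface, type and code."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            t, c, src, iface = m.groups()
            counts[(src, iface, int(t), int(c))] += 1
    rows = []
    for (src, iface, t, c), n in counts.most_common():
        meaning, is_reply = ICMP_MEANING.get((t, c), ("unknown", False))
        rows.append({"src": src, "interface": iface, "type": t, "code": c,
                     "count": n, "meaning": meaning, "reply": is_reply})
    return rows

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        kind = "response to earlier traffic" if r["reply"] else "unsolicited request"
        print(f'{r["src"]:15} {r["interface"]:8} x{r["count"]:<3} '
              f'type {r["type"]} code {r["code"]}: {r["meaning"]} ({kind})')
```

A source that shows up only with type 11 code 0 is a router reporting expired TTLs, so the next check is which inside host was sending the packets that expired there.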