
Firewall log interpretation.

w-asaadmin
Beginner

Hello All,

I just installed my ASA 5505 and the firewall log showed that it denied a connection from IP address 74.9.151.50 every second. Please see the attached file.

What does the log message indicate, and how do I stop IP address 74.9.151.50 from attacking my ASA?

Thank you for your help!!

5 Replies

brettmilborrow
Beginner

Do you have an ICMP policy configured on your ASA?

Try the following to check:

sh run | grep icmp

Thanks,

Here is the output:

ASA-ST# sh run | grep icmp

icmp unreachable rate-limit 1 burst-size 1

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

The ICMP type and code are the clue here: Type 11 code 0 = Time to Live exceeded in Transit.

This generally points to a routing loop in a path to a particular host. However, these blocked packets could be response packets to an outbound traceroute test.

Thanks again,

What would you recommend?

Well, I would check to see if someone was trying a traceroute test at the time.

It all depends if you want to allow traceroutes out of your network. If not, do nothing, your firewall is working as it should.

If you do, you will need to allow the ICMP packets back into your network using an ACL.
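Added example, not part of the original thread: a small Python triage script that groups denied inbound ICMP log lines by source and names the type/code, so a stream of type 11 code 0 denials can be read at a glance. The log line layout (syslog message 106014) is an assumption because the poster's attached log is not shown, and the sample lines and destination addresses are constructed.

```python
import re
from collections import Counter

# Assumed line layout (ASA syslog 106014); the thread's attached log
# is not reproduced on the page, so this pattern is an assumption.
DENY_ICMP = re.compile(
    r"Deny inbound icmp src (?P<src_if>[^:\s]+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)"
)

# Small subset of the IANA ICMP type/code registry.
ICMP_NAMES = {
    (0, 0): "echo reply",
    (3, 1): "destination unreachable: host unreachable",
    (3, 3): "destination unreachable: port unreachable",
    (8, 0): "echo request",
    (11, 0): "time exceeded: TTL exceeded in transit",
    (11, 1): "time exceeded: fragment reassembly time exceeded",
}

def summarize(lines):
    """Count denied ICMP packets per (source, type, code), most frequent first."""
    counts = Counter()
    for line in lines:
        m = DENY_ICMP.search(line)
        if m:  # lines that are not ICMP denials are skipped
            counts[(m["src"], int(m["type"]), int(m["code"]))] += 1
    return [
        {"src": src, "type": t, "code": c, "count": n,
         "meaning": ICMP_NAMES.get((t, c), "unlisted type/code")}
        for (src, t, c), n in counts.most_common()
    ]

# Constructed sample lines; 192.0.2.x and 198.51.100.x are documentation ranges.
SAMPLE = [
    "%ASA-3-106014: Deny inbound icmp src outside:74.9.151.50 dst inside:192.0.2.10 (type 11, code 0)",
    "%ASA-3-106014: Deny inbound icmp src outside:74.9.151.50 dst inside:192.0.2.10 (type 11, code 0)",
    "%ASA-3-106014: Deny inbound icmp src outside:198.51.100.7 dst inside:192.0.2.10 (type 3, code 3)",
    "constructed unrelated line that the parser should ignore",
    "%ASA-3-106014: Deny inbound icmp src outside:74.9.151.50 dst inside:192.0.2.10 (type 11, code 0)",
]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(f"{row['src']:<16} x{row['count']:<4} type {row['type']} code {row['code']}: {row['meaning']}")
```

The destination column of the real log shows which inside host the replies are addressed to, which is the machine to check for an outbound traceroute.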
