12-02-2010 05:00 AM - edited 03-11-2019 12:17 PM
Greetings,
We have a web server on our inside network behind our ASA that's "talking" to itself from its internal IP to its NAT IP:
1: 14:09:02.316344 172.16.0.166.51676 > 1.2.3.4.80: S 818099150:818099150(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
2: 14:09:05.318953 172.16.0.166.51676 > 1.2.3.4.80: S 818099150:818099150(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
The vendor is attempting to allow an external session the ability to download a PDF file from the server - and the Land Attack block is preventing that from occurring.
The web server vendor is insisting that this should be allowed. I'm not in agreement, but I don't know enough about this issue to argue that point.
If this needs to be allowed - is there a way to do so on the ASA?
Thanks.
12-02-2010 05:07 AM
Please check with "show capture NAME detail" what MAC addresses are indicated as source and destination. This looks to me like a packet looping and not a typical LAND attack.
Note that on the TCP level it's the SAME exact packet - based on ISN 818099150.
Marcin
12-02-2010 11:22 AM
Hi Marcin,
Here are the sho cap details:
Result of the command: "sh cap capi detail | in 1.2.3.4"
1: 13:58:40.390192 0022.5560.3601 0013.c480.5e0b 0x0800 66: 172.16.0.166.56581 > 1.2.3.4.80: S [tcp sum ok] 2272504169:2272504169(0) win 8192
2: 13:58:43.390833 0022.5560.3601 0013.c480.5e0b 0x0800 66: 172.16.0.166.56581 > 1.2.3.4.80: S [tcp sum ok] 2272504169:2272504169(0) win 8192
3: 13:58:49.391825 0022.5560.3601 0013.c480.5e0b 0x0800 62: 172.16.0.166.56581 > 1.2.3.4.80: S [tcp sum ok] 2272504169:2272504169(0) win 8192
I guess this shows the same MAC for both source and destination?
Thanks.
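As an added example (not code from the thread or from Cisco), a small Python parser for the "show capture" lines quoted above that applies the checks Marcin describes: compare source and destination MAC, compare source and destination IP (the classic LAND signature), flag a host sending to its own NAT address, and group SYNs by 5-tuple plus ISN to show that the repeated lines are one retransmitted SYN. The NAT mapping 172.16.0.166 -> 1.2.3.4 is taken from the poster's description and passed in as an assumption.

```python
import re
from collections import Counter

# One line of ASA "show capture NAME [detail]" output, in the form quoted in this thread.
# The MAC / ethertype / length fields are only present with "detail".
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
CAP_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<time>[\d:.]+)\s+"
    rf"(?:(?P<smac>{MAC})\s+(?P<dmac>{MAC})\s+0x0800\s+\d+:\s+)?"
    r"(?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRPAU.]+)\s+(?:\[tcp sum ok\]\s+)?(?P<isn>\d+):\d+\(\d+\)"
)

def parse_capture(text):
    """Parse capture lines into dicts; lines that do not match the format are skipped."""
    pkts = []
    for line in text.splitlines():
        m = CAP_RE.match(line)
        if m:
            d = m.groupdict()
            d["isn"] = int(d["isn"])
            pkts.append(d)
    return pkts

def analyze(pkts, nat_map):
    """Apply the checks discussed in the thread.
    nat_map: inside IP -> its static NAT (outside) IP (assumed, e.g. {"172.16.0.166": "1.2.3.4"}).
    """
    f = {"land_style": [], "same_mac": [], "hairpin_own_nat": [], "retransmitted_syn": {}}
    syns = Counter()
    for p in pkts:
        if p["sip"] == p["dip"]:                  # classic LAND signature: src IP == dst IP
            f["land_style"].append(p["idx"])
        if p["smac"] and p["smac"] == p["dmac"]:  # the MAC comparison Marcin asked for
            f["same_mac"].append(p["idx"])
        if nat_map.get(p["sip"]) == p["dip"]:     # inside host sending to its own NAT address
            f["hairpin_own_nat"].append(p["idx"])
        if p["flags"] == "S":                     # same 5-tuple + ISN = one SYN retransmitted
            syns[(p["sip"], p["sport"], p["dip"], p["dport"], p["isn"])] += 1
    f["retransmitted_syn"] = {k: n for k, n in syns.items() if n > 1}
    return f

# Sample input: the three "detail" lines quoted in the post above.
SAMPLE = """\
1: 13:58:40.390192 0022.5560.3601 0013.c480.5e0b 0x0800 66: 172.16.0.166.56581 > 1.2.3.4.80: S [tcp sum ok] 2272504169:2272504169(0) win 8192
2: 13:58:43.390833 0022.5560.3601 0013.c480.5e0b 0x0800 66: 172.16.0.166.56581 > 1.2.3.4.80: S [tcp sum ok] 2272504169:2272504169(0) win 8192
3: 13:58:49.391825 0022.5560.3601 0013.c480.5e0b 0x0800 62: 172.16.0.166.56581 > 1.2.3.4.80: S [tcp sum ok] 2272504169:2272504169(0) win 8192
"""

if __name__ == "__main__":
    print(analyze(parse_capture(SAMPLE), {"172.16.0.166": "1.2.3.4"}))
```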
12-02-2010 02:58 PM
Indeed, the same source and destination MAC address shows that the packet is not looping.
What's the message exactly in the ASA logs, and if you could put things in perspective (topology etc.). The IP addresses involved don't make much sense to me.
Anyway, there is no way to disable the LAND attack check in code, but there were instances where it was printed out without need.
Vide:
Marcin