11-01-2007 11:56 AM - edited 03-09-2019 07:11 PM
Hi all team:
I have two ASAs connected together, one with an IPS module and the other with an AntiX module; the inside interface of the first one is connected to the outside of the second one.
The first one has a default route to the ISP "internet" and the second has a default route to the first one. I don't do static in the first one because all IPs are public, and I run ver 7.2 on both ASAs, so all my ASAs will work like a router. Well, my problem is the second ASA can not get access to the internet; when I open the logging in the first ASA I can see that the first ASA denies the second ASA by saying:
"%ASA-2-106017: Deny IP due to Land Attack from xx.xx.xx.66 to xx.xx.xx.66"
When I remove the second one and put my laptop with the same IP address I can connect to the internet, but when I put the second ASA I can not, so I know there is a special configuration when you connect two ASAs to work together.
So can anyone help please?
11-01-2007 12:12 PM
Can anyone help please?
11-01-2007 03:20 PM
Hi ...
Can you post your configs?
11-02-2007 01:54 AM
11-02-2007 08:53 AM
Hi,
I tried to go through the configurations, but without IP addresses it is difficult.
The syslog message 2-106017 means that the security appliance received a packet with the IP source address equal to the IP destination, and the destination port equal to the source port. This message indicates a spoofed packet that is designed to attack systems. Please confirm that you don't have the same IP addresses on the firewalls, and also include a permit icmp any any on line 1 of the access-list OUTSIDE_IN in the first ASA. Then try to ping first the outside interface of the secondary PIX; if that works, then try to ping 4.2.2.2, turn on debug icmp trace on both firewalls and look at the output.
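As an added example (not from the thread or from Cisco), here is a small Python triage script that parses ASA syslog lines, picks out message 106017, and separates events whose source address is one of your own devices (the duplicated-address false positive discussed here) from the rest. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Generic ASA syslog header: %ASA-<severity>-<message id>: <text>
ASA_HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)")
# Body of message 106017, in the form quoted in the thread
LAND_ATTACK = re.compile(
    r"Deny IP due to Land Attack from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r" to (?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
)

class LandEvent(NamedTuple):
    src: str
    dst: str
    severity: int

def parse_land_attack(line: str) -> Optional[LandEvent]:
    """Return a LandEvent for a %ASA-2-106017 line, otherwise None."""
    m = ASA_HEADER.search(line)
    if not m or m.group("msgid") != "106017":
        return None
    body = LAND_ATTACK.search(m.group("text"))
    if not body:
        return None
    return LandEvent(body.group("src"), body.group("dst"), int(m.group("sev")))

def triage(lines, own_addresses):
    """Count 106017 denials per source address and split them into events
    that carry one of our own firewall/host addresses (likely a duplicated
    or looped address, as in the thread) and events that do not."""
    by_addr = Counter()
    own, foreign = [], []
    for line in lines:
        ev = parse_land_attack(line)
        if ev is None:
            continue
        by_addr[ev.src] += 1
        (own if ev.src in own_addresses else foreign).append(ev)
    return by_addr, own, foreign

# Constructed sample log lines; addresses are from documentation ranges
SAMPLE_LOG = """\
Nov 01 2007 11:50:01 fw1 %ASA-2-106017: Deny IP due to Land Attack from 192.0.2.66 to 192.0.2.66
Nov 01 2007 11:50:02 fw1 %ASA-6-302013: Built outbound TCP connection 12 for outside:198.51.100.9/80 (198.51.100.9/80) to inside:192.0.2.70/4123 (192.0.2.70/4123)
Nov 01 2007 11:50:03 fw1 %ASA-2-106017: Deny IP due to Land Attack from 192.0.2.66 to 192.0.2.66
Nov 01 2007 11:50:04 fw1 %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.5 to 203.0.113.5
""".splitlines()

if __name__ == "__main__":
    counts, own, foreign = triage(SAMPLE_LOG, {"192.0.2.66"})
    for addr, n in counts.most_common():
        print(f"{addr}: {n} land-attack denials")
    print(f"{len(own)} involve our own addresses, {len(foreign)} do not")
```

Feed it your own syslog export and the outside/inside addresses of both ASAs; a 106017 count dominated by one of your own addresses points at an addressing or routing loop between the two boxes rather than at an outside attacker.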
11-03-2007 03:30 AM
Hi Friend:
First of all, thank you for your care and help.
Then, I know what the message 2-106017 means, but I want to inform you that the IP I get in this message was the IP of the second ASA-AntiX,
so I know there is no spoof attack; it is just a false positive alarm. But about the real IP address, I can not give it; you know, friend, there are so many people reading the site, so I can not post my real IP even if I have secured my network very well. Whatever, thanks for your help, friend.
11-04-2007 12:40 PM
Hi Emad,
I recommend using "packet-tracer" to trace a packet going through the ASA-AntiX. This will help by tracing what happens to the packet when it goes through the ASA.
I agree that without IP addresses this is hard to troubleshoot. Using "packet-tracer" may help you see the problem from your end. Details on this command may be found using the command lookup tool: http://tools.cisco.com/Support/CLILookup/cltSearchAction.do?Application_ID=CLT&IndexId=IOS&IndexOptionId=123&SearchPhrase=%22*%22&Paging=25&ActionType=getCommandList&Bookmark=True
The example given in the command reference is: hostname# packet-tracer input inside tcp 10.2.25.3 www 209.165.202.158 aol detailed
You will need to use something similar, but replace the IPs and specify the type of traffic you are experiencing problems with.
Let me know how you get on.