02-23-2010 10:46 AM
Now that I have the ASA5505 up and running, the log buffer is filling up with critical level 2 messages, such as below:
2|Feb 23 2010|09:43:14|106001|207.46.236.175|173.8.218.60|Inbound TCP connection denied from 207.46.236.175/80 to 173.8.218.60/1719 flags PSH ACK on interface outside
2|Feb 23 2010|09:30:34|106001|208.80.152.3|173.8.218.60|Inbound TCP connection denied from 208.80.152.3/80 to 173.8.218.60/1571 flags SYN ACK on interface outside
2|Feb 23 2010|09:29:51|106001|65.54.95.161|173.8.218.60|Inbound TCP connection denied from 65.54.95.161/80 to 173.8.218.60/1586 flags PSH ACK on interface outside
2|Feb 23 2010|09:29:51|106001|65.54.95.161|173.8.218.60|Inbound TCP connection denied from 65.54.95.161/80 to 173.8.218.60/1586 flags ACK on interface outside
2|Feb 23 2010|09:29:50|106001|38.113.115.195|173.8.218.60|Inbound TCP connection denied from 38.113.115.195/80 to 173.8.218.60/1597 flags ACK on interface outside
2|Feb 23 2010|09:29:50|106001|38.113.115.195|173.8.218.60|Inbound TCP connection denied from 38.113.115.195/80 to 173.8.218.60/1596 flags ACK on interface outside
2|Feb 23 2010|09:29:50|106001|38.113.115.195|173.8.218.60|Inbound TCP connection denied from 38.113.115.195/80 to 173.8.218.60/1595 flags ACK on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1579 flags PSH ACK on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1579 flags ACK on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1578 flags PSH ACK on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1578 flags ACK on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1577 flags PSH ACK on interface outside
2|Feb 23 2010|09:29:49|106001|196.30.168.79|173.8.218.60|Inbound TCP connection denied from 196.30.168.79/80 to 173.8.218.60/1577 flags ACK on interface outside
I did find out that 196.30.168.79 is from South Africa (if we believe that the IP inside the packet is unaltered and correct).
Shall I ignore these types of messages, or are they suggesting that I need more security policies in the "outside" interface VLAN 1?
I don't know whether to wring my hands or pat the ASA5505 on the back.
Any security gurus with some suggestions?
Randall
02-25-2010 08:29 AM
Hi,
These all seem to be inbound connections coming from port 80. They could be web servers' responses to requests from the inside.
Can you do a "sh loc internal_IP" to see if the connections are valid web connections initiated from inside the ASA?
Federico.
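As an added example (not part of either post), a small triage script that approaches the same question from the log side: it parses 106001 lines and separates packets that look like web-server replies (source port 80/443, ACK set, high destination port) from bare SYNs, which are new inbound connection attempts. The sample lines, label names and port set are assumptions constructed for illustration, and the labels are a heuristic that does not replace checking the firewall's own connection state.

```python
import re
from collections import Counter

# Constructed sample in the log-viewer format shown in the thread (documentation IP ranges).
SAMPLE = """\
2|Feb 23 2010|09:43:14|106001|198.51.100.10|203.0.113.5|Inbound TCP connection denied from 198.51.100.10/80 to 203.0.113.5/1719 flags PSH ACK on interface outside
2|Feb 23 2010|09:30:34|106001|198.51.100.20|203.0.113.5|Inbound TCP connection denied from 198.51.100.20/80 to 203.0.113.5/1571 flags SYN ACK on interface outside
2|Feb 23 2010|09:29:50|106001|198.51.100.30|203.0.113.5|Inbound TCP connection denied from 198.51.100.30/443 to 203.0.113.5/1597 flags FIN ACK on interface outside
2|Feb 23 2010|09:29:49|106001|192.0.2.77|203.0.113.5|Inbound TCP connection denied from 192.0.2.77/51515 to 203.0.113.5/22 flags SYN on interface outside
2|Feb 23 2010|09:29:48|106001|192.0.2.77|203.0.113.5|Inbound TCP connection denied from 192.0.2.77/51516 to 203.0.113.5/3389 flags SYN on interface outside
"""

LINE_RE = re.compile(
    r"Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<ifc>\S+)"
)
WEB_PORTS = {80, 443}  # assumption: source ports treated as "web server"


def classify(line):
    """Return (label, fields) for one 106001 line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = set(m["flags"].split())
    sport, dport = int(m["sport"]), int(m["dport"])
    if flags == {"SYN"}:
        label = "unsolicited-syn"      # new inbound connection attempt
    elif "ACK" in flags and sport in WEB_PORTS and dport >= 1024:
        label = "likely-web-reply"     # server-side packet with no matching connection
    else:
        label = "other"
    return label, m.groupdict()


def summarize(text):
    """Count labels overall and count bare-SYN packets per source address."""
    counts, syn_sources = Counter(), Counter()
    for line in text.splitlines():
        if (result := classify(line)) is None:
            continue
        label, fields = result
        counts[label] += 1
        if label == "unsolicited-syn":
            syn_sources[fields["src"]] += 1
    return counts, syn_sources


print(summarize(SAMPLE))
```

A log dominated by `likely-web-reply` points at late or orphaned return traffic, while repeated `unsolicited-syn` entries from one source to several ports are the ones worth a closer look.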