09-09-2015 03:32 PM - edited 02-21-2020 08:27 PM
I am trying to create a VPN access for IPSEC (full client access) and so far I am having trouble after I successfully connected.
The user can successfully log in and gets an IP address with the help of the VPN address pool,
and then the ASA is flooded with "Deny IP due Land Attack".
I understand that I should look into my NAT setup, but honestly I don't get what is wrong with it. I am a Cisco newbie, so please be gentle.
VPN is set up on the outside interface.
The inside10 interface is NATted to outside for any source, any destination.
09-09-2015 04:43 PM
Can you provide the error message that you are getting along with your configuration?
09-09-2015 05:29 PM
09-09-2015 11:51 PM
Do you need the below NAT rule for the internet access from the vlan 10 interface, or do you have any other requirement:
nat (inside10,outside) source dynamic NETWORK_OBJ_INSIDE10 interface
09-10-2015 01:48 AM
Well vlan10 is our desktop vlan and they should have internet access. Hence I think I need that nat rule.
09-10-2015 10:35 AM
Can you apply a capture on the inside20 interface of the ASA:
capture cap interface inside20 match ip any any
and check if you see any traffic being sent out from the internal network to the IP address mentioned in the Land Attack syslog.
Try running a packet tracer as well for the same traffic that is captured.
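To know which address to look for in that capture, the Land Attack syslog lines can be tallied first. The script below is an added example, not part of the thread; it assumes the standard %ASA-2-106017 message text, and the sample log lines, capture names and function names are constructed for illustration.

```python
import re
from collections import Counter

# Syslog 106017 as the ASA writes it: the two addresses are the packet's
# source and destination, which are identical in a land-attack packet.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LAND_RE = re.compile(
    rf"%ASA-\d-106017: Deny IP due to Land Attack from (?P<src>{IPV4}) to (?P<dst>{IPV4})"
)

# Constructed sample lines (RFC 5737 documentation addresses), not from the thread.
SAMPLE_LOG = """\
Sep 09 2015 15:40:01: %ASA-2-106017: Deny IP due to Land Attack from 192.0.2.10 to 192.0.2.10
Sep 09 2015 15:40:01: %ASA-6-302013: Built inbound TCP connection 41 for outside:198.51.100.7/51000 (198.51.100.7/51000) to inside10:192.0.2.50/443 (192.0.2.50/443)
Sep 09 2015 15:40:02: %ASA-2-106017: Deny IP due to Land Attack from 192.0.2.10 to 192.0.2.10
Sep 09 2015 15:40:03: %ASA-2-106017: Deny IP due to Land Attack from 192.0.2.11 to 192.0.2.11
"""


def land_attack_addresses(log_text):
    """Count 106017 events per address, ignoring every other message ID."""
    counts = Counter()
    for m in LAND_RE.finditer(log_text):
        if m["src"] == m["dst"]:  # sanity check on the parsed line
            counts[m["src"]] += 1
    return counts


def capture_commands(counts, interface="inside20", top=3):
    """Build one narrowed ASA capture per address, busiest address first.

    The interface name defaults to the one used in the thread; the
    capture names (land1, land2, ...) are made up for this example.
    """
    return [
        f"capture land{i} interface {interface} match ip host {ip} any"
        for i, (ip, _) in enumerate(counts.most_common(top), start=1)
    ]


if __name__ == "__main__":
    counts = land_attack_addresses(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{n:5d}  {ip}")
    print("\n".join(capture_commands(counts)))
```

Narrowing the capture to the logged address keeps the buffer from filling with unrelated traffic, which `match ip any any` would collect on a busy interface.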
11-17-2015 11:05 AM
Update:
Those messages went away when I corrected a misconfiguration for the split VPN tunnel. After that was corrected, there were no Land Attack messages anymore.