VPN IPSEC

hm_alexander1
Level 1

I am trying to create a VPN access for IPsec (full client access), and so far I am having trouble after I successfully connected.

The user can successfully log in and gets an IP address with the help of the VPN address pool,

and then the ASA is flooded with "Deny IP due to Land Attack".

I understand that I should look into my NAT setup, but honestly I don't get what is wrong with it. I am a Cisco newbie, so please be gentle.

VPN is set up on the outside interface.

The inside10 interface is NATed to outside for any source to any destination.

6 Replies

TarheelsRock1
Level 1

Can you provide the error message that you are getting along with your configuration? 

Error Message: 2    Sep 09 2015    20:29:04        10.50.50.10        10.50.50.10        Deny IP due to Land Attack from 10.50.50.10 to 10.50.50.10
: Hardware:   ASA5512, 4096 MB RAM, CPU Clarkdale 2792 MHz, 1 CPU (2 cores)
: Written by enable_15 at 17:22:03.391 EDT Wed Sep 9 2015
!
ASA Version 9.5(1)
ip local pool VPN 10.50.50.10-10.50.50.100 mask 255.255.255.0
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 24.XXX.XX.XXX 255.255.255.252 
!
interface GigabitEthernet0/2.10
 description Desktop
 vlan 10
 nameif inside10
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2.20
 description Server
 vlan 20
 nameif inside20
 security-level 100
 ip address 10.20.20.1 255.255.255.0
!
interface GigabitEthernet0/2.30
 description WiFi
 vlan 30
 nameif inside30
 ip address 10.30.30.1 255.255.255.0
!
interface GigabitEthernet0/2.40
 description WiFi Guest
 vlan 40
 nameif inside40
 security-level 100
 ip address 10.40.40.1 255.255.255.0
!
interface GigabitEthernet0/2.50
 vlan 50
 nameif vpn50
 security-level 100
 ip address 10.50.50.1 255.255.255.0
same-security-traffic permit inter-interface 
nat (inside10,outside) source dynamic NETWORK_OBJ_INSIDE10 interface
nat (inside20,outside) source static any any destination static NETWORK_OBJ_10.50.50.0_25 NETWORK_OBJ_10.50.50.0_25 no-proxy-arp route-lookup
nat (inside20,outside) source dynamic any interface
nat (inside30,outside) source dynamic any interface
nat (inside40,outside) source dynamic any interface
nat (inside10,inside20) source static any any
nat (inside30,inside20) source static any any 
 
no vpn-addr-assign aaa
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local 
 
webvpn
 enable outside
 enable inside20
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1 regex "Intel Mac OS X"
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2 regex "Windows NT"
 anyconnect enable
 error-recovery disable
 dns-server value 10.20.20.4
 vpn-idle-timeout 10
 vpn-session-timeout 120
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 default-domain value littlebrothers.org
 split-dns value littlebrothers.org
 split-tunnel-all-dns enable
 webvpn
  url-list value Inside
  anyconnect ask none default webvpn
dynamic-access-policy-record DfltAccessPolicy 
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN
 authentication-server-group LBFE-VPN
 dhcp-server 10.10.10.1
 dhcp-server 10.50.50.1
tunnel-group DefaultRAGroup webvpn-attributes
 group-alias DefaultRAGroup enable
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN
 dhcp-server 10.10.10.1
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias DefaultWEBVPNGroup enable 

Do you need the below NAT rule for internet access from the VLAN 10 interface, or do you have any other requirement:

nat (inside10,outside) source dynamic NETWORK_OBJ_INSIDE10 interface

Well, VLAN 10 is our desktop VLAN and they should have internet access. Hence I think I need that NAT rule.

Can you apply a capture on the inside20 interface of the ASA:

capture cap interface inside20 match ip any any

and check if you see any traffic being sent out from the internal network to the IP address mentioned in the Land Attack syslog.

Try running packet-tracer as well for the same traffic that is captured.

hm_alexander1
Level 1

Update:

Those messages went away when I corrected a misconfiguration of the split VPN tunnel. After that was corrected, there were no more Land Attack messages.
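The symptom in this thread is an ASA syslog (message 106017, "Deny IP due to Land Attack") whose source and destination are the same address, and that address is one the ASA itself handed out from the VPN pool (10.50.50.10 lies in the thread's "ip local pool VPN" range). Before reaching for captures, that pattern can be pulled straight out of the log. The following Python script is an added example, not code from the thread or from Cisco: it parses constructed sample syslog lines modelled on the one posted above, keeps only the Land Attack denials, checks whether the denied address falls inside the thread's pool, and counts denials per address pair. The column layout, the regex and the triage labels are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines in the column layout shown in the thread
# (severity, date, time, source, destination, message). The first two copy
# the posted Land Attack line; the third is a made-up normal connection
# message so the filter has something to ignore.
SAMPLE_LOG = """\
2    Sep 09 2015    20:29:04        10.50.50.10        10.50.50.10        Deny IP due to Land Attack from 10.50.50.10 to 10.50.50.10
2    Sep 09 2015    20:29:05        10.50.50.10        10.50.50.10        Deny IP due to Land Attack from 10.50.50.10 to 10.50.50.10
6    Sep 09 2015    20:29:06        10.10.10.25        8.8.8.8        Built outbound UDP connection 1234 for outside:8.8.8.8/53 to inside10:10.10.10.25/51234
"""

# VPN address pool from the thread's "ip local pool VPN" line (inclusive range).
VPN_POOL = (ipaddress.ip_address("10.50.50.10"), ipaddress.ip_address("10.50.50.100"))

# Matches the text of the ASA Land Attack denial (message 106017).
LAND_RE = re.compile(r"Deny IP due to Land Attack from (\S+) to (\S+)")


def in_vpn_pool(addr: str) -> bool:
    """True if addr lies inside the VPN pool range (inclusive)."""
    a = ipaddress.ip_address(addr)
    return VPN_POOL[0] <= a <= VPN_POOL[1]


def parse_land_events(log_text: str) -> list:
    """Extract Land Attack denials as dicts; every other line is ignored."""
    events = []
    for line in log_text.splitlines():
        m = LAND_RE.search(line)
        if not m:
            continue
        src, dst = m.groups()
        events.append({
            "src": src,
            "dst": dst,
            "same_address": src == dst,
            "src_in_vpn_pool": in_vpn_pool(src),
        })
    return events


def triage(src: str, dst: str) -> str:
    """Hypothetical triage label (an assumption of this example, not an ASA category).

    A Land Attack denial always has src == dst. When that address is one the
    ASA handed out from the VPN pool, the packet is a VPN client's own traffic
    arriving back addressed to itself, which points at the client's split-tunnel
    and NAT handling (the fix in this thread) rather than at an outside sender.
    """
    if src != dst:
        return "not-land"
    if in_vpn_pool(src):
        return "vpn-client-self-traffic"
    return "non-pool-address"


def summarize(events: list) -> dict:
    """Count denials per (src, dst) pair so the noisiest address stands out."""
    return dict(Counter((e["src"], e["dst"]) for e in events))


if __name__ == "__main__":
    evs = parse_land_events(SAMPLE_LOG)
    for (src, dst), n in summarize(evs).items():
        print(f"{src} -> {dst}: {n} denial(s), triage={triage(src, dst)}")
```

Run it against a real export by replacing SAMPLE_LOG with the contents of the syslog file; if every denied pair is a pool address talking to itself, the client-side tunnel configuration is the first place to look, as the update above confirms.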