Deny inbound UDP flood

We are receiving thousands of "Deny inbound UDP from x.x.x.x/53 to x.x.x.x/2713 due to DNS Response" per minute on our ASA 5510. All of the responses are destined to a single one of our external IPs. This is overloading our ASA and preventing traffic getting out to the Internet during these attacks. Anyone have any suggestions as to what we can do to mitigate this problem? Thanks

If this really is an attack, then allowing the traffic into your network is not the correct action!
How is the problem manifesting itself? If the outbound link is being saturated with traffic, then talk to your ISP.
If you think the volume of syslog messages on your ASA is causing a performance problem, then you can configure the message ID to appear at a higher syslog level so that it does not appear at your current logging level. Obviously this would be in effect for all messages of this type, so you may not be aware of similar attacks taking place.
Talk to your ISP :)
cheers,
Seb.
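
A way to triage what that log is actually saying, added here as an example and not part of the thread above: the script parses %ASA-2-106007 lines out of a syslog feed, buckets them per minute and per destination, and separates unsolicited DNS responses (the 5510 case above, which is also what a reflection flood aimed at one of your addresses looks like) from denied DNS queries (the intra-interface cases further down this page). The log lines, the hostname fw01 and the 203.0.113.x / 198.51.100.x addresses are constructed (RFC 5737 documentation ranges); the threshold is a placeholder to tune against your own baseline.

```python
"""Bucket and triage ASA message 106007 (Deny inbound UDP ... due to DNS
Response|Query) from a syslog feed.

Added example; not from the original thread. Everything in SAMPLE_LOG is
constructed: hostname fw01 and the 203.0.113.0/24 and 198.51.100.0/24
addresses are RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Dec  8 12:02:41 fw01 %ASA-2-106007: Deny inbound UDP from 203.0.113.10/53 to 198.51.100.7/2713 due to DNS Response
Dec  8 12:02:41 fw01 %ASA-2-106007: Deny inbound UDP from 203.0.113.11/53 to 198.51.100.7/2713 due to DNS Response
Dec  8 12:02:42 fw01 %ASA-2-106007: Deny inbound UDP from 203.0.113.12/53 to 198.51.100.7/2713 due to DNS Response
Dec  8 12:02:42 fw01 %ASA-2-106007: Deny inbound UDP from 203.0.113.13/53 to 198.51.100.7/2713 due to DNS Response
Dec  8 12:02:43 fw01 %ASA-2-106007: Deny inbound UDP from 203.0.113.14/53 to 198.51.100.7/2713 due to DNS Response
Dec  8 12:02:45 fw01 %ASA-2-106007: Deny inbound UDP from 10.50.15.6/55978 to 10.50.15.5/53 due to DNS Query
Dec  8 12:03:01 fw01 %ASA-2-106007: Deny inbound UDP from 203.0.113.10/53 to 198.51.100.9/40000 due to DNS Response
Dec  8 12:03:05 fw01 %ASA-5-111008: User 'admin' executed the 'show logging' command.
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Syslog timestamp (kept to the minute), hostname, then the 106007 body.
LINE_RE = re.compile(
    r"^(?P<minute>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}):\d{2} \S+ "
    r"%ASA-(?P<sev>\d)-106007: Deny inbound UDP from "
    rf"(?P<src>{IPV4})/(?P<sport>\d+) to (?P<dst>{IPV4})/(?P<dport>\d+) "
    r"due to DNS (?P<kind>Response|Query)\s*$"
)


def parse_106007(line):
    """Return the fields of one 106007 line, or None for any other message."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sev", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def dns_deny_report(log_text, threshold):
    """Group 106007 denies by (minute, destination, kind) and flag buckets
    with at least `threshold` hits. Each finding carries the number of
    distinct source addresses, which is what separates a reflection flood
    (many resolvers answering one victim) from a single misbehaving peer."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_106007(line)
        if rec is not None:
            buckets[(rec["minute"], rec["dst"], rec["kind"])].append(rec)

    findings = []
    for (minute, dst, kind), recs in buckets.items():
        if len(recs) < threshold:
            continue
        sources = {r["src"] for r in recs}
        if kind == "Response":
            # The ASA has no connection entry for these answers: nothing inside
            # sent the matching query (spoofed-source reflection), or the
            # query's UDP entry already timed out. Either way, unsolicited.
            verdict = ("unsolicited DNS responses from many sources (reflection pattern)"
                       if len(sources) > 1 else
                       "unsolicited DNS responses from a single resolver")
        else:
            # Queries are dropped on their way to the resolver: a policy or
            # routing problem on the inside, not an external flood.
            verdict = "DNS queries denied toward resolver (check ACL/route/intra-interface)"
        findings.append({
            "minute": minute, "dst": dst, "kind": kind,
            "count": len(recs), "distinct_sources": len(sources),
            "verdict": verdict,
        })
    findings.sort(key=lambda f: (-f["count"], f["minute"], f["dst"]))
    return findings


if __name__ == "__main__":
    for f in dns_deny_report(SAMPLE_LOG, threshold=3):
        print(f"{f['minute']} {f['dst']:<15} {f['kind']:<8} "
              f"n={f['count']} sources={f['distinct_sources']} :: {f['verdict']}")
```

Run it against a saved syslog file and look at which destination, and how many distinct port-53 sources, appear in each flagged minute: thousands of different resolvers answering one host that never asked is the pattern to hand to the ISP, because the ASA can only drop those packets after they have already crossed the link. If the message volume itself is the problem, the ASA command that implements Seb's suggestion is `logging message 106007 level <severity>`, which moves only that message ID to another level.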

Similar Messages

  • UDP FLOODING and NON-FUNCTIONAL INBOUND LOG

    Hello,
    I have been using Linksys Routers since 1998, IIRC. I just bought a new "Cisco" (LINKSYS) E1200 and
    the INBOUND log does not work, even after activating the log function in the "Administration" area. The
    OUTBOUND log works.
    Also, my desktop workstation (a Dell T3500 running XP SP3) is being flooded with inbound UDP on
    port 1900, which is usually used for Universal Plug and Play.
    HOWEVER, I have everything that can be disabled, disabled. The router works fine as a DHCP server
    but I do have the problems described. It even allows ICMP through sometimes, as well as NetBIOS
    name requests on incoming UDP port 137. NetBIOS is deactivated on my computer on port 139
    as well as SMB on TCP port 445 (via a registry configuration). Nothing is listening on any ports except
    TCP port 44334 (that's my software firewall).
    I know the inbound log is not working because I have had my ports scanned and nothing shows up
    in the inbound log, TCP or UDP or ICMP. I know the outbound log (which is very small) works because
    I see the IP addresses in the outbound log. (please see the attachment)
    How do I fix the problems?

    That router has been out a long time now, since 2011 I think. As a home router it works pretty well for the basic stuff, but it seems to me that all the "home" routers are a little hit or miss on how they handle more specific things like what you are talking about. I would see if it has the latest firmware installed on it. That may possibly clear up some of it. If not, you may want to contact linksyscares and see if they can help you. I wish Cisco was still building these, but since they sold this line to Belkin the quality seems to have suffered in my opinion. Hopefully it will improve over time.

  • Deny inbound (no xlate)

    I have a problem with a FWSM on a 6509. I am on vlan1 and I want to ping a PC on vlan2. I get this error:
    Deny inbound (No xlate) icmp src Vlan2:x.x.x.x dst Vlan2:y.y.y.y (type 8, code 0)
    If I ping another pc on the vlan2 I don't have any problem. I know this error occurs because fwsm doesn't permit traffic when src and dst are on the same vlan. My question is: why does firewall see my pc on vlan2 even if my pc is on vlan1?
    There is a NAT exemption rule from vlan1 to vlan2.
    Thanks!

    I think type 8, code 0 is caused by the Nachi worm.
    Better try this ACL on your device.
    access-list acl-in deny tcp any any eq 4444
    access-list acl-in deny tcp any any eq 135
    access-list acl-in deny udp any any eq 135
    access-list acl-in deny udp any any eq 69
    access-list acl-in deny icmp any any
    access-list acl-in permit ip any any
    access-group acl-in in interface inside

  • UDP Flood to Host when iPhone connected to WiFi

    Have been bothered with this issue for weeks now and finally decided to ask for help. Any suggestion is highly appreciated.
    When my iPhone (and my wife's) are connected to the home (WiFi) network, there's a seemingly random amount of UDP Flood to Host errors in my router's security log, at random times. Because of this, the router goes into 300 sec lock-down, wherefore obviously no internet.
    Using the iPhone console and my router's security log doesn't provide any clear insight on what app or other configuration on the iPhone triggers this. It even happens at night when both we and our phones are supposed to be asleep. There is a slight pattern noticeable: in 80% of the cases the UDP Flood is preceded by a "Sending ACK" to my iPhone.
    I'm quite certain it's related to the iPhone. E.g. this morning I kept my WiFi on the phone switched off and used the internet on my notebook non-stop without any problem. The moment I turn on WiFi on my iPhone this happens:
    01/02/2011 15:22:31 **UDP Flood to Host** 86.89.201.51, 32768->> 195.121.1.66, 53 (from ATM1 Outbound)
    01/02/2011 15:22:31 **UDP Flood to Host** 86.89.201.51, 32768->> 195.121.1.34, 53 (from ATM1 Outbound)
    01/02/2011 15:16:27 **UDP Flood to Host** 86.89.201.51, 32768->> 195.121.1.66, 53 (from ATM1 Outbound)
    01/02/2011 15:16:27 **UDP Flood to Host** 86.89.201.51, 32768->> 195.121.1.34, 53 (from ATM1 Outbound)
    Additional info: iPhone is iOS 4.2.1, router is Sitecom WL-304 with latest firmware installed and firewall activated. The 195.121.1.34 and .66 IPs are the DNS servers of my provider. And it is ALWAYS port 32768. Nevertheless, when I scan for action on this port using a variety of port checkers, they all say it's closed/not listening, safe, etc.

    I seem to be having exactly the same problem.
    I have an iPhone 4, my daughter a touch, also we have an iPad as well as three wireless laptops, one Wii, two PS3s all connecting wirelessly to the router - Philips SNA6500. Not all are using the system at once, of course!
    Everything was all fine until about two - three weeks ago. Apart from us adding a PS3 to the mix in the last week, I've not changed anything.
    So having read a few things, I reset the router and then slowly turned things on to connect. As soon as I used the iPhone 4 it caused this UDP flood statement in my security log:
    **UDP Flood to Host** 95.148.173.9, 32768->>193.36.79.100, 53 (from ATM1 Outbound)
    Having read the reply to the earlier post, you can see it's the same DNS 53.
    What's also made me think is I visited relatives over Christmas and my iPhone kept on dropping the connection.
    So I think there is an app or recent update that's causing this problem.
    Since turning off the iPhone connection to the wireless at home, it's not throwing up this error and I'm not getting access problems from my other wireless devices.
    So is it my iPhone or router at fault?
    Any ideas on what apps could be causing this?
    If I factory reset, it would potentially get rid of the problem, but I would have to rebuild my phone again. If I backup and restore, it will restore all. So would your recommendation be to sync to iTunes, screenshot all home pages on the iPhone so I know what specifically is on my phone, remove all non-apps, then slowly add them back on, of course making sure the base system works OK?
    Steve

  • Traceroute "Deny inbound icmp"

    Hi,
    I'm having difficulties with getting traceroute to work from inside to outside. Regular pings work fine, but not traceroute. I thought the ICMP inspection would allow all ICMP traffic; I have ICMP inspection on globally as well as on the inside interface.
    Commands:
    policy-map global_policy-map
     class global_class-map
      inspect icmp
      inspect icmp error
    policy-map inside_policy-map
     class inside_class-map
      inspect icmp
      inspect icmp error
    service-policy global_policy-map global
    service-policy inside_policy-map interface inside
    icmp permit any outside
    Here is the output:
    On the Real-Time Log Viewer:
    3    Deny inbound icmp src outside:4.69.150.77 dst inside:10.0.1.68 (type 11, code 0)
    Thanks for your help
    Delmiro

    Hello Delmiro,
    Amazing to hear that I could help someone else.
    Let me explain this:
    ICMP inspection: this command will convert the ICMP protocol into a stateful protocol, but it will work with the basic ICMP echo and echo reply; it will check the ICMP ID and place it into its stateful table waiting for a reply...
    In our scenario we are sending from a Windows machine ICMP echo packets with a TTL of 1 that keeps growing as it keeps moving, BUT the reply will be an ICMP unreachable, which the ASA will not be expecting, so it drops it.
    Hope that you could understand; if you do not have any other question please mark it as answered.
    If not, let me know and I will do it one more time.
    Regards,

  • UDP Flooding, ip forward-protocol, and service dhcp

    I've been reading up on how IOS routers handle DHCP using the "ip helper-address" command and ran across a few different terms / commands that I need help clarifying.
    I've found that "ip forward-protocol" is enabled by default for many services, and bootps is enabled by default.
    Then there's "service dhcp" which enables the DHCP relay service.
    I also see the term "UDP Flooding" mentioned in several places, but can't find any specifics on what this entails.
    Can someone please explain how "ip forward-protocol", "service dhcp", and "UDP Flooding" are different, how they interact, etc?
    Thanks!
    -Mason

    When configuring the ip helper-address command, the following broadcast packets will be forwarded by the router by default:
    TFTP - port 69
    Domain Name System (DNS) - port 53
    Time service - port 37
    NetBIOS Name Server - port 137
    NetBIOS Datagram Server - port 138
    Bootstrap Protocol (BOOTP) - port 67
    TACACS - port 49
    If you do not want all the defaults to be forwarded, issue the no ip forward-protocol command to disable the port from being forwarded by the router, as shown in this example:
    router(config-if)# ip helper-address x.x.x.x
    router(config)# no ip forward-protocol udp tftp
    With these commands, all default User Datagram Protocol (UDP) broadcasts except TFTP broadcasts are forwarded by the router.
    Configure the no ip forward-protocol command separately for each port to prevent the port from forwarding the broadcast packets by the router.

  • Cisco FWSM 'deny inbound' error in ASDM

    Hello
    We have an explicit rule allowing inbound traffic, however it recently stopped working. The rule is still in place, but we get a Deny message in the logs and the traffic does not pass. Would NAT have an effect on this? Someone changed the NAT from Static to Dynamic recently and I'm wondering if that might have broken something. Please let me know what further info you need.
    Thanks
    Amy

    NAT could very well be the issue here if it has been changed.
    You could check by running a packet tracer on the ASA from any public IP (4.2.2.2 for example) to the public IP of the server you are trying to reach. Make sure that the source port is a random high port (I normally use 12345) and make sure you specify the server port which is being used to access the server (for example, port 80 for webservers).
    packet-tracer input outside tcp 4.2.2.2 12345 <public IP of server> <port> detail

  • ASA 5510 denying local DNS Query

    I have a ASA5510 ASA v7.0.8 in routed firewall mode. It is setup as the internal router and default gateway.
    I was asked to set up a wireless router, I chose a D-Link DIR-815 (we are a small business).
    I have it all set up but I cannot get any name resolution.
    The firewall is blocking traffic that is all internal. To clarify, it is only blocking the DNS traffic from the D-Link wireless router; the rest of the network operates just fine.
    the message in the ASA log is like the following:
    Deny inbound UDP from 192.168.1.246/xxxx to 192.168.1.10/53 due to DNS Query.
    .246 being the "WAN" port my wireless router and .10 being my DNS server.
    I tried adding an ACL "access-list dns extended permit udp any eq 53 any" but this didn't help.
    Any ideas? Thanks.

    To let anyone know, if I take the same IP settings from the wireless router WAN port and put them on the LAN settings and use it like an AP it all works just fine.

  • Cisco ASA 5505 Blocking LAN Domain Queries

    Hi guys,
    Okay, my scenario: datacentre hosted system with 4 servers connected to a Cisco ASA5505. Everything was working fine with 4x Windows Server 2003 machines, but since pulling 2 out and replacing them with Windows Server 2008 machines I get a flood of the error below and it blocks communications back to the IP listed, which is the domain controller, so naturally this makes the 2 new servers unusable.
    1: They are all connected to the inside VLAN directly via the ASA's switch ports.
    2: They are all in the same 255.255.255.0 subnet, including the ASA inside interface.
    3: Removing the gateway on the affected machines makes no difference; the ASA continues to block it, which indicates that whether or not the machines use the ASA as a gateway, it is inspecting the traffic and blocking it.
    I have posted the error below and my config. It's strange it's only affecting the new Server 2008 machines and I'm hoping you can offer suggestions.
    Errors:
    2      Dec 08 2012      12:02:41      106007      10.50.15.117      55068      DNS            Deny inbound UDP from 10.50.15.117/55068 to 10.50.15.5/53 due to DNS Query
    Result of the command: "show run"
    : Saved
    ASA Version 8.2(1)
    hostname xxxxx-ASA5505
    domain-name xxx.local
    enable password
    passwd
    names
    name 10.50.17.0 Hobart description Hobart
    name 10.50.16.0 Launceston description Launceston
    name 10.50.18.0 Burnie description Burnie
    name 10.50.24.0 Devonport description Devonport
    name 10.50.23.0 burniewilmot description burniewilmot
    name 10.50.35.0 Warrnamboolmain description warrnamboolmain
    name 10.50.30.0 hamilton description hamilton
    name 10.50.20.0 Portland description Portland
    name 10.50.31.0 Camperdown description Camperdown
    name 10.50.32.0 wboolsh description wboolsh
    name 10.50.33.0 wblthy description wblthy
    dns-guard
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.50.15.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 111.223.228.154 255.255.255.248
    interface Vlan5
    no forward interface Vlan1
    nameif dmz
    security-level 50
    ip address dhcp
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone EST 10
    clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
    dns server-group DefaultDNS
    domain-name xxx.local
    object-group service IpPrinting tcp
    port-object eq 9100
    object-group icmp-type icmp
    icmp-object alternate-address
    icmp-object conversion-error
    icmp-object echo
    icmp-object echo-reply
    icmp-object information-reply
    icmp-object information-request
    icmp-object mask-reply
    icmp-object mask-request
    icmp-object mobile-redirect
    icmp-object parameter-problem
    icmp-object redirect
    icmp-object router-advertisement
    icmp-object router-solicitation
    icmp-object source-quench
    icmp-object time-exceeded
    icmp-object timestamp-reply
    icmp-object timestamp-request
    icmp-object traceroute
    icmp-object unreachable
    object-group network dns_servers
    network-object host 10.50.15.5
    object-group service domain udp
    port-object eq domain
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object udp
    protocol-object tcp
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit tcp any any eq domain
    access-list inside_access_in extended permit udp any any object-group domain
    access-list outside_access_in extended permit ip any any inactive
    access-list outside_access_in extended permit tcp any 111.223.228.152 255.255.255.248 eq smtp
    access-list outside_access_in extended permit tcp any 111.223.228.152 255.255.255.248 eq www
    access-list vpnusers_splitTunnelAcl standard permit 111.223.231.120 255.255.255.248
    access-list inside_nat0_outbound extended permit ip 111.223.231.120 255.255.255.248 14.0.0.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip 111.223.231.120 255.255.255.248 111.223.228.152 255.255.255.248
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 111.223.228.152 255.255.255.248
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Hobart 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Warrnamboolmain 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Launceston 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 14.0.0.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Burnie 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Devonport 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 burniewilmot 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 hamilton 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Portland 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Camperdown 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 wboolsh 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 wblthy 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Hobart 255.255.255.0
    access-list outside_1_cryptomap_1 extended permit ip 10.50.15.0 255.255.255.0 Launceston 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Burnie 255.255.255.0
    access-list outside_3_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Hobart 255.255.255.0
    access-list outside_4_cryptomap extended permit ip 10.50.15.0 255.255.255.0 burniewilmot 255.255.255.0
    access-list outside_5_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Warrnamboolmain 255.255.255.0
    access-list outside_6_cryptomap extended permit ip 10.50.15.0 255.255.255.0 hamilton 255.255.255.0
    access-list outside_7_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Portland 255.255.255.0
    access-list outside_8_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Camperdown 255.255.255.0
    access-list outside_9_cryptomap extended permit ip 10.50.15.0 255.255.255.0 wboolsh 255.255.255.0
    access-list outside_10_cryptomap extended permit ip 10.50.15.0 255.255.255.0 wblthy 255.255.255.0
    access-list dmz_access_in extended permit tcp any interface outside eq www inactive
    access-list dmz_access_in extended permit tcp any 111.223.228.152 255.255.255.248 eq smtp
    pager lines 24
    logging enable
    logging asdm warnings
    mtu inside 1300
    mtu outside 1300
    mtu dmz 1500
    ip local pool vpnclient 14.0.0.1-14.0.0.15 mask 255.0.0.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 10.50.15.0 255.255.255.0
    static (outside,inside) tcp 10.50.15.5 www 0.0.0.0 www netmask 255.255.255.255
    static (inside,outside) tcp interface www 10.50.15.5 www netmask 255.255.255.255  dns
    static (inside,outside) tcp interface smtp 10.50.15.5 smtp netmask 255.255.255.255  dns
    static (inside,inside) 10.50.15.0 255.255.255.0 netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 111.223.228.153 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 10.50.15.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set esp-des-sha esp-des esp-sha-hmac
    crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ipsec df-bit clear-df outside
    crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 58.96.86.56
    crypto map outside_map 1 set transform-set esp-des-sha
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map0 1 match address outside_1_cryptomap_1
    crypto map outside_map0 1 set peer 59.167.207.106
    crypto map outside_map0 1 set transform-set ESP-3DES-SHA
    crypto map outside_map0 2 match address outside_2_cryptomap
    crypto map outside_map0 2 set peer 59.167.204.53
    crypto map outside_map0 2 set transform-set ESP-3DES-SHA
    crypto map outside_map0 3 match address outside_3_cryptomap
    crypto map outside_map0 3 set pfs
    crypto map outside_map0 3 set peer 203.45.159.34
    crypto map outside_map0 3 set transform-set ESP-3DES-SHA
    crypto map outside_map0 4 match address outside_4_cryptomap
    crypto map outside_map0 4 set peer 203.45.134.39
    crypto map outside_map0 4 set transform-set ESP-3DES-SHA
    crypto map outside_map0 5 match address outside_5_cryptomap
    crypto map outside_map0 5 set peer 58.96.75.47
    crypto map outside_map0 5 set transform-set ESP-3DES-SHA
    crypto map outside_map0 6 match address outside_6_cryptomap
    crypto map outside_map0 6 set peer 58.96.85.151
    crypto map outside_map0 6 set transform-set ESP-3DES-SHA
    crypto map outside_map0 7 match address outside_7_cryptomap
    crypto map outside_map0 7 set peer 58.96.78.238
    crypto map outside_map0 7 set transform-set ESP-3DES-SHA
    crypto map outside_map0 8 match address outside_8_cryptomap
    crypto map outside_map0 8 set peer 58.96.69.82
    crypto map outside_map0 8 set transform-set ESP-3DES-SHA
    crypto map outside_map0 9 match address outside_9_cryptomap
    crypto map outside_map0 9 set peer 58.96.83.244
    crypto map outside_map0 9 set transform-set ESP-3DES-SHA
    crypto map outside_map0 10 match address outside_10_cryptomap
    crypto map outside_map0 10 set peer 58.96.80.122
    crypto map outside_map0 10 set transform-set ESP-3DES-SHA
    crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map0 interface outside
    crypto isakmp enable outside
    crypto isakmp policy 2
    authentication pre-share
    encryption 3des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 50
    authentication pre-share
    encryption des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 70
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.50.15.50-10.50.15.55 inside
    dhcpd dns 10.50.15.5 interface inside
    no threat-detection basic-threat
    no threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 130.194.10.150
    webvpn
    group-policy xxx internal
    group-policy xxx attributes
    dns-server value 10.50.15.5
    vpn-tunnel-protocol IPSec
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    dhcp-network-scope 14.0.0.0
    vpn-tunnel-protocol IPSec webvpn
    ipv6-address-pools none
    group-policy vpnusers internal
    group-policy vpnusers attributes
    dns-server value 10.50.15.5 139.130.4.4
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnusers_splitTunnelAcl
    username aspireremote password
    username aspireremote attributes
    service-type remote-access
    username richard.lawes password
    username netscreen password
    tunnel-group DefaultL2LGroup ipsec-attributes
    isakmp keepalive threshold 15 retry 2
    tunnel-group DefaultRAGroup ipsec-attributes
    isakmp keepalive threshold 15 retry 2
    tunnel-group DefaultWEBVPNGroup ipsec-attributes
    isakmp keepalive threshold 15 retry 2
    tunnel-group TunnelGroup1 type remote-access
    tunnel-group TunnelGroup1 general-attributes
    address-pool (outside) vpnclient
    address-pool vpnclient
    default-group-policy GroupPolicy1
    dhcp-server 192.168.0.5
    tunnel-group TunnelGroup1 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group vpnusers type remote-access
    tunnel-group vpnusers general-attributes
    address-pool vpnclient
    default-group-policy vpnusers
    tunnel-group vpnusers ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 59.167.207.106 type ipsec-l2l
    tunnel-group 59.167.207.106 ipsec-attributes
    pre-shared-key *
    tunnel-group aspirevpn type remote-access
    tunnel-group aspirevpn general-attributes
    address-pool vpnclient
    default-group-policy xxxvpn
    tunnel-group xxxvpn ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 59.167.204.53 type ipsec-l2l
    tunnel-group 59.167.204.53 ipsec-attributes
    pre-shared-key *
    tunnel-group 203.45.159.34 type ipsec-l2l
    tunnel-group 203.45.159.34 ipsec-attributes
    pre-shared-key *
    tunnel-group 203.45.134.39 type ipsec-l2l
    tunnel-group 203.45.134.39 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 58.96.75.47 type ipsec-l2l
    tunnel-group 58.96.75.47 ipsec-attributes
    pre-shared-key *
    tunnel-group 58.96.85.151 type ipsec-l2l
    tunnel-group 58.96.85.151 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 58.96.78.238 type ipsec-l2l
    tunnel-group 58.96.78.238 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 58.96.69.82 type ipsec-l2l
    tunnel-group 58.96.69.82 ipsec-attributes
    pre-shared-key *
    tunnel-group 58.96.83.244 type ipsec-l2l
    tunnel-group 58.96.83.244 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 58.96.80.122 type ipsec-l2l
    tunnel-group 58.96.80.122 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    prompt hostname context

    Hello Richard,
    My first thought is: why is the ASA receiving this traffic? This is traffic that should not reach the default gateway.
    Anyway, try the following:
    same-security-traffic permit intra-interface
    Let me know how it goes
    Julio

  • ASA5505 - Blocking internal traffic between 2 servers

    Hi guys/ladies
    I have a Cisco ASA5505; it runs a wide site-to-site VPN network and has 4 servers connected to it:
    10.50.15.4 > fileserver
    10.50.15.5 > domain controller (exchange)
    10.50.15.6 > terminal server
    10.50.15.7 > terminal server
    Now yesterday I removed 10.50.15.6 and replaced it with a new terminal server with the same IP address; ever since, the ASA is blocking traffic between it and the domain controller (example):
    2    Oct 27 2012    14:51:05    106007    10.50.15.6    55978    DNS    Deny inbound UDP from 10.50.15.6/55978 to 10.50.15.5/53 due to DNS Query
    What has me baffled is the only thing different between today and yesterday is the new server is Windows Server 2008 and the old one was Windows Server 2003. The new server has the same LAN IP address as the old one to make the changeover seamless for the users.
    Any idea why all of a sudden my ASA has decided to block the traffic between those machines? All the other machines can talk to it fine, just not the domain controller, and seeing that this is a terminal server naturally you can see the problem I face!
    Any help you can give would be great, as this router has worked flawlessly for 2 years now without any config changes and I can't work out why it's blocking traffic between those 2 machines.

    Result of the command: "show cap asp | include 10.50.15.6"
      15: 10:09:21.796849 802.1Q vlan#1 P0 10.50.15.6.58810 > 10.50.15.5.389:  udp 163
      16: 10:09:22.189153 802.1Q vlan#1 P0 10.50.15.6.58810 > 10.50.15.5.389:  udp 163 Drop-reason: (acl-drop) Flow is denied by configured rule
      17: 10:09:22.596252 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
      18: 10:09:23.625913 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
      19: 10:09:24.625227 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
      20: 10:09:26.635236 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86
      25: 10:09:30.653500 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86
      27: 10:09:34.655025 802.1Q vlan#1 P0 10.50.15.6.137 > 10.50.15.255.137:  udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
      28: 10:09:34.655071 802.1Q vlan#1 P0 10.50.15.6.138 > 10.50.15.255.138:  udp 237
      29: 10:09:34.655193 802.1Q vlan#1 P0 10.50.15.6.138 > 10.50.15.5.138:  udp 237 Drop-reason: (acl-drop) Flow is denied by configured rule
      30: 10:09:34.764700 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
      31: 10:09:34.899337 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
      32: 10:09:35.901946 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
      33: 10:09:36.915937 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
      34: 10:09:37.773916 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
      35: 10:09:38.942715 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
      37: 10:09:42.937695 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
      38: 10:09:43.788579 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
      41: 10:09:55.803608 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
      42: 10:09:56.814166 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
      43: 10:09:57.820804 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule

  • Send email notification from ASA

    Hello,
    I'm trying to send e-mail notifications from Cisco ASA when a vpn, session, config events have occurred. My config is:
    logging enable
    logging timestamp
    logging list email_notification level notifications class auth
    logging list email_notification level notifications class config
    logging list email_notification level notifications class session
    logging list email_notification message 713049
    logging list email_notification message 713050
    logging buffered informational
    logging asdm informational
    logging mail email_notification
    logging from-address [email protected]
    logging recipient-address [email protected] level notifications
    logging host Inside 10.10.XX.2 6/34003
    logging permit-hostdown
    but I'm receiving unexpected messages like:
    <162>Aug 09 2012 11:41:51: %ASA-2-106006: Deny inbound UDP from 10.10.107.79/50258 to 10.2.107.54/161 on interface Inside
    and I'm getting my mailbox full with about 600 emails per 10 min.
    version:
    Cisco Adaptive Security Appliance Software Version 8.3(1)
    Device Manager Version 6.3(1)
    Compiled on Thu 04-Mar-10 16:56 by builders
    System image file is "disk0:/asa831-k8.bin"
    Config file at boot was "startup-config"
    FW-INT-01 up 107 days 10 hours
    failover cluster up 107 days 10 hours
    Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW016 @ 0xfff00000, 2048KB
    please help
    best regards,
    Alcides Miguel

    Hi Bro
    You could refer to this URL https://supportforums.cisco.com/message/3686071#3686071
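As an added example (not part of any post in these threads), a Python triage script for the volume problem in the e-mail notification thread above: it parses the two "Deny inbound UDP" message formats quoted on this page and groups them by target, port and reason, so a burst from many sources to one target (the flood pattern) stands out from a single host repeatedly hitting an ACL. The sample syslog lines are constructed, and the 106007 message id on the DNS lines is my assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
# Matches both "Deny inbound UDP" variants quoted on this page: the 106006 form
# ending "on interface <name>" and the form ending "due to DNS Response|Query".
DENY_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%(?:ASA|PIX)-\d-(?P<msgid>\d{6}): Deny inbound UDP from "
    r"(?P<src>[\w.-]+)/(?P<sport>\d+) to (?P<dst>[\w.-]+)/(?P<dport>\d+) "
    r"(?:on interface (?P<iface>\S+)|due to DNS (?P<dns>Response|Query))"
)
# Constructed sample syslog modelled on the threads above (addresses and the
# 106007 id on the DNS lines are sample values, not taken from the page).
SAMPLE_LOG = """\
<162>Aug 09 2012 11:41:51: %ASA-2-106006: Deny inbound UDP from 10.10.107.79/50258 to 10.2.107.54/161 on interface Inside
<162>Aug 09 2012 11:41:52: %ASA-2-106007: Deny inbound UDP from 198.51.100.7/53 to 203.0.113.10/2713 due to DNS Response
<162>Aug 09 2012 11:41:52: %ASA-2-106007: Deny inbound UDP from 198.51.100.8/53 to 203.0.113.10/2713 due to DNS Response
<162>Aug 09 2012 11:41:53: %ASA-2-106007: Deny inbound UDP from 198.51.100.9/53 to 203.0.113.10/2713 due to DNS Response
<162>Aug 09 2012 11:43:10: %ASA-2-106006: Deny inbound UDP from 10.10.107.79/50260 to 10.2.107.54/161 on interface Inside
"""

def parse_denies(text):
    # One dict per parsed deny line; lines that do not match are skipped.
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%b %d %Y %H:%M:%S")
            events.append(ev)
    return events

def summarize(events, window=60):
    """Per (dst, dport, reason): total count, distinct sources and peak denies in any
    `window`-second span (many sources, high peak = flood; one slow source = ACL issue)."""
    groups = defaultdict(list)
    for ev in events:
        reason = f"iface {ev['iface']}" if ev["iface"] else f"DNS {ev['dns']}"
        groups[(ev["dst"], ev["dport"], reason)].append(ev)
    report = {}
    for key, evs in groups.items():
        times = sorted(e["ts"] for e in evs)
        peak = start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        report[key] = {"count": len(evs), "peak_per_window": peak,
                       "sources": len({e["src"] for e in evs})}
    return report
```

Run it against the output of `show logging` (or a syslog server's file) instead of SAMPLE_LOG; a target with a high peak and many distinct sources is what to take to the ISP, while a single source repeating is an ACL or filtering question.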

  • WAE and WCCP mismatch

    Hello,
    I seem to be having a lot of trouble with a very simple implementation. I have 2 routers and a data centre WAE via WCCP. These devices are on the same L2/L3 segment (x.x.x.0/24). The WAN interfaces on the routers are in different networks. The remote WAE is inline. I configured ip wccp 61 redirect in on the LAN interface of each router and ip wccp 62 redirect in on the WAN interface of each router.  I get the alarm "WCCP router x.x.x.1(LAN) unusable for service id:61 reason redirection mismatch with router" and "WCCP router x.x.x.1(LAN) unusable for service id:62 reason redirection mismatch with router". For the WAN interfaces I get the alarm they are unreachable for the service ID.
    Standard router config
    ip wccp version 2
    ip wccp 61
    ip wccp 62
    int gi0/0
    description LAN
    ip address x.x.x.1
    ip wccp 61 redirect in
    int gi0/1
    description WAN
    ip address y.y.y.1
    ip wccp 62 redirect in
    Should I only be trapping inbound traffic on the LAN interface ?
    The other thing I noticed was these messages from the PIX on the same L2/L3 segment
    Dec 20 2011 05:49:52: %PIX-2-106006: Deny inbound UDP from WADMZJA02/2048 to IROUTER1/2048 on interface outside
    Dec 20 2011 05:49:52: %PIX-2-106006: Deny inbound UDP from WADMZJA02/2048 to IROUTER2/2048 on interface outside
    Dec 20 2011 05:49:52: %PIX-2-106006: Deny inbound UDP from WADMZJA02/2048 to IROUTER1/2048 on interface outside
    Dec 20 2011 05:49:52: %PIX-2-106006: Deny inbound UDP from WADMZJA02/2048 to IROUTER2/2048 on interface outside
    Access list
    access-list outside_access_in extended permit udp host WADMZJA02 host IROUTER1 log notifications
    access-list outside_access_in extended permit udp host WADMZJA02 host IROUTER2 log notifications
    access-list outside_access_in extended permit udp host IROUTER1 host WADMZJA02 log notifications
    access-list outside_access_in extended permit udp host IROUTER2 host WADMZJA02 log notifications
    Best regards
    Stephen
    WAE config
    sh run
    2011 Dec 20 07:06:27 WADMZJA02 -admin-shell: %WAAS-PARSER-6-350232: CLI_LOG log_cli_command: sh run 
    ! waas-universal-k9 version 4.3.1 (build b6 Nov 13 2010)
    device mode application-accelerator
    hostname WADMZJA02
    clock timezone Europe/Brussels 1 0
    ip domain-name fibe.fortis
    primary-interface GigabitEthernet 1/0
    interface GigabitEthernet 1/0
    ip address x.x.x.248 255.255.255.0
    exit
    interface GigabitEthernet 2/0
    shutdown
    exit
    ip default-gateway x.x.x.4   <== firewall
    no auto-register enable
    ! ip path-mtu-discovery is disabled in WAAS by default
    !  <== traffic to be rerouted outbound ==>
    ip route a.a.a.0 255.255.255.0 x.x.x.1     <== Outbound HSRP
    ip access-list extended HK
    permit ip any 0.0.0.0 255.255.255.0
    exit
    logging console enable
    logging console priority debug
    interception access-list HKWAAS
    wccp router-list 1 z.z.z.202 y.y.y.122 x.x.x.1 x.x.x.2 x.x.x.3
    wccp tcp-promiscuous router-list-num 1 hash-source-ip hash-destination-ip l2-redirect l2-return
    wccp version 2
    egress-method negotiated-return intercept-method wccp
    ip icmp rate-limit unreachable df 0
    directed-mode enable
    transaction-logs flow enable
    inetd enable rcp
    sshd allow-non-admin-users
    sshd enable
    tfo tcp optimized-send-buffer 2048
    tfo tcp optimized-receive-buffer 2048
    accelerator http metadatacache enable
    accelerator http metadatacache https enable
    accelerator http dre-hints enable
    central-manager address x.x.x.247
    cms enable
    ! End of WAAS configuration

    Hi Stephen,
    The "Redirection mismatch" messages indicate that the redirection or return method configured on the WAE is not compatible with the router. Probably, the routers you are using don't support L2 redirection
    Moving forward, I would recommend you to change the line "wccp tcp-promiscuous router-list-num 1 hash-source-ip hash-destination-ip l2-redirect l2-return" for "wccp tcp-promiscuous router-list-num 1". This will negotiate hash assignment, as well as GRE redirection and return, which are the parameters supported by most platforms.
    As for the firewall messages, it seems that some WCCP negotiation packets (UDP port 2048) are being dropped. Unfortunately, my firewall knowledge is very limited, so I cannot really help you with that part.
    Regards
    Daniel

  • DNS response traffic getting dropped

    We have a FWSM running 3.2 IOS in a cat 6509
    Clients and server conducting queries against MS 2003 AD servers running DNS are having problems, and in the syslog I see messages like
    Deny inbound UDP from 172.25.59.106/53 to 172.25.55.11/56465 due to DNS Response
    UDP 53 is allowed from the subnets into the subnets/vlans where the DNS servers reside, and
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    has been enabled (the vlans have the same security level).
    I have also attempted to turn off DNS inspection in the global policy (no inspect dns)
    Nevertheless, these errors persist. Anyone have any ideas?

    David,
    The RFC states and Cisco obliges that DNS responses should be less than 512 bytes. The Firewall will drop any DNS response over 512 bytes, unless the size is increased. The changes to DNS for DNSSEC mean that the 512 byte limit is often exceeded.
    http://www.cisco.com/web/about/security/intelligence/dnssec.html
    Obviously, turning inspect off would negate the need for this command. Based on me missing that part of his post altogether. In which case it's probably worth disabling DNS-GUARD.
    Regards
    Ju

  • IDSM Blocking, UDP Host Flood signature

    Hi,
    I configured the IDSM/Blocking feature for preventing DoS attacks. I used the ICMP flood and UDP Host Flood signatures. These signature actions have been set to produce alert and request block host. I use the packit tool for testing. The ICMP signature detects ICMP flooding and blocking is done successfully, but the UDP Host Flood signature does not detect UDP flooding. I repeated the test scenario with different values for "Rate" but none of them detect flooding.
    Is there a specific setting for the UDP Host Flood signature or for Net Flood UDP?
    Thanks,
    Hedye


  • Smtp; 551 5.7.1 relaying denied - new secondary domain does not receive email from internet

    Exchange 2007 SMTP error "smtp; 551 5.7.1 relaying denied". The inbound email sender gets this error when trying to send to the secondary domain. This is a single server Exchange setup.
    Here is what we have done:
    #1 We have added a new policy for the new domain and also added the new domain to my default policy. ( Result are the same whether it is in the default policy or not)
    #2 I also set the new domain as Accepted domain and as Authoritative.
    #3 The mailbox I am sending to has the new domain email address and the address follows the selected conventions in the policy. 
    #4 I have the mx record in dns and verified that using the online MXToolbox.
    #5 I can telnet to the new domain mx record on port 25 and the smtp banner comes up as expected. The result and banner are the same when telneting to the primary domain.
    If I send from my primary exchange domain to the new domain the mail goes through. When I reply back it also works.
    What setting am I missing here? I need to get Exchange 2007 to accept inbound email from the internet.
    Thx
    Scot

    Hi Scot,
    In addition to Rich's suggestion, I would like to clarify the following thing:
    If you have a relay, please ensure that you add the secondary domain to mail relay server.
    What's more, here is a thread for your reference.
    external senders 550 5.7.1 relaying denied
    http://social.technet.microsoft.com/Forums/exchange/en-US/416ed3e3-a346-4794-ba2a-c53086f704b0/external-senders-550-571-relaying-denied-exchange-2010?forum=exchangesvrsecuremessaginglegacy
    Hope it helps.
    If there are any problems, please feel free to let me know.
    Best regards,
    Amy
    Amy Wang
    TechNet Community Support
