ASA5540 with a SSM20 and seeing 192.168.0.X addresses

rolandshum · ‎02-07-2008

On my SSM-20 I'm seeing a lot of traffic from a 192.168.0.X address. Obviously it's a scanner of some sort. I'm curious as to why the packet is even being passed to the SSM by the ASA. The ASA should be getting it from the "outside" interface and dropping it. I'm surprised it even gets as far as the SSM. Do I have a misconception on how the ASA handles this type of traffic? The ports are 0 for both the source and destination address.

abinjola · ‎02-12-2008

hmm.. the source 192.168.x.x seems a private range..is this traffic hitting from inside interface ? if yes then its normal for ASA to pass it on to the SSM module where it will be eventually dropped, however there is no way firewall would allow this packet from outside interface..can you set packet captures to determine this

which code on ASA ?

rolandshum · ‎02-14-2008

I'm on 7.2(2) with the ASA and 6.0.2 for the SSM. It is certainly coming in from the outside. I don't have that address range on the inside of my network. I'm just surprised that the ASA is even passing it on to the SSM before it is dropped.

abinjola · ‎02-16-2008

can you paste here what kind of traffic

do you see any connection entry or xlate entry for it ?

sh conn detail | inc

sh xlate detail | inc