I have been working on an issue for several days now, and I would like some input. I stumbled upon some strange traffic while setting up a syslog server for my ASA. I am receiving the following message:
%ASA-4-313005: No matching connection for ICMP error message: icmp src inside:22.214.171.124 dst inside:172.16.3.82 (type 3, code 13) on inside interface. Original IP payload: udp src 172.16.3.82/138 dst 172.16.3.255/138.
This message is showing the "foreign IP" of 126.96.36.199 sourced on the inside interface. I believe that a machine on our LAN is being spoofed with this address. The destination address of "172.16.3.82" is not a valid address. We currently have no 172.16.3.0 network.
My first step to track down the machine or machines that are creating this traffic has been:
I have set up the 172.16.3.0 network on a Catalyst 3750 L3 switch. I have attached a machine with a 172.16.3.0/24 address and ran Wireshark in hopes of capturing the packets in order to view the true source IP address. I have been unsuccessful in this approach.
Can anyone provide any suggestions?