×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

traffic hit subnet address

Unanswered Question
Nov 16th, 2010
User Badges:

When I looked at the log of our DMZ ASA, I found a lot of 443 traffic hit a subnet IP address, 1XX.XX.3.0 and the length is 24. I am just wondering, what traffic it can be?

Thanks,

Han

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Panos Kampanakis Tue, 11/16/2010 - 12:13
User Badges:
  • Cisco Employee,

The are probably HTTPS session initiation (TCP SYN) packets, especially if the destination ip address was a http server.


What exactly did your logs show? Were they destined to the internal ip on that port?


I hope it helps.


PK

hanwucisco Tue, 11/16/2010 - 12:35
User Badges:
6Nov 16 201015:31:341061001XX.X.X.2125761XX.XX.3.0443access-list outside permitted tcp outside/1XX.X.X.21(2576) -> inside/1XX.XX.3.0(443) hit-cnt 1 first hit [0xbbc8eafa, 0x0]




Here you go,

thanks,

Panos Kampanakis Tue, 11/16/2010 - 12:59
User Badges:
  • Cisco Employee,

Is 1XX.XX.3.0 a subnet or a host for your internal network? Check what that ip translate to on the ASA.


But it seems like a HTTPS packet to 1XX.XX.3.0. You can capture it on the outside if you want using the capture command, just to make sure.


PK

Panos Kampanakis Tue, 11/16/2010 - 13:09
User Badges:
  • Cisco Employee,

Is your outside ACL allowing private ip packets?

Is this 8.3 and the ACL is allowing packets to the whole inside subnet?


PK

hanwucisco Tue, 11/16/2010 - 14:04
User Badges:

"Is your outside ACL allowing private ip packets?"===How can I know it?


"Is this 8.3" ====


Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)53


"is the ACL is allowing packets to the whole inside subnet?"

What maks you think of this?


thanks,

Panos Kampanakis Tue, 11/16/2010 - 14:16
User Badges:
  • Cisco Employee,

I was suggesting to check if there is a rule that says "permit xxxx ".


PK

Actions

This Discussion