traffic hit subnet address

hanwucisco
Level 1

When I looked at the log of our DMZ ASA, I found a lot of 443 traffic hitting a subnet IP address, 1XX.XX.3.0, and the length is 24. I am just wondering what traffic it can be.

Thanks,

Han

7 Replies

Panos Kampanakis
Cisco Employee

They are probably HTTPS session initiation (TCP SYN) packets, especially if the destination IP address was an HTTP server.

What exactly did your logs show? Were they destined to the internal IP on that port?

I hope it helps.

PK

6 | Nov 16 2010 | 15:31:34 | 106100 | 1XX.X.X.21 | 2576 | 1XX.XX.3.0 | 443 | access-list outside permitted tcp outside/1XX.X.X.21(2576) -> inside/1XX.XX.3.0(443) hit-cnt 1 first hit [0xbbc8eafa, 0x0]

Here you go,

thanks,

Is 1XX.XX.3.0 a subnet or a host for your internal network? Check what that IP translates to on the ASA.

But it seems like an HTTPS packet to 1XX.XX.3.0. You can capture it on the outside if you want using the capture command, just to make sure.

PK

It is a subnet.

Is your outside ACL allowing private IP packets?

Is this 8.3 and the ACL is allowing packets to the whole inside subnet?

PK

"Is your outside ACL allowing private ip packets?"===How can I know it?

"Is this 8.3" ====

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)53

"is the ACL is allowing packets to the whole inside subnet?"

What makes you think of this?

thanks,

I was suggesting to check if there is a rule that says "permit xxxx ".

PK
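
Added example, not part of the original thread and not Cisco code: a small Python check that reads ASA 106100 access-list log lines in the format posted above and reports the ones whose destination is the network or broadcast address of an inside subnet, which is the pattern the poster noticed. The `INSIDE_NETS` list, the function names and the sample log lines (documentation address ranges, made-up hash codes) are assumptions constructed for illustration.

```python
import ipaddress
import re

# Description format of ASA syslog 106100, as seen in the log row posted in the thread.
LINE_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)
# Assumption: inside networks as the operator would list them.
INSIDE_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Constructed sample lines, not taken from the thread.
SAMPLE_LOG = """\
%ASA-6-106100: access-list outside permitted tcp outside/198.51.100.21(2576) -> inside/192.0.2.0(443) hit-cnt 1 first hit [0xbbc8eafa, 0x0]
%ASA-6-106100: access-list outside permitted tcp outside/198.51.100.21(2577) -> inside/192.0.2.10(443) hit-cnt 1 first hit [0xbbc8eafa, 0x0]
%ASA-6-106100: access-list outside denied tcp outside/203.0.113.9(4100) -> inside/192.0.2.255(443) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]
%ASA-6-302013: Built inbound TCP connection 1 for outside:198.51.100.21/2578 (198.51.100.21/2578) to inside:192.0.2.10/443 (192.0.2.10/443)
"""

def classify_destination(dst, nets=INSIDE_NETS):
    """Return 'network', 'broadcast', 'host', or None if dst is in no listed net."""
    addr = ipaddress.ip_address(dst)
    for net in nets:
        if addr not in net:
            continue
        if net.prefixlen >= net.max_prefixlen - 1:
            return "host"  # /31 and /32 have no separate network/broadcast address
        if addr == net.network_address:
            return "network"
        if addr == net.broadcast_address:
            return "broadcast"
        return "host"
    return None

def find_subnet_address_hits(log_text, nets=INSIDE_NETS):
    """Return 106100 events whose destination is a network or broadcast address."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # other syslog IDs (e.g. 302013) are ignored
        kind = classify_destination(m["dst"], nets)
        if kind in ("network", "broadcast"):
            findings.append({**m.groupdict(), "kind": kind})
    return findings

if __name__ == "__main__":
    for f in find_subnet_address_hits(SAMPLE_LOG):
        print(f"{f['action']} {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
              f"({f['kind']} address, acl {f['acl']}, hit-cnt {f['hits']})")
```

A `permitted` result for a network or broadcast address means some ACL entry covers the whole subnet rather than specific hosts, which is the rule PK suggests looking for.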
