We have two infected hosts which were scanning our entire 10.224.x.x networks.
The ASA firewall was responding to packets that were destined for networks that do not exist and are not configured behind it.
All traffic destined for networks that do not exist is dumped to the inside interface of the firewall, but why does the ASA respond to those packets? Shouldn't it just drop them?
This is causing problems with our Sourcefire IDS/IPS because all 65k hosts in all the class C networks that were scanned were showing as being valid hosts, with the MAC address of the ASA's inside interface.
This had us max out our Sourcefire licensing.
Is there a setting on the ASA that prevents it from answering packets like this?
Here’s an example:
19:55:42.227815 IP 10.224.130.241.1131 > 10.227.62.4.445: Flags [S], seq 1131078073, win 65535, options [mss 1460,nop,nop,sackOK], length 0
19:55:42.228233 IP 10.227.62.4.445 > 10.224.130.241.1131: Flags [R.], seq 0, ack 1, win 65535, length 0

10.224.130.241 is a valid source, and 10.227.62.4 is not a valid destination. Yet the firewall responded to the request.
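The symptom described above (thousands of "hosts" that all answer from the firewall's inside MAC) can be told apart from real responders in a capture before the IDS counts them. The script below is an added example, not part of the original post and not an ASA feature: it parses constructed `tcpdump -nne` lines (the MAC addresses, IPs and ports are made up for the sample), groups SYN-ACK and RST replies by the Ethernet source address that sent them, and flags every IP whose replies come from one MAC that is answering for many IPs across several /24s as a phantom host. Real hosts each answer from their own MAC, so a single MAC speaking for multiple subnets is the firewall (or a router) answering on their behalf. The thresholds `min_ips` and `min_subnets` are assumptions to tune for the environment.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nne` output. MACs and IPs are made up;
# 00:1a:2b:3c:4d:5e plays the firewall's inside interface, which answers
# with RSTs for addresses in networks that do not exist behind it.
SAMPLE_CAPTURE = """\
19:55:42.227815 00:50:56:aa:00:01 > 00:1a:2b:3c:4d:5e, ethertype IPv4 (0x0800), length 62: 10.224.130.241.1131 > 10.227.62.4.445: Flags [S], seq 1131078073, win 65535, options [mss 1460,nop,nop,sackOK], length 0
19:55:42.228233 00:1a:2b:3c:4d:5e > 00:50:56:aa:00:01, ethertype IPv4 (0x0800), length 54: 10.227.62.4.445 > 10.224.130.241.1131: Flags [R.], seq 0, ack 1, win 65535, length 0
19:55:42.229001 00:1a:2b:3c:4d:5e > 00:50:56:aa:00:01, ethertype IPv4 (0x0800), length 54: 10.227.62.5.445 > 10.224.130.241.1132: Flags [R.], seq 0, ack 1, win 65535, length 0
19:55:42.230100 00:1a:2b:3c:4d:5e > 00:50:56:aa:00:01, ethertype IPv4 (0x0800), length 54: 10.227.63.9.445 > 10.224.130.241.1133: Flags [R.], seq 0, ack 1, win 65535, length 0
19:55:42.231200 00:1a:2b:3c:4d:5e > 00:50:56:aa:00:01, ethertype IPv4 (0x0800), length 54: 10.227.64.17.445 > 10.224.130.241.1134: Flags [R.], seq 0, ack 1, win 65535, length 0
19:55:42.232300 00:0c:29:11:22:33 > 00:50:56:aa:00:01, ethertype IPv4 (0x0800), length 58: 10.224.131.10.445 > 10.224.130.241.1135: Flags [S.], seq 987654321, ack 1131078078, win 8192, options [mss 1460], length 0
19:55:42.233400 00:0c:29:44:55:66 > 00:50:56:aa:00:01, ethertype IPv4 (0x0800), length 54: 10.224.131.11.445 > 10.224.130.241.1136: Flags [R.], seq 0, ack 1, win 0, length 0
"""

# One `tcpdump -nne` TCP line: timestamp, src MAC > dst MAC, ethertype,
# frame length, src IP.port > dst IP.port, TCP flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump(text):
    """Return one dict per parseable TCP line; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def is_probe_response(flags):
    """A SYN-ACK ([S.]) or any RST is an answer to a scanner's SYN."""
    return flags == "S." or "R" in flags


def responders_by_mac(records):
    """Map each answering Ethernet source address to the set of IPs it spoke for."""
    by_mac = defaultdict(set)
    for r in records:
        if is_probe_response(r["flags"]):
            by_mac[r["smac"]].add(r["sip"])
    return by_mac


def subnet24(ip):
    """Crude /24 key, good enough for class-C style scans."""
    return ip.rsplit(".", 1)[0]


def classify_responders(records, min_ips=3, min_subnets=2):
    """Split responding IPs into phantom (one MAC answering for many IPs in
    several /24s, i.e. a firewall/router) and real (each IP on its own MAC).

    Returns (phantom_ips, real_ips, proxy_macs)."""
    phantom, real, proxy_macs = set(), set(), set()
    for mac, ips in responders_by_mac(records).items():
        subnets = {subnet24(ip) for ip in ips}
        if len(ips) >= min_ips and len(subnets) >= min_subnets:
            phantom |= ips
            proxy_macs.add(mac)
        else:
            real |= ips
    return phantom, real, proxy_macs


if __name__ == "__main__":
    recs = parse_tcpdump(SAMPLE_CAPTURE)
    phantom, real, macs = classify_responders(recs)
    print("MACs answering on behalf of many IPs:", sorted(macs))
    print("phantom hosts (do not count toward licensing):", sorted(phantom))
    print("real hosts:", sorted(real))
```

Run it against a real capture taken on the IDS span port with `tcpdump -nne -w -` piped in or saved to a file; the `proxy_macs` set should contain exactly the ASA's inside interface address, and the `phantom` set is what to suppress (for example with a host-discovery exclusion in the IDS) rather than license.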