ASA responds for networks that do not exist behind it

Apr 24th, 2012

We have two infected hosts which were scanning our entire 10.224.x.x networks.

The ASA firewall was responding to packets that were destined for networks that do not exist and are not configured behind it.

All traffic destined for networks that do not exist is dumped to the inside interface of the firewall, but why does the ASA respond to those packets? Shouldn't it just drop them?

This is causing problems with our Sourcefire IDS/IPS because all 65k hosts in all the class C networks that were scanned were showing as being valid hosts, with the MAC address of the ASA's inside interface.

This had us max out our Sourcefire licensing.

Is there a setting on the ASA that prevents it from answering packets like this?

Here's an example:

19:55:42.227815 IP 10.224.130.241.1131 > 10.227.62.4.445: Flags [S], seq 1131078073, win 65535, options [mss 1460,nop,nop,sackOK], length 0

19:55:42.228233 IP 10.227.62.4.445 > 10.224.130.241.1131: Flags [R.], seq 0, ack 1, win 65535, length 0

10.224.130.241 is a valid source, and 10.227.62.4 is not a valid destination. Yet the firewall responded to the request.
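One way to separate firewall-generated RSTs from real hosts when triaging such a capture, as an added example that is not from the original thread or from Cisco: a small Python script that parses tcpdump text lines like the two above (the sample capture below is constructed, not taken from the poster's network) and marks any address that only ever answers SYNs with a RST as a candidate phantom host. A real host whose scanned ports are all closed produces the same per-packet signature, so the script treats any address that sent at least one SYN-ACK as live and the rest as phantoms to review, rather than as proof.

```python
import re
from collections import defaultdict

# Constructed sample capture in tcpdump's text format, modelled on the lines in
# the post: 10.227.62.4 (non-existent, answered by the firewall) only ever sends
# RST/ACK, while 10.224.5.20 (a real host) sends a SYN-ACK on 445 and a RST on 80.
SAMPLE_CAPTURE = """\
19:55:42.227815 IP 10.224.130.241.1131 > 10.227.62.4.445: Flags [S], seq 1131078073, win 65535, options [mss 1460,nop,nop,sackOK], length 0
19:55:42.228233 IP 10.227.62.4.445 > 10.224.130.241.1131: Flags [R.], seq 0, ack 1, win 65535, length 0
19:55:42.301100 IP 10.224.130.241.1132 > 10.224.5.20.445: Flags [S], seq 99, win 65535, options [mss 1460,nop,nop,sackOK], length 0
19:55:42.301600 IP 10.224.5.20.445 > 10.224.130.241.1132: Flags [S.], seq 7, ack 100, win 65535, options [mss 1460], length 0
19:55:42.402000 IP 10.224.130.241.1133 > 10.224.5.20.80: Flags [S], seq 55, win 65535, options [mss 1460,nop,nop,sackOK], length 0
19:55:42.402500 IP 10.224.5.20.80 > 10.224.130.241.1133: Flags [R.], seq 0, ack 56, win 0, length 0
"""

# Matches the "src.sport > dst.dport: Flags [..]" prefix of a tcpdump TCP line.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def classify_responders(capture: str) -> dict:
    """Return {ip: 'live' | 'phantom'} for every address that answered a SYN.

    'live'    -> the address sent at least one SYN-ACK, so something listens there.
    'phantom' -> the address only ever answered SYNs with RST, the signature the
                 firewall produces for unroutable destinations (and the one that
                 makes host discovery count a non-existent address as a host).
    """
    syns = set()                # (src, sport, dst, dport) of every SYN seen
    replies = defaultdict(set)  # responding ip -> kinds of reply observed
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.group("src", "sport", "dst", "dport", "flags")
        if flags == "S":
            syns.add((src, sport, dst, dport))
        elif (dst, dport, src, sport) in syns:  # this packet answers a SYN we saw
            kind = "synack" if flags == "S." else "rst" if flags.startswith("R") else "other"
            replies[src].add(kind)
    return {ip: ("live" if "synack" in kinds else "phantom") for ip, kinds in replies.items()}


def phantom_hosts(capture: str) -> list:
    """Sorted list of addresses that never answered with anything but RST."""
    return sorted(ip for ip, v in classify_responders(capture).items() if v == "phantom")
```

Run it against a real capture exported with `tcpdump -n` text output to get a list of addresses worth excluding from host-discovery licensing counts.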

cpiluk1 Wed, 04/25/2012 - 06:00

Thanks Varun, but I already had this command in use for my outside and inside interface.

I ended up opening a TAC Case and was informed that the ASA will always process the first packet then drop the connection. That is why it is showing up in the logs.

varrao Wed, 04/25/2012 - 06:07

Glad your questions are answered.


Varun
