ASA responds for networks that do not exist behind it

cpiluk1
Level 1

We have two infected hosts which were scanning our entire 10.224.x.x networks.

The ASA firewall was responding to packets that were destined for networks that do not exist and are not configured behind it. 

All traffic destined for networks that do not exist is dumped to the inside interface of the firewall, but why does the ASA respond to those packets?  Shouldn't it just drop them?

This is causing problems with our Sourcefire IDS/IPS because all 65k hosts in all the class C networks that were scanned were showing as being valid hosts, with the MAC address of the ASA's inside interface.

This had us max out our Sourcefire licensing.

Is there a setting on the ASA that prevents it from answering packets like this?


Here’s an example:

19:55:42.227815 IP 10.224.130.241.1131 > 10.227.62.4.445: Flags [S], seq 1131078073, win 65535, options [mss 1460,nop,nop,sackOK], length 0

19:55:42.228233 IP 10.227.62.4.445 > 10.224.130.241.1131: Flags [R.], seq 0, ack 1, win 65535, length 0

10.224.130.241 is a valid source, and 10.227.62.4 is not a valid destination.  Yet the firewall responded to the request.
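An added example (not from the original post) that parses tcpdump lines in the format shown above and separates RST replies that come from addresses outside the networks actually behind the firewall (the ASA answering for hosts that do not exist) from answers by real hosts, so an analyst can discount the phantom hosts in the IDS inventory and count which sources triggered them. The sample capture and the list of known prefixes are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample capture in tcpdump's text format, modelled on the lines in the post.
# Assumption: 10.224.0.0/16 is the only real network; 10.227.0.0/16 is not behind the ASA.
SAMPLE_CAPTURE = """\
19:55:42.227815 IP 10.224.130.241.1131 > 10.227.62.4.445: Flags [S], seq 1131078073, win 65535, options [mss 1460,nop,nop,sackOK], length 0
19:55:42.228233 IP 10.227.62.4.445 > 10.224.130.241.1131: Flags [R.], seq 0, ack 1, win 65535, length 0
19:55:42.230101 IP 10.224.130.241.1132 > 10.227.62.5.445: Flags [S], seq 1131078074, win 65535, options [mss 1460,nop,nop,sackOK], length 0
19:55:42.230455 IP 10.227.62.5.445 > 10.224.130.241.1132: Flags [R.], seq 0, ack 1, win 65535, length 0
19:55:43.000001 IP 10.224.130.241.1133 > 10.224.10.20.445: Flags [S], seq 1131078075, win 65535, options [mss 1460,nop,nop,sackOK], length 0
19:55:43.000400 IP 10.224.10.20.445 > 10.224.130.241.1133: Flags [S.], seq 99, ack 1131078076, win 65535, length 0
"""

# Matches "<timestamp> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]" (IPv4 only).
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def phantom_responders(capture, known_prefixes):
    """Return (phantoms, scanners).

    phantoms: addresses that answered a SYN with RST-ACK although they lie outside
              every known prefix, i.e. the firewall replying on behalf of nothing.
    scanners: Counter of source addresses by how many phantom replies they provoked,
              which also points at the hosts doing the scanning.
    """
    nets = [ipaddress.ip_network(p) for p in known_prefixes]
    pending = set()  # (src, sport, dst, dport) of every SYN seen so far
    phantoms = set()
    scanners = Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.group("src", "sport", "dst", "dport", "flags")
        if flags == "S":
            pending.add((src, sport, dst, dport))
        elif flags == "R." and (dst, dport, src, sport) in pending:
            # A reset answering a SYN we saw: is the replying address actually routed?
            if not any(ipaddress.ip_address(src) in n for n in nets):
                phantoms.add(src)
                scanners[dst] += 1
    return phantoms, scanners
```

On the constructed capture the two 10.227.62.x replies are flagged as phantoms and attributed to 10.224.130.241, while the real host 10.224.10.20 (which answers with SYN-ACK) is left alone.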

3 Replies

varrao
Level 10

Can you try this option:

ip verify reverse-path interface inside

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/command/reference/i3.html#wp1878364

Hope that helps,

Thanks,

Varun

Thanks,
Varun Rao

Thanks Varun, but I already had this command in use for my outside and inside interface.

I ended up opening a TAC case and was informed that the ASA will always process the first packet and then drop the connection. That is why it is showing up in the logs.

Glad your questions are answered.

Varun
