ASA responds for networks that do not exist behind it

We have two infected hosts which were scanning our entire 10.224.x.x networks.

The ASA firewall was responding to packets that were destined for networks that do not exist and are not configured behind it.

All traffic destined for networks that do not exist is dumped to the inside interface of the firewall, but why does the ASA respond to those packets? Shouldn’t it just drop them?

This is causing problems with our Sourcefire IDS/IPS because all 65k hosts in all the class C networks that were scanned were showing as being valid hosts, with the MAC address of the ASA's inside interface.

This had us max out our Sourcefire licensing.

Is there a setting on the ASA that prevents it from answering packets like this?


Here’s an example:

19:55:42.227815 IP 10.224.130.241.1131 > 10.227.62.4.445: Flags [S], seq 1131078073, win 65535, options [mss 1460,nop,nop,sackOK], length 0

19:55:42.228233 IP 10.227.62.4.445 > 10.224.130.241.1131: Flags [R.], seq 0, ack 1, win 65535, length 0

10.224.130.241 is a valid source, and 10.227.62.4 is not a valid destination. Yet the firewall responded to the request.
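One way to tell the ASA's phantom answers apart from real hosts in a capture like the one above, as an added example that is not from this thread or from Cisco: it assumes tcpdump was run with -e so the source MAC is on every line, and the ASA inside MAC and the list of real inside prefixes are placeholder values you would replace with your own.

```python
import ipaddress
import re

# Added example for this thread, not Cisco's or Sourcefire's code. Assumes tcpdump
# was run with -e on the inside segment and the ASA inside MAC is known; both
# values below are placeholders made up for the demonstration.
ASA_INSIDE_MAC = "00:11:22:33:44:55"
REAL_INSIDE_NETS = [ipaddress.ip_network("10.224.0.0/16")]

# One tcpdump -e line: timestamp, src MAC > dst MAC, ..., IPv4 5-tuple, TCP flags.
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    rf"^\S+\s+(?P<smac>{MAC})\s+>\s+{MAC}.*?(?:IP\s+)?"
    rf"(?P<src>{IP4})\.(?P<sport>\d+)\s+>\s+(?P<dst>{IP4})\.(?P<dport>\d+):"
    r"\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)

def classify_responders(lines, asa_mac=ASA_INSIDE_MAC, real_nets=REAL_INSIDE_NETS):
    """Split responders into phantom hosts (the ASA answering with its own MAC for
    a destination outside the real inside networks) and real hosts."""
    syns, phantom, real = set(), set(), set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["flags"] == "S":                    # bare SYN: remember the probe
            syns.add((m["src"], m["sport"], m["dst"], m["dport"]))
            continue
        # Only count RST / SYN-ACK replies that answer a probe we actually saw.
        if (m["dst"], m["dport"], m["src"], m["sport"]) not in syns:
            continue
        from_asa = m["smac"].lower() == asa_mac.lower()
        in_real = any(ipaddress.ip_address(m["src"]) in n for n in real_nets)
        (phantom if from_asa and not in_real else real).add(m["src"])
    return sorted(phantom), sorted(real)

# Constructed sample modelled on the capture in the post: a scan SYN to a
# non-existent 10.227.x host answered by the ASA's RST, then one to a real host.
SAMPLE = [
    "19:55:42.227815 aa:bb:cc:00:00:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 62: 10.224.130.241.1131 > 10.227.62.4.445: Flags [S], seq 1131078073, win 65535, options [mss 1460,nop,nop,sackOK], length 0",
    "19:55:42.228233 00:11:22:33:44:55 > aa:bb:cc:00:00:01, ethertype IPv4 (0x0800), length 54: 10.227.62.4.445 > 10.224.130.241.1131: Flags [R.], seq 0, ack 1, win 65535, length 0",
    "19:55:42.301000 aa:bb:cc:00:00:01 > aa:bb:cc:00:00:02, ethertype IPv4 (0x0800), length 62: 10.224.130.241.1132 > 10.224.5.10.445: Flags [S], seq 1, win 65535, length 0",
    "19:55:42.301500 aa:bb:cc:00:00:02 > aa:bb:cc:00:00:01, ethertype IPv4 (0x0800), length 62: 10.224.5.10.445 > 10.224.130.241.1132: Flags [S.], seq 5, ack 2, win 65535, length 0",
]

if __name__ == "__main__":
    print(classify_responders(SAMPLE))
```

Hosts in the first list are the ones a passive-discovery sensor would wrongly count against the license; the second list contains the hosts that really answered.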

3 REPLIES
Can you try this option:

ip verify reverse-path inside

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/command/reference/i3.html#wp1878364

Hope that helps,

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Thanks Varun, but I already had this command in use for my outside and inside interfaces.

I ended up opening a TAC Case and was informed that the ASA will always process the first packet then drop the connection. That is why it is showing up in the logs.

Glad your questions are answered.

Varun

Thanks, Varun Rao Security Team, Cisco TAC