This is probably just something else that I do not understand about the PIX, but want to know what is going on. I am getting log message 305009 "Built static translation from inside: some-IP to outside: same-IP" from non-existent hosts and subnets. First assumption is that there might be some spoofing going on, but sniffing the link between our internal router and PIX shows no traffic from this host. Is this a scan? If so, why is the static translation from inside to outside?
The "from" and "to" in this message don't indicate the direction the traffic was seen in (i.e., the PIX didn't have to actually see traffic FROM some-IP). All this message is telling you is that the PIX created a translation in its internal table because it saw traffic from OR to this address. The message is indicating a translation was created from one interface to another, and the message will always say FROM the higher security interface TO the lower security interface; it's not telling you that it actually saw traffic from one interface to the other.
You must have a static command set up translating this IP address to itself between the inside and outside interfaces, so if the PIX sees traffic going to this address from the outside, or coming from this address on the inside, it'll have to create a translation for it and this message will be displayed.
Again, it doesn't signify the traffic direction, just that traffic is seen.
As for what it might be, quite possibly a scan of all available hosts on that subnet, quite possibly something completely harmless also. If it's a scan I'd expect to see one of these messages for every host on the subnet, if you don't see this then it may be something entirely different.
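The rule of thumb in the answer above (a scan should produce one 305009 message for every host on the subnet) can be checked against a syslog export. The following is an added example, not part of the original thread: the log lines are constructed, and the /24 subnet size and the 50% coverage threshold are assumptions to adjust for your own addressing.

```python
import ipaddress
import re
from collections import defaultdict

# Matches message 305009; tolerates an optional space after "interface:".
XLATE_RE = re.compile(
    r"305009: Built (static|dynamic) translation from "
    r"(\S+?):\s*(\d+\.\d+\.\d+\.\d+) to (\S+?):\s*(\d+\.\d+\.\d+\.\d+)"
)

def identity_statics(lines):
    """Yield addresses from static translations that map an IP to itself."""
    for line in lines:
        m = XLATE_RE.search(line)
        if m and m.group(1) == "static" and m.group(3) == m.group(5):
            yield ipaddress.ip_address(m.group(3))

def sweep_coverage(lines, prefix_len=24):
    """Return {subnet: fraction of usable hosts that triggered a translation}."""
    seen = defaultdict(set)  # a set, so repeated messages for one host count once
    for addr in identity_statics(lines):
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        seen[net].add(addr)
    return {
        net: len(hosts) / max(net.num_addresses - 2, 1)
        for net, hosts in seen.items()
    }

def likely_sweeps(lines, prefix_len=24, threshold=0.5):
    """Subnets where most hosts appear, i.e. the pattern expected from a scan."""
    cov = sweep_coverage(lines, prefix_len)
    return sorted(net for net, frac in cov.items() if frac >= threshold)

# Constructed sample log: every host in 192.0.2.0/24, two hosts elsewhere,
# plus a dynamic and a non-identity static translation that must be ignored.
PREFIX = "Jan 10 2005 10:00:01: %PIX-6-305009: Built "
SAMPLE = [
    f"{PREFIX}static translation from inside:192.0.2.{i} to outside:192.0.2.{i}"
    for i in range(1, 255)
] + [
    PREFIX + "static translation from inside: 198.51.100.7 to outside: 198.51.100.7",
    PREFIX + "static translation from inside:198.51.100.9 to outside:198.51.100.9",
    PREFIX + "dynamic translation from inside:10.0.0.5 to outside:203.0.113.20",
    PREFIX + "static translation from inside:10.0.0.8 to outside:203.0.113.8",
]

if __name__ == "__main__":
    for net, frac in sorted(sweep_coverage(SAMPLE).items()):
        print(f"{net}: {frac:.1%} of hosts seen")
    print("possible sweeps:", [str(n) for n in likely_sweeps(SAMPLE)])
```

A subnet with near-complete coverage matches the scan pattern described in the answer; a handful of isolated addresses points to something else.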