Firewall detects source and destination IP addresses not belonging to any subnet connected to the firewall
I faced a very strange situation where my firewall logs indicate there is traffic where both the source and destination IP addresses do not belong to any subnet that my firewall is connected to. The source IPs of these strange logs are attempting to access destination port TCP 80 (HTTP). Both the source and destination IP addresses are internet IP addresses and they are not part of the internet IP range that I own. Between my firewall and the internet is my WAN router. My WAN router is connected to the ISP via MPLS. I have verified there is no misconfiguration in terms of routing on my WAN router. Suppose the ISP did a routing misconfiguration; the strange packets should then be dropped by my router. My WAN router is configured with WCCP, which is meant to redirect HTTP traffic back to my web proxy located behind my firewall. Hence, did any of you face such strange problems before, and could it be due to some bug with WCCP? TIA!
Thank you for the prompt response. The suspicious HTTP traffic was received from the internet, where the source and destination IPs are internet addresses not belonging to any subnet of my firewall. This traffic was denied by my firewall. The suspicious traffic is received at the firewall segment facing the WAN router. Could spoofing still be possible in this case? By the way, my WAN router is a Cisco ASR 1004.
Are you advertising your subnets to your ISP by some routing protocol (BGP, e.g.)?
In that case I could imagine some error on your side (advertising a wrong subnet) could make the ISP deliver traffic to you with a destination address which is not owned by you.
Usually, source address can be spoofed as a part of some attack.
But traffic with a wrong destination address should not be delivered to you!
As you are saying "My WAN router is configured with WCCP which is meant to redirect http traffic back to my web proxy located behind my firewall." which is something I don't 100% follow.
Should WCCP change the destination IP address of HTTP packets? But still forward them to the FW?
My WCCP will not change the destination IP address of HTTP packets. Clients accessing HTTP will first go through the firewall, then to my ASR, which will then send the packets back to my proxy via WCCP, after which the proxy will access the internet on behalf of the clients. I am advertising my subnet to the ISP via BGP. Will reconfirm if wrong subnets are advertised to the ISP, but it's unlikely as we only have one public subnet to advertise.
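A way to check firewall logs for exactly the pattern discussed in this thread (flows where neither endpoint falls in an owned or connected prefix, arriving on the WAN-facing interface), written as an added example that is not code from the original thread. The log format, the interface name and the prefix list are constructed assumptions; adapt the regex and `LOCAL_PREFIXES` to your own firewall.

```python
import ipaddress
import re

# Constructed sample firewall log lines (syslog-like, not from the original thread).
SAMPLE_LOGS = """\
deny tcp src 203.0.113.45/51234 dst 198.51.100.9/80 in wan0
permit tcp src 10.1.2.3/40000 dst 198.51.100.9/80 out wan0
permit tcp src 192.0.2.77/55000 dst 10.1.2.3/443 in wan0
deny tcp src 203.0.113.46/51235 dst 198.51.100.10/80 in wan0
"""

# Prefixes the firewall is connected to or that the organisation owns
# (constructed values; replace with your own internal and public ranges).
LOCAL_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.0.2.0/24")]

# Assumed log layout: action proto src a.b.c.d/port dst a.b.c.d/port dir iface
LOG_RE = re.compile(
    r"(?P<action>permit|deny) (?P<proto>\w+) src (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst>[\d.]+)/(?P<dport>\d+) (?P<dir>in|out) (?P<iface>\S+)"
)

def is_local(addr: str) -> bool:
    """True if the address lies inside any owned or connected prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_PREFIXES)

def find_transit_flows(log_text: str):
    """Return entries whose source AND destination are both outside every local
    prefix. A stub site should never see such flows; on the WAN-facing segment
    they point at upstream routing, a WCCP redirect that pulled in somebody
    else's HTTP traffic, or spoofing, and are worth raising with the ISP."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        if is_local(m["src"]) or is_local(m["dst"]):
            continue  # at least one endpoint is ours: normal traffic
        findings.append({
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "iface": m["iface"], "action": m["action"],
            # tcp/80 is what WCCP redirects, so flag it as the likely cause
            "wccp_candidate": m["proto"] == "tcp" and int(m["dport"]) == 80,
        })
    return findings

if __name__ == "__main__":
    for f in find_transit_flows(SAMPLE_LOGS):
        print(f)
```

Run it against an export of the denied-traffic log; every entry returned is a flow the firewall should never have received, and the `wccp_candidate` flag separates the HTTP redirects from anything else.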