topic Why is Layer-2-adjacent traffic from admin-PC to ASA logged as "Deny"? in Network Security

Why is Layer-2-adjacent traffic from admin-PC to ASA logged as "Deny"?

Corey Koellein — Sun, 15 May 2022 04:48:25 GMT

ASA 5506-X Very basic initial config.

Purpose is to firewall my server lab from my HOME-NET and the Internet.

ASA is on my HOME-NET 192.168.82.0.

PC is 192.168.82.99.

ASA HOME-NET (outside) interface is 192.168.82.100.

I am able to ASDM to the ASA on 192.168.82.100.

I bring up logging monitor.

I am seeing Deny messages generated by my ASDM session from my PC 192.168.82.99 to the ASA 192.168.82.100... even though they are in the same Layer-2 together, so the traffic is getting to the ASA just fine... I see my configuration changes happening successfully via the console session (show run). Why are the Deny messages there?

(6 May 15 2022 04:11:46 106015 192.168.82.99 1041 192.168.82.100 443 Deny TCP (no connection) from 192.168.82.99/1041 to 192.168.82.100/443 flags FIN ACK on interface HOME-NET)

How do I properly configure to get rid of them? There is no session (no connection) established, it says... I get that... but I tried creating a rule on the HOME-NET interface that explicitly allows .99 to talk to .100 via 443... wouldn't it then establish a sesh that could be "tracked" as an established session? How do I establish that connection to avoid this Deny from being triggered. I assume it is benign and can be ignored, but I'm trying to understand what/why its happening and if I can "properly" avoid it.

Re: Why is Layer-2-adjacent traffic from admin-PC to ASA logged as &qu

Sheraz.Salim — Sun, 15 May 2022 09:29:44 GMT

Interface HOME-NET has security-level 0 with IP address 192.168.82.100 and your PC is connected to this subnet with IP address 192.168.82.99. you have enable the https on HOME-NET to get acess the ASDM. your access-rule defined in the shown figure is to let the 192.168.82.99 to connect 192.168.82.100 port https(443)

looking into your logs106015 and 302014. the 302014 log entry is TCP Rset-O (Means that the HOME-NET host send a reset).The 106015 Deny TCP (no connection) FIN ACK on Interface HOME-NET.

so PC sent TCP Rest and ASA Acknowledge it and Finish the session.

you can set up the capture on HOME-NET interface to get more detail and download it on wireshark

capture HOME-NET interface HOME-NET match ip host 192.168.82.99 host 192.168.82.100

Re: Why is Layer-2-adjacent traffic from admin-PC to ASA logged as &qu

MHM Cisco World — Sun, 15 May 2022 11:32:35 GMT

http server enable

http x.x.x.x y.y.y.y outside <- are you config this ??

Re: Why is Layer-2-adjacent traffic from admin-PC to ASA logged as &qu

Marius Gunnerud — Sun, 15 May 2022 20:56:55 GMT

The ACL that you refer to in the screenshot is to allow THROUGH THE BOX traffic and not TO THE BOX traffic, so this will not have any effect on your ASDM connection.

The "no connection" log message usually indicates that there is asynchronous routing happening, but since the PC and ASA are on the same subnet it is a little strange that this is showing up. I don't suppose you have NAT configured for this connection as well?

Could you provide a complete running configuration of the ASA (remember to remove any public IPs and change or remove usernames and passwords)