I have an ASA 5515X running 8.6 code.
On my internal network, I have a couple of subnets that connect through the ASA to the Internet. I also have a DMZ with some servers on it that are reachable from the Internet.
These internal subnets are off different interfaces on the ASA, and my NAT rules are set up like this:
object-group network DEFAULT-PAT-SOURCE
network-object object obj-172.25.36.30
network-object object obj-192.168.221.0
network-object object obj-172.23.120.250
nat (Guestnet,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
nat (NETWORK2,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
interface GigabitEthernet0/2
description Guestnet
nameif Guestnet
security-level 50
ip address 192.168.221.4 255.255.255.0
interface GigabitEthernet0/5
nameif NETWORK2
security-level 50
ip address 172.23.120.129 255.255.255.128
There is an ACL applied to the outside interface.
Periodically, I have had an issue where the outbound/inbound traffic slows to a crawl on the Guestnet network, and I see a weird message in the logs:
Jan 05 2015 07:30:40: %ASA-3-710003: TCP access denied by ACL from 192.168.221.51/52108 to Guestnet:<outside interface IP>/80
Jan 05 2015 07:30:40: %ASA-3-710003: TCP access denied by ACL from 192.168.221.51/52106 to Guestnet:<outside interface IP>/443
Why does the ASA think traffic is coming inbound from an IP that is on the internal network (the Guestnet network)? It is almost like a spoofing situation, but the IP 192.168.221.51 was my laptop's IP, which I was testing from.
Is there something wrong with this configuration? What could be the issue?
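Added example, not part of the original post and not written by its author: a small Python parser for the %ASA-3-710003 lines quoted above. A 710003 event is the ASA refusing a connection addressed to one of its own interface addresses, so the useful thing to pull out of each line is which interface the packet arrived on, which interface address it was aimed at, and whether those two differ. The script groups events per source host so a burst like the one in the post stands out from ordinary management-port probes. It assumes the message layout exactly as quoted; the outside interface address is redacted in the post, so 203.0.113.1 (a TEST-NET-3 address) stands in as a placeholder, and the third and fourth sample lines are constructed for contrast. It goes slightly beyond the post by handling events that arrive on any interface, not only Guestnet.

```python
import re
from collections import Counter, defaultdict

# Placeholder for the outside interface address, which the post redacts.
OUTSIDE_IP_PLACEHOLDER = "203.0.113.1"

# Interface addresses from the post's configuration; outside is the placeholder.
ASA_INTERFACE_IPS = {
    "Guestnet": "192.168.221.4",
    "NETWORK2": "172.23.120.129",
    "outside": OUTSIDE_IP_PLACEHOLDER,
}

# Constructed sample log: the two lines from the post (with the placeholder
# substituted), one constructed 710003 from the Internet side, and one
# constructed 302013 connection-built line that the parser must ignore.
SAMPLE_LOG = f"""\
Jan 05 2015 07:30:40: %ASA-3-710003: TCP access denied by ACL from 192.168.221.51/52108 to Guestnet:{OUTSIDE_IP_PLACEHOLDER}/80
Jan 05 2015 07:30:40: %ASA-3-710003: TCP access denied by ACL from 192.168.221.51/52106 to Guestnet:{OUTSIDE_IP_PLACEHOLDER}/443
Jan 05 2015 07:31:02: %ASA-3-710003: TCP access denied by ACL from 198.51.100.7/40000 to outside:{OUTSIDE_IP_PLACEHOLDER}/22
Jan 05 2015 07:31:05: %ASA-6-302013: Built outbound TCP connection 12345 for Guestnet:192.168.221.51/52110 ({OUTSIDE_IP_PLACEHOLDER}/52110) to outside:198.51.100.9/443 (198.51.100.9/443)
"""

# Layout of %ASA-3-710003 as quoted in the post:
#   <proto> access denied by ACL from <src>/<sport> to <ingress-ifc>:<dst>/<dport>
MSG_710003 = re.compile(
    r"%ASA-\d-710003: (?P<proto>\w+) access denied by ACL from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<ifc>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_710003(line):
    """Return a dict of fields for a 710003 line, or None for any other message."""
    m = MSG_710003.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["sport"] = int(event["sport"])
    event["dport"] = int(event["dport"])
    return event


def classify(event, interface_ips=ASA_INTERFACE_IPS):
    """Label which ASA interface owns the destination address and whether the
    packet entered on a different interface than the one owning that address."""
    owner = next((name for name, ip in interface_ips.items() if ip == event["dst"]), None)
    return {
        "ingress": event["ifc"],
        "dst_owner": owner,
        "cross_interface": owner is not None and owner != event["ifc"],
    }


def summarize(log_text):
    """Parse all 710003 lines and count, per source host, the
    ingress->destination-owner:port combinations seen."""
    events = [e for e in (parse_710003(l) for l in log_text.splitlines()) if e]
    per_source = defaultdict(Counter)
    for e in events:
        c = classify(e)
        key = f"{e['ifc']}->{c['dst_owner'] or 'unknown'}:{e['dport']}"
        per_source[e["src"]][key] += 1
    return events, dict(per_source)


if __name__ == "__main__":
    _, per_source = summarize(SAMPLE_LOG)
    for src, combos in per_source.items():
        for combo, n in combos.most_common():
            print(f"{src:16} {combo:28} x{n}")
```

Run against a real export (for example the output of `show logging` saved to a file) by passing the file contents to `summarize`; sources whose events are all `cross_interface` and aimed at 80/443 are the pattern the post describes, while hits on the outside interface's own address from outside are the usual management-port noise.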