04-24-2012 07:49 AM - edited 03-11-2019 03:57 PM
We have two infected hosts which were scanning our entire 10.224.x.x networks.
The ASA firewall was responding to packets that were destined for networks that do not exist and are not configured behind it.
All traffic destined for networks that do not exist is dumped to the inside interface of the firewall, but why does the ASA respond to those packets? Shouldn’t it just drop them?
This is causing problems with our Sourcefire IDS/IPS because all 65k hosts in all the class C networks that were scanned were showing as being valid hosts, with the MAC address of the ASA's inside interface.
This had us max out our Sourcefire licensing.
Is there a setting on the ASA that prevents it from answering packets like this?
Here’s an example:
19:55:42.227815 IP 10.224.130.241.1131 > 10.227.62.4.445: Flags [S], seq 1131078073, win 65535, options [mss 1460,nop,nop,sackOK], length 0
19:55:42.228233 IP 10.227.62.4.445 > 10.224.130.241.1131: Flags [R.], seq 0, ack 1, win 65535, length 0
10.224.130.241 is a valid source, and 10.227.62.4 is not a valid destination. Yet the firewall responded to the request.
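As an added example (not part of the thread), a small Python parser over tcpdump lines in the format quoted above: it pairs each SYN with its reply and keeps only destinations that answered SYN/ACK, so RST/ACK responders like the ASA's do not inflate a host count the way the post describes. The sample capture, including the live host 10.224.1.10, is constructed.

```python
import re

# Constructed tcpdump sample modelled on the two lines quoted in the post: SYNs from the
# scanning host, the RST/ACKs the ASA returned for non-existent destinations, and one
# SYN/ACK from a (constructed) real host for contrast.
SAMPLE = """\
19:55:42.227815 IP 10.224.130.241.1131 > 10.227.62.4.445: Flags [S], seq 1131078073, win 65535, options [mss 1460,nop,nop,sackOK], length 0
19:55:42.228233 IP 10.227.62.4.445 > 10.224.130.241.1131: Flags [R.], seq 0, ack 1, win 65535, length 0
19:55:42.230001 IP 10.224.130.241.1132 > 10.227.62.5.445: Flags [S], seq 1131078074, win 65535, options [mss 1460,nop,nop,sackOK], length 0
19:55:42.230412 IP 10.227.62.5.445 > 10.224.130.241.1132: Flags [R.], seq 0, ack 1, win 65535, length 0
19:55:42.240000 IP 10.224.130.241.1133 > 10.224.1.10.445: Flags [S], seq 1131078075, win 65535, options [mss 1460,nop,nop,sackOK], length 0
19:55:42.240350 IP 10.224.1.10.445 > 10.224.130.241.1133: Flags [S.], seq 99, ack 1131078076, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse(text):
    """Yield a dict per tcpdump TCP line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def classify_responders(text):
    """Map each destination that answered a SYN to 'live' (SYN/ACK) or 'rst' (RST/ACK).

    A RST/ACK-only responder is what the ASA produces for the first packet to a
    non-existent network; only 'live' entries belong in a host inventory.
    """
    syns, verdict = set(), {}
    for p in parse(text):
        if p["flags"] == "S":                      # outbound probe
            syns.add((p["src"], p["sport"], p["dst"], p["dport"]))
            continue
        # A reply must match a SYN we saw, with the 4-tuple reversed.
        if (p["dst"], p["dport"], p["src"], p["sport"]) not in syns:
            continue
        if p["flags"] == "S.":
            verdict[p["src"]] = "live"
        elif p["flags"] == "R." and verdict.get(p["src"]) != "live":
            verdict[p["src"]] = "rst"
    return verdict

def live_hosts(text):
    """Hosts worth counting: those that replied SYN/ACK, not RST responders."""
    return sorted(h for h, v in classify_responders(text).items() if v == "live")
```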
04-24-2012 09:03 AM
Can you try this option:
ip verify reverse-path inside
http://www.cisco.com/en/US/partner/docs/security/asa/asa82/command/reference/i3.html#wp1878364
Hope that helps,
Thanks,
Varun
04-25-2012 06:00 AM
Thanks Varun, but I already had this command in use for my outside and inside interfaces.
I ended up opening a TAC Case and was informed that the ASA will always process the first packet then drop the connection. That is why it is showing up in the logs.
04-25-2012 06:07 AM
Glad your questions are answered.
Varun