11-16-2010 08:51 AM - edited 03-11-2019 12:10 PM
When I looked at the log of our DMZ ASA, I found a lot of 443 traffic hit a subnet IP address, 1XX.XX.3.0 and the length is 24. I am just wondering, what traffic it can be?
Thanks,
Han
11-16-2010 12:13 PM
They are probably HTTPS session initiation (TCP SYN) packets, especially if the destination IP address was an HTTP server.
What exactly did your logs show? Were they destined to the internal ip on that port?
I hope it helps.
PK
11-16-2010 12:35 PM
6 | Nov 16 2010 | 15:31:34 | 106100 | 1XX.X.X.21 | 2576 | 1XX.XX.3.0 | 443 | access-list outside permitted tcp outside/1XX.X.X.21(2576) -> inside/1XX.XX.3.0(443) hit-cnt 1 first hit [0xbbc8eafa, 0x0] |
Here you go,
thanks,
11-16-2010 12:59 PM
Is 1XX.XX.3.0 a subnet or a host for your internal network? Check what that IP translates to on the ASA.
But it seems like a HTTPS packet to 1XX.XX.3.0. You can capture it on the outside if you want using the capture command, just to make sure.
PK
11-16-2010 01:04 PM
It is a subnet.
11-16-2010 01:09 PM
Is your outside ACL allowing private ip packets?
Is this 8.3 and the ACL is allowing packets to the whole inside subnet?
PK
11-16-2010 02:04 PM
"Is your outside ACL allowing private ip packets?"===How can I know it?
"Is this 8.3" ====
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)53
"is the ACL is allowing packets to the whole inside subnet?"
What makes you think of this?
thanks,
11-16-2010 02:16 PM
I was suggesting to check if there is a rule that says "permit xxxx
PK
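An added example, not part of the original thread: a small Python check that reads ASA 106100 entries in the pipe-separated layout quoted above and reports permitted hits whose destination is the network or broadcast address of an inside subnet rather than a host. The sample log lines, the documentation-range addresses and the `192.0.2.0/24` subnet are constructed assumptions; the /24 length mirrors the one mentioned in the question.

```python
import ipaddress
import re

# Constructed sample lines (documentation-range addresses, made-up hash values).
SAMPLE_LOG = """\
6 | Nov 16 2010 | 15:31:34 | 106100 | 198.51.100.21 | 2576 | 192.0.2.0 | 443 | access-list outside permitted tcp outside/198.51.100.21(2576) -> inside/192.0.2.0(443) hit-cnt 1 first hit [0x11111111, 0x0] |
6 | Nov 16 2010 | 15:31:40 | 106100 | 198.51.100.21 | 2580 | 192.0.2.10 | 443 | access-list outside permitted tcp outside/198.51.100.21(2580) -> inside/192.0.2.10(443) hit-cnt 1 first hit [0x11111111, 0x0] |
6 | Nov 16 2010 | 15:31:41 | 302013 | 198.51.100.21 | 2580 | 192.0.2.10 | 443 | Built inbound TCP connection 1234 for outside:198.51.100.21/2580 (198.51.100.21/2580) to inside:192.0.2.10/443 (192.0.2.10/443) |
4 | Nov 16 2010 | 15:32:02 | 106100 | 198.51.100.30 | 4411 | 192.0.2.255 | 443 | access-list outside denied tcp outside/198.51.100.30(4411) -> inside/192.0.2.255(443) hit-cnt 1 first hit [0x22222222, 0x0] |
"""

# Message body of syslog 106100 (ACL hit with logging enabled).
HIT = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

def classify_destination(dst, nets):
    """Say whether dst is a host, or the network/broadcast address of a known subnet."""
    ip = ipaddress.ip_address(dst)
    for net in nets:
        if ip in net:
            if ip == net.network_address:
                return "network-address"
            if ip == net.broadcast_address:
                return "broadcast-address"
            return "host"
    return "outside-known-subnets"

def review_hits(log_text, subnets):
    """Return permitted 106100 hits whose destination is not a host in a known subnet."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    findings = []
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 9 or fields[3] != "106100":
            continue  # only ACL-hit messages are of interest here
        m = HIT.search(fields[8])
        if not m or m["action"] != "permitted":
            continue
        kind = classify_destination(m["dst"], nets)
        if kind != "host":
            findings.append({"acl": m["acl"], "src": m["src"], "dst": m["dst"],
                             "dport": int(m["dport"]), "kind": kind})
    return findings

if __name__ == "__main__":
    for f in review_hits(SAMPLE_LOG, ["192.0.2.0/24"]):
        print(f)
```

A finding of kind `network-address` on a permitted entry suggests the ACL rule matches the whole subnet rather than individual servers, which is the point the last reply raises.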