cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
610
Views
0
Helpful
7
Replies

traffic hit subnet address

hanwucisco
Level 1
Level 1

When I looked at the log of our DMZ ASA, I found a lot of 443 traffic hit a subnet IP address, 1XX.XX.3.0 and the length is 24. I am just wondering, what traffic it can be?

Thanks,

Han

7 Replies 7

Panos Kampanakis
Cisco Employee
Cisco Employee

The are probably HTTPS session initiation (TCP SYN) packets, especially if the destination ip address was a http server.

What exactly did your logs show? Were they destined to the internal ip on that port?

I hope it helps.

PK

6Nov 16 201015:31:341061001XX.X.X.2125761XX.XX.3.0443access-list outside permitted tcp outside/1XX.X.X.21(2576) -> inside/1XX.XX.3.0(443) hit-cnt 1 first hit [0xbbc8eafa, 0x0]

Here you go,

thanks,

Is 1XX.XX.3.0 a subnet or a host for your internal network? Check what that ip translate to on the ASA.

But it seems like a HTTPS packet to 1XX.XX.3.0. You can capture it on the outside if you want using the capture command, just to make sure.

PK

It is a subnet.

Is your outside ACL allowing private ip packets?

Is this 8.3 and the ACL is allowing packets to the whole inside subnet?

PK

"Is your outside ACL allowing private ip packets?"===How can I know it?

"Is this 8.3" ====

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)53

"is the ACL is allowing packets to the whole inside subnet?"

What maks you think of this?

thanks,

I was suggesting to check if there is a rule that says "permit xxxx ".

PK

Review Cisco Networking for a $25 gift card