
Outside traffic not destined for my outside address showing up in ASDM Syslog

Ken D
Level 1

Hi everybody! This may be a silly question but would there be a reason why I would be getting traffic on my outside interface that has a destination address which is not my assigned outside address? I recently set up my ASA 5505 on the network and gave it an available outside address of say 192.x.x.250 on interface vlan 100. When I assign vlan 100 to e0/0 and bring the port up, I start seeing lots of traffic pour into the ASDM Syslog with various destinations belonging to my subnet but that are not actually destined for my specific outside address of 192.x.x.250.

They are showing a destination of say 192.x.x.85 or 192.x.x.29.

Any thoughts as to how and why this is happening/possible?

Thanks in advance!!!!

3 Replies

Shrikant Sundaresh
Cisco Employee

Hi Ken,

If you could provide the syslogs over here, then we could try to narrow down why exactly it is happening.

I can think of two reasons for now:

1. ARP requests. The MAC address for an ARP request would be the broadcast MAC address, and thus would reach all machines on the same subnet.

2. The ASA might have an incorrect NAT configuration, which causes it to proxy ARP for all IPs in the subnet.

Thus sometimes, the other devices get the ASA's ARP reply instead of the actual device. Thus the traffic comes to the ASA instead of the actual device.

However, I can't be sure why it's happening, unless I have a look at the syslogs.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

Hi Shrikant, thanks for replying and sorry for disappearing like that!! Got overwhelmed with other projects here. Anyhoo, did you want me to just do a data dump of the traffic for you to check out or is there other info you want?

To give a little more detail as to what is going on, most of the traffic that I am receiving are TCP SYN and SYN/ACK packets primarily to port 445, which I know is probably just some evil scanner out there. I have since removed any NAT/PAT settings and routes, so at this point I basically have my ASA with Outside and Inside interfaces configured with their respective IPs and have them up. With this configuration I can still see the traffic pour into the ASDM even when it's not addressed to my outside interface.

Thanks again for all your help!

-Ken

Small traffic dump attached.
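One way to triage a syslog export like the one discussed in this thread, as an added example that is not part of either poster's messages: it tallies denied inbound TCP on the outside interface by destination, port and flags, and reports only destinations other than the firewall's own address. It assumes the entries are ASA message 106001 lines; the sample lines, the addresses (documentation ranges) and the function name are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: entries are ASA syslog message 106001 in its documented layout.
MSG_106001 = re.compile(
    r"%ASA-2-106001: Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>.+?) on interface (?P<ifc>\S+)"
)

# Constructed sample lines, not taken from the attached dump.
SAMPLE_LOG = """\
Jan 10 09:14:02 asa %ASA-2-106001: Inbound TCP connection denied from 203.0.113.7/51544 to 192.0.2.85/445 flags SYN on interface outside
Jan 10 09:14:03 asa %ASA-2-106001: Inbound TCP connection denied from 203.0.113.7/51545 to 192.0.2.29/445 flags SYN on interface outside
Jan 10 09:14:05 asa %ASA-2-106001: Inbound TCP connection denied from 198.51.100.23/445 to 192.0.2.85/49211 flags SYN ACK on interface outside
Jan 10 09:14:09 asa %ASA-2-106001: Inbound TCP connection denied from 10.0.0.5/40000 to 10.0.0.1/23 flags SYN on interface inside
Jan 10 09:14:11 asa %ASA-2-106001: Inbound TCP connection denied from 203.0.113.7/51547 to 192.0.2.85/445 flags SYN on interface outside
Jan 10 09:14:12 asa %ASA-6-302010: 0 in use, 12 most used
"""


def foreign_destinations(log_text, own_ip, interface="outside"):
    """Count denied inbound TCP per (dst, dport, flags) where dst != own_ip."""
    counts = Counter()
    for line in log_text.splitlines():
        m = MSG_106001.search(line)
        if not m or m["ifc"] != interface:
            continue  # other message IDs or other interfaces
        if m["dst"] == own_ip:
            continue  # addressed to the firewall itself, not the case in question
        counts[(m["dst"], int(m["dport"]), m["flags"])] += 1
    return counts


if __name__ == "__main__":
    # 192.0.2.250 stands in for the masked outside address in the question.
    for (dst, dport, flags), n in foreign_destinations(SAMPLE_LOG, "192.0.2.250").most_common():
        print(f"{n:3d}  dst={dst}:{dport}  flags={flags}")
```

Rows with SYN to port 445 and rows with SYN ACK to a high port show up as separate keys, so the two kinds of packets mentioned in the reply above can be counted apart.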