Funny access list behavior??

Adam Swindell
Level 1

Hi, I have a 5505 ASA at a remote site.

There are two subnets behind this firewall. The directly connected one is 10.10.33.0/24 and the other network 10.11.33.0/24 is one hop away from the firewall.

The "inside" interface address of the firewall is 10.10.33.4/24.

This ASA is used to terminate a VPN tunnel; I have the sysopt connection permit-vpn command on this device so all VPN traffic is allowed through.

Because of this, on the outside interface I have a deny any any statement.

So here is the problem. I am seeing something interesting in the logs of this ASA. It looks like the inside interface is trying to ping some lightweight access points on the 10.11.33.0/24 subnet. The controller for these access points is not at the remote location, the controller is at the main campus. The logs indicate that the access list on the outside interface is denying icmp from the inside interface of the ASA (10.10.33.4).

Apr 30 2012 08:53:02: %ASA-4-106023: Deny icmp src outside:10.10.33.4 dst inside:10.11.33.22 (type 3, code 4) by access-group "OUTSIDE_GOING_INSIDE" [0xd9ef3a90, 0x0]

Apr 30 2012 08:53:08: %ASA-4-106023: Deny icmp src outside:10.10.33.4 dst inside:10.11.33.21 (type 3, code 4) by access-group "OUTSIDE_GOING_INSIDE" [0xd9ef3a90, 0x0]

So my questions are...

Why is the access list on the outside interface denying traffic from the inside interface?

Why does it say "source outside 10.10.33.4" when the 10.10.33.0 network is the inside network?

Why is the ASA trying to ping these access points?

Does it even matter if this traffic is being dropped?

Yes, I have the access lists on the correct interfaces.

All other traffic is working as expected.

Thanks for any help anyone can give.

2 Replies

Hi Adam,


Why is the access list on the outside interface denying traffic from the inside interface?

The logs tell you that the traffic was initiated from outside with the source 10.10.33.4 and goes to inside. I think that the ACL is doing its job.

Why does it say "source outside 10.10.33.4" when the 10.10.33.0 network is the inside network?

I think that this is the right question.

Why is the ASA trying to ping these access points?

I do not think that the ASA is generating these packets, because the ASA's inside interface has the address 10.10.33.4 and your log tells you that the packet was received on the outside interface.

Does it even matter if this traffic is being dropped?

No, it doesn't matter, but I think that it's interesting to know why and who.

Dan
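Added example (not part of the thread, and not Cisco code): a small Python checker that does mechanically what Dan does by eye. It parses %ASA-4-106023 deny lines, reads the ingress interface from the `src <interface>:<address>` field, and flags any deny whose source address belongs to a prefix that should only ever appear behind the inside interface but was received on outside, which is exactly the situation in the two quoted lines. It also decodes the ICMP type/code: type 3 code 4 is "destination unreachable, fragmentation needed and DF set" per RFC 792. The zone map, the `find_misplaced_sources` name, and the third (TCP) sample line are constructed for the example; the first two sample lines are the ones quoted in the question.

```python
"""Flag ASA 106023 denies whose source address arrived on the wrong interface.

Constructed example for the thread above; the zone map and the TCP sample
line are assumptions, the two ICMP lines are the ones quoted in the question.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two denies from the thread plus one ordinary
# outside-to-inside TCP deny for contrast.
SAMPLE_LOG = """\
Apr 30 2012 08:53:02: %ASA-4-106023: Deny icmp src outside:10.10.33.4 dst inside:10.11.33.22 (type 3, code 4) by access-group "OUTSIDE_GOING_INSIDE" [0xd9ef3a90, 0x0]
Apr 30 2012 08:53:08: %ASA-4-106023: Deny icmp src outside:10.10.33.4 dst inside:10.11.33.21 (type 3, code 4) by access-group "OUTSIDE_GOING_INSIDE" [0xd9ef3a90, 0x0]
Apr 30 2012 08:54:11: %ASA-4-106023: Deny tcp src outside:203.0.113.9/51234 dst inside:10.10.33.10/22 by access-group "OUTSIDE_GOING_INSIDE" [0xd9ef3a90, 0x0]
"""

# Assumed zone map for the site described in the thread: prefixes that are
# only legitimate as *sources* when the packet enters on the named interface.
ZONES: Dict[str, List[ipaddress.IPv4Network]] = {
    "inside": [
        ipaddress.ip_network("10.10.33.0/24"),
        ipaddress.ip_network("10.11.33.0/24"),
    ],
}

# 106023 layout: "Deny <proto> src <if>:<ip>[/<port>] dst <if>:<ip>[/<port>]
# [(type T, code C)] by access-group "<acl>" [hex, hex]"
LINE_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<itype>\d+), code (?P<icode>\d+)\))?"
    r' by access-group "(?P<acl>[^"]+)"'
)

# A few ICMP type/code pairs from RFC 792, enough to read the thread's lines.
ICMP_NAMES: Dict[Tuple[int, int], str] = {
    (0, 0): "echo reply",
    (8, 0): "echo request",
    (3, 3): "destination unreachable: port unreachable",
    (3, 4): "destination unreachable: fragmentation needed and DF set",
    (11, 0): "time exceeded: TTL expired in transit",
}


@dataclass
class Deny:
    proto: str
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    icmp: Optional[Tuple[int, int]]
    acl: str


def parse_106023(line: str) -> Optional[Deny]:
    """Parse one syslog line; return None if it is not a 106023 deny."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    icmp = None
    if m.group("itype") is not None:
        icmp = (int(m.group("itype")), int(m.group("icode")))
    return Deny(m.group("proto"), m.group("sif"), m.group("sip"),
                m.group("dif"), m.group("dip"), icmp, m.group("acl"))


def expected_interface(ip: str) -> Optional[str]:
    """Interface a packet with this source should arrive on, or None if the
    address is not in any mapped zone (e.g. a genuine Internet source)."""
    addr = ipaddress.ip_address(ip)
    for iface, nets in ZONES.items():
        if any(addr in net for net in nets):
            return iface
    return None


def describe_icmp(icmp: Optional[Tuple[int, int]]) -> str:
    if icmp is None:
        return ""
    return ICMP_NAMES.get(icmp, f"type {icmp[0]} code {icmp[1]}")


def find_misplaced_sources(log_text: str) -> List[Deny]:
    """Return denies whose source prefix is mapped to an interface other than
    the one the ASA says it received the packet on (possible spoofing or an
    asymmetric/misrouted path)."""
    hits = []
    for line in log_text.splitlines():
        d = parse_106023(line)
        if d is None:
            continue
        expected = expected_interface(d.src_ip)
        if expected is not None and expected != d.src_if:
            hits.append(d)
    return hits


if __name__ == "__main__":
    for d in find_misplaced_sources(SAMPLE_LOG):
        print(f"{d.src_ip} belongs to {expected_interface(d.src_ip)} but "
              f"entered on {d.src_if}; {d.proto} to {d.dst_ip} "
              f"{describe_icmp(d.icmp)} (acl {d.acl})")
```

Running it over the sample flags the two ICMP lines (source 10.10.33.4 received on outside) and stays quiet on the TCP line, whose source is not in any inside prefix. On a real box the same question can be put to the ASA directly with a capture on the outside interface filtered on host 10.10.33.4, which shows the actual frame (and its MAC source) rather than the summarised deny.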

Do you know if the wireless controllers might be generating these packets? And somehow the ASA is acting as a proxy or something for the ICMP packets? Even if this was the case it does not make sense as to why traffic “coming from” 10.10.33.4 would be dropped by the outside access-list. Unless something is spoofing the address of the inside interface of the ASA…

I've looked through the logs of the ASAs at other remote sites with similar configurations and this site is the only one where this is happening. I have not found any obvious configuration differences.

The version on the ASA is 8.4(1); I'm going to look through the bug notes again. Maybe there is something there I have missed.
