There are two subnets behind this firewall. The directly connected one is 10.10.33.0/24 and the other network 10.11.33.0/24 is one hop away from the firewall.
The "inside" interface address of the firewall is 10.10.33.4/24.
This ASA is used to terminate a VPN tunnel; I have the sysopt connection permit-vpn command on this device so all VPN traffic is allowed through.
Because of this, on the outside interface I have a deny any any statement.
So here is the problem. I am seeing something interesting in the logs of this ASA. It looks like the inside interface is trying to ping some lightweight access points on the 10.11.33.0/24 subnet. The controller for these access points is not at the remote location, the controller is at the main campus. The logs indicate that the access list on the outside interface is denying icmp from the inside interface of the ASA (10.10.33.4).
Do you know if the wireless controllers might be generating these packets? And somehow the ASA is acting as a proxy or something for the ICMP packets? Even if this was the case it does not make sense as to why traffic “coming from” 10.10.33.4 would be dropped by the outside access-list. Unless something is spoofing the address of the inside interface of the ASA…
I've looked through the logs of the ASAs at other remote sites with similar configurations and this site is the only one where this is happening. I have not found any obvious configuration differences.
The version on the ASA is 8.4.(1); I'm going to look through the bug notes again. Maybe there is something there I have missed.
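One way to sift the firewall syslog for the pattern described in this post (added example, not part of the original post): pull out ACL-deny events in the standard ASA 106023 message format and flag those whose source address is one of the firewall's own interface addresses, which is the spoofing question raised above. The interface address 10.10.33.4 and the 10.11.33.0/24 subnet come from the post; the log lines, the "outside_access_in" ACL name and the destination hosts are constructed samples.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# ASA %ASA-4-106023 ACL-deny format; ports and ICMP type/code are optional.
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src>[\d.]+)"
    r"(?:/\d+)? dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/\d+)?"
    r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?"
    r' by access-group "(?P<acl>[^"]+)"'
)

# Addresses the firewall itself owns (inside interface from the post).
FIREWALL_ADDRESSES = {"10.10.33.4"}
# Subnet holding the lightweight access points (from the post).
AP_SUBNET = ip_network("10.11.33.0/24")

# Constructed sample syslog lines, not taken from the original post.
SAMPLE_LOGS = [
    '%ASA-4-106023: Deny icmp src outside:10.10.33.4 dst inside:10.11.33.21 '
    '(type 8, code 0) by access-group "outside_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny icmp src outside:10.10.33.4 dst inside:10.11.33.22 '
    '(type 8, code 0) by access-group "outside_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src outside:203.0.113.9/51234 dst inside:10.10.33.10/22 '
    'by access-group "outside_access_in" [0x0, 0x0]',
    '%ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/443 '
    '(198.51.100.7/443) to inside:10.10.33.50/40000 (10.10.33.50/40000)',
]


def parse_deny(line):
    """Return the fields of a 106023 deny message, or None for other messages."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def find_self_sourced_denies(lines, fw_addrs=FIREWALL_ADDRESSES):
    """Deny events whose source claims a firewall interface address.

    Such packets arriving on the outside ACL cannot have been sent by the
    firewall's inside interface, so they point at spoofing or a routing loop.
    Each hit is tagged with whether it is an ICMP echo aimed at the AP subnet.
    """
    hits = []
    for line in lines:
        ev = parse_deny(line)
        if ev and ev["src"] in fw_addrs:
            ev["echo_to_ap"] = (ev["proto"] == "icmp" and ev.get("type") == "8"
                                and ip_address(ev["dst"]) in AP_SUBNET)
            hits.append(ev)
    return hits


def summarize(hits):
    """Count suspicious denies per (protocol, destination) to show what is probed."""
    return Counter((h["proto"], h["dst"]) for h in hits)
```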