ASA Security Question
marcusaureliusbrutus
Member Posts: 73 ■■□□□□□□□□
Hi,
I am checking the logs of my ASA and find that there are several public IP addresses coming from the inside interface that are being dropped by my ASA since i have explicitly configured my NAT to translate only specified private IP addresses. What baffles me, however, is how this public source IP was able to even reach my ASA. I have a 4500 core switch with switch port mode access enabled on all interfaces except trunk ports. Any machine that will statically set its IP where that IP is not part of that vlan, won't be able to ping even the core switch.
Can anyone clarify this for me?
Thanks.
I am checking the logs of my ASA and find that there are several public IP addresses coming from the inside interface that are being dropped by my ASA since i have explicitly configured my NAT to translate only specified private IP addresses. What baffles me, however, is how this public source IP was able to even reach my ASA. I have a 4500 core switch with switch port mode access enabled on all interfaces except trunk ports. Any machine that will statically set its IP where that IP is not part of that vlan, won't be able to ping even the core switch.
Can anyone clarify this for me?
Thanks.
Comments
-
fightclub34
Member Posts: 41 ■■□□□□□□□□
do a capture of the traffic on the asa and see what you get. Maybe it will tell you if it is sourcing from elsewhere
-
Ahriakin
Member Posts: 1,799 ■■■■■■■■□□
Yup capture it, get the source MAC, do a show arp with that address piped on an include to see if it matches any known hosts (likely in this case a router, but it may be a compromised host). Also on the connected switch use show mac-address-dynamic to find which port it is originating from, traceback through your routers and Switches using arp and mac-address shows.We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?