• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3594
  • Last Modified:

Cisco ASA message

Hello Experts,
I have a Cisco ASA-5520 running version 8.4(1). I've been seeing quite a few of these messages in my syslog lately. What has me concerned is that the message says that the packet originates from the inside interface & that the source is 10.37.131.58.  I have no such address space on my internal network. 192.168.1.7 is the router facing the Cisco ASA. Can someone enlighten me as to what is going on?

%ASA-4-313005: No matching connection for ICMP error message: icmp src inside:192.168.1.7 dst Outside:10.37.131.58 (type 11, code 0) on inside interface.
Original IP payload: tcp src 10.37.131.58/61004 dst 72.14.204.120/443.
0
SpokaneISD
Asked:
SpokaneISD
  • 2
  • 2
1 Solution
 
jmeggersSr. Network and Security EngineerCommented:
No, it says the destination is 10.37.131.58.

icmp src inside:192.168.1.7 dst Outside:10.37.131.58
0
 
SpokaneISDAuthor Commented:
The message is rather confusing as there are two componants:
1:  No matching connection for ICMP error message: icmp src inside:192.168.1.7 dst Outside:10.37.131.58
2: Original IP payload: tcp src 10.37.131.58/61004 dst 72.14.204.120/443.

So which is the ACTUAL source IP?
If the source of 192.168.1.7 is the real inside source, I can't figure out why my router would be trying to ping that destination address.


0
 
jmeggersSr. Network and Security EngineerCommented:
Hmm...  Good question.  Do you have a VPN tunnel to someplace that uses 10.x.x.x addressing?

Looks like the original payload is HTTPS (destination port 443).  
0
 
MikeKaneCommented:
IT almost seems as if a public PC connected over 443 to your host at 192.168.1.7.    Your .7 host almost seems to be sending an ICMP echo back in response to this through the ASA, but the ASA drops it because there was no matching inbound icmp.  

0
 
SpokaneISDAuthor Commented:
So as it turns out 10.37.131.58 is on another internal network that is connected to my main internal network.  This network has a different group of administrators & they were inadvertently sending traffic towards me that should have been going out their firewall.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now