Solved

Cisco ASA message

Posted on 2011-09-30
Last Modified: 2012-05-12
Hello Experts,
I have a Cisco ASA-5520 running version 8.4(1). I've been seeing quite a few of these messages in my syslog lately. What has me concerned is that the message says that the packet originates from the inside interface & that the source is 10.37.131.58.  I have no such address space on my internal network. 192.168.1.7 is the router facing the Cisco ASA. Can someone enlighten me as to what is going on?

%ASA-4-313005: No matching connection for ICMP error message: icmp src inside:192.168.1.7 dst Outside:10.37.131.58 (type 11, code 0) on inside interface.
Original IP payload: tcp src 10.37.131.58/61004 dst 72.14.204.120/443.
Question by:SpokaneISD
5 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 36892797
No, it says the destination is 10.37.131.58.

icmp src inside:192.168.1.7 dst Outside:10.37.131.58
 

Author Comment

by:SpokaneISD
ID: 36892853
The message is rather confusing as there are two components:
1:  No matching connection for ICMP error message: icmp src inside:192.168.1.7 dst Outside:10.37.131.58
2: Original IP payload: tcp src 10.37.131.58/61004 dst 72.14.204.120/443.

So which is the ACTUAL source IP?
If the source of 192.168.1.7 is the real inside source, I can't figure out why my router would be trying to ping that destination address.


 
LVL 18

Expert Comment

by:jmeggers
ID: 36894049
Hmm...  Good question.  Do you have a VPN tunnel to someplace that uses 10.x.x.x addressing?

Looks like the original payload is HTTPS (destination port 443).  
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 36897646
It almost seems as if a public PC connected over 443 to your host at 192.168.1.7. Your .7 host almost seems to be sending an ICMP echo back in response to this through the ASA, but the ASA drops it because there was no matching inbound ICMP.

 

Author Comment

by:SpokaneISD
ID: 36905536
So as it turns out 10.37.131.58 is on another internal network that is connected to my main internal network.  This network has a different group of administrators & they were inadvertently sending traffic towards me that should have been going out their firewall.
0
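
An added example (not part of the original thread and not Cisco code): a Python parser for the 313005 message quoted in the question. It separates the ICMP error's own addresses from the embedded original packet and checks the original sender against a list of documented inside networks. `KNOWN_INSIDE`, the sample string and the function names are assumptions for illustration; the type/code descriptions are from RFC 792.

```python
import ipaddress
import re

# Matches the 313005 text as quoted in the question (on one or two lines).
MSG_RE = re.compile(
    r"%ASA-4-313005: No matching connection for ICMP error message: "
    r"icmp src (?P<icmp_src_if>[^:\s]+):(?P<icmp_src>[\d.]+) "
    r"dst (?P<icmp_dst_if>[^:\s]+):(?P<icmp_dst>[\d.]+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\) on (?P<on_if>\S+) interface\.\s+"
    r"Original IP payload: (?P<proto>\w+) "
    r"src (?P<orig_src>[\d.]+)/(?P<orig_sport>\d+) "
    r"dst (?P<orig_dst>[\d.]+)/(?P<orig_dport>\d+)"
)
# Some ICMP error type/code pairs from RFC 792 (not exhaustive).
ICMP_ERRORS = {
    (3, 1): "destination unreachable: host unreachable",
    (3, 3): "destination unreachable: port unreachable",
    (11, 0): "time exceeded: TTL exceeded in transit",
    (11, 1): "time exceeded: fragment reassembly time exceeded",
}
# Constructed sample: the message from the question joined onto one line.
SAMPLE = ("%ASA-4-313005: No matching connection for ICMP error message: "
          "icmp src inside:192.168.1.7 dst Outside:10.37.131.58 "
          "(type 11, code 0) on inside interface. "
          "Original IP payload: tcp src 10.37.131.58/61004 dst 72.14.204.120/443.")
# Assumption: the only documented inside range; replace with your address plan.
KNOWN_INSIDE = ["192.168.1.0/24"]

def parse_313005(line):
    """Return the message fields as a dict, or None if the line does not match."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    for key in ("type", "code", "orig_sport", "orig_dport"):
        f[key] = int(f[key])
    return f

def triage(f, known_inside=KNOWN_INSIDE):
    """Say who reported the error, whose packet caused it, and if that host is known."""
    sender = ipaddress.ip_address(f["orig_src"])
    return {
        "reporter": f["icmp_src"],          # device that generated the ICMP error
        "original_sender": f["orig_src"],   # host whose packet triggered it
        "original_flow": "%s %s:%d -> %s:%d" % (f["proto"], f["orig_src"],
                         f["orig_sport"], f["orig_dst"], f["orig_dport"]),
        "icmp_meaning": ICMP_ERRORS.get((f["type"], f["code"]), "other ICMP error"),
        # An ICMP error goes back to the sender of the packet that caused it.
        "addresses_consistent": f["icmp_dst"] == f["orig_src"],
        "sender_in_known_inside": any(sender in ipaddress.ip_network(n) for n in known_inside),
    }
```

Run over an ASA syslog file, a `sender_in_known_inside` value of `False` on the inside interface points at the kind of undocumented adjacent network the author eventually found.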
