Solved

Cisco ASA message

Posted on 2011-09-30
5
3,330 Views
Last Modified: 2012-05-12
Hello Experts,
I have a Cisco ASA-5520 running version 8.4(1). I've been seeing quite a few of these messages in my syslog lately. What has me concerned is that the message says that the packet originates from the inside interface & that the source is 10.37.131.58.  I have no such address space on my internal network. 192.168.1.7 is the router facing the Cisco ASA. Can someone enlighten me as to what is going on?

%ASA-4-313005: No matching connection for ICMP error message: icmp src inside:192.168.1.7 dst Outside:10.37.131.58 (type 11, code 0) on inside interface.
Original IP payload: tcp src 10.37.131.58/61004 dst 72.14.204.120/443.
0
Comment
Question by:SpokaneISD
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 36892797
No, it says the destination is 10.37.131.58.

icmp src inside:192.168.1.7 dst Outside:10.37.131.58
0
 

Author Comment

by:SpokaneISD
ID: 36892853
The message is rather confusing as there are two componants:
1:  No matching connection for ICMP error message: icmp src inside:192.168.1.7 dst Outside:10.37.131.58
2: Original IP payload: tcp src 10.37.131.58/61004 dst 72.14.204.120/443.

So which is the ACTUAL source IP?
If the source of 192.168.1.7 is the real inside source, I can't figure out why my router would be trying to ping that destination address.


0
 
LVL 18

Expert Comment

by:jmeggers
ID: 36894049
Hmm...  Good question.  Do you have a VPN tunnel to someplace that uses 10.x.x.x addressing?

Looks like the original payload is HTTPS (destination port 443).  
0
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 36897646
IT almost seems as if a public PC connected over 443 to your host at 192.168.1.7.    Your .7 host almost seems to be sending an ICMP echo back in response to this through the ASA, but the ASA drops it because there was no matching inbound icmp.  

0
 

Author Comment

by:SpokaneISD
ID: 36905536
So as it turns out 10.37.131.58 is on another internal network that is connected to my main internal network.  This network has a different group of administrators & they were inadvertently sending traffic towards me that should have been going out their firewall.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question