Hello everybody, thanks for your advice.
I have about five servers behind a Cisco ASA 5510, using local IP addresses, like 192.168.0.0/24, on a switch.
The Cisco provides static NAT on some ports. For instance, I have a mail server, and the Cisco does static NAT on ports 993 and 25 only. If I try to access port 8000 or 8080 with telnet from an external IP, the connection is refused, which is normal.
Because I don't trust other machines already in place, I have temporarily added a software firewall on it. It's a simple Linux mail server, and the firewall is iptables. The input/output/forward policies are set to log/drop.
However, on this internal interface I receive packets that "seem" to come from external addresses, for instance 60.172.223.15, to port 8000.
So, here are my questions.
I think the Cisco doesn't let IP-spoofed packets enter on the external interface. Can you confirm this?
So, is it a local server that sends IP-spoofed packets and tries to bounce off my server?
Or do the IP-spoofed packets come directly from my mail server?
Thanks again.
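The three possibilities raised above (forwarded by the ASA, injected by another host on the switch, or generated by the mail server itself) can be told apart from the iptables LOG lines themselves, because the kernel records the ingress interface and the Ethernet header: a packet created on the host appears with an empty IN= field in the OUTPUT chain, and a packet received from the LAN carries the source MAC of whichever station put it on the wire. The script below is an added example, not code from the original post: it parses constructed iptables LOG lines and classifies each non-local source by that evidence. The subnet 192.168.0.0/24 is taken from the post; the gateway MAC (the ASA's inside interface) and the sample log lines are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Local prefix from the post. GATEWAY_MAC is a constructed placeholder for the
# ASA's inside-interface MAC; replace it with the real value (e.g. from the ASA's
# "show interface" output or the mail server's ARP table).
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")
GATEWAY_MAC = "00:1a:2b:3c:4d:5e"

# Fields written by the iptables LOG target; IN= and OUT= may be empty.
FIELD_RE = re.compile(r"\b(IN|OUT|MAC|SRC|DST|PROTO|DPT)=(\S*)")


def parse_log_line(line):
    """Return the LOG fields we need as a dict, or None for a non-LOG syslog line."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields:
        return None
    return fields


def source_mac(mac_field):
    """The kernel's MAC= field is dst(6 bytes):src(6 bytes):ethertype(2 bytes).
    Return the source MAC, or None if the field is absent or not Ethernet-shaped."""
    parts = mac_field.split(":")
    if len(parts) < 12:
        return None
    return ":".join(parts[6:12]).lower()


def classify(fields, local_net=LOCAL_NET, gateway_mac=GATEWAY_MAC):
    """Decide where a logged packet physically came from."""
    src = ipaddress.ip_address(fields["SRC"])
    if not fields.get("IN"):
        # Empty IN= means the OUTPUT chain logged it: this host built the packet.
        return "generated-locally"
    if src in local_net:
        return "local-source"
    mac = source_mac(fields.get("MAC", ""))
    if mac is None:
        return "no-mac"
    if mac == gateway_mac.lower():
        # Came through the ASA's inside interface, i.e. routed/NATed by the firewall.
        return "via-gateway"
    # Non-local source address, but the frame came from another LAN station.
    return f"spoofed-by-lan-host:{mac}"


def summarize(lines):
    """Count classifications over an iterable of syslog lines."""
    counts = Counter()
    for line in lines:
        fields = parse_log_line(line)
        if fields is not None:
            counts[classify(fields)] += 1
    return counts


# Constructed sample log lines (not captured from the poster's server).
# Mail server MAC is 00:0c:29:aa:bb:cc; 00:50:56:11:22:33 is another LAN host.
SAMPLE_LOG = [
    # 1. External-looking source arriving from the gateway MAC: forwarded by the ASA.
    "Jan 10 12:00:01 mail kernel: [100.1] IN=eth0 OUT= "
    "MAC=00:0c:29:aa:bb:cc:00:1a:2b:3c:4d:5e:08:00 SRC=60.172.223.15 "
    "DST=192.168.0.10 LEN=60 TTL=48 PROTO=TCP SPT=45321 DPT=8000 SYN",
    # 2. Same source address, but the frame came from a different LAN station.
    "Jan 10 12:00:02 mail kernel: [100.2] IN=eth0 OUT= "
    "MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=60.172.223.15 "
    "DST=192.168.0.10 LEN=60 TTL=64 PROTO=TCP SPT=51000 DPT=8000 SYN",
    # 3. Ordinary packet from a neighbour on the local subnet.
    "Jan 10 12:00:03 mail kernel: [100.3] IN=eth0 OUT= "
    "MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=192.168.0.20 "
    "DST=192.168.0.10 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=25 SYN",
    # 4. OUTPUT-chain log: the mail server itself emitted a packet.
    "Jan 10 12:00:04 mail kernel: [100.4] IN= OUT=eth0 "
    "SRC=192.168.0.10 DST=60.172.223.15 LEN=60 TTL=64 PROTO=TCP SPT=8000 DPT=45321 ACK",
    # 5. Unrelated syslog noise, ignored by the parser.
    "Jan 10 12:00:05 mail sshd[123]: Accepted publickey for admin",
]

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{label}: {n}")
```

Run it against the real log with `summarize(open("/var/log/kern.log"))` after setting GATEWAY_MAC; a count under `spoofed-by-lan-host:<mac>` names the switch port to look at, while `via-gateway` hits on port 8000 point back at the ASA's NAT or ACL configuration rather than at a neighbour.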