Cisco ASA – Why Internal Traffic Appears on External Interface

cisco-asa

I am seeing the following messages in my ASA Log files:

2015-09-10T14:22:07.860487-05:00 natbox %ASA-2-106006: Deny inbound UDP from 172.17.136.168/16403 to 172.17.136.168/16403 on interface Outside_128.255.2.116/30
2015-09-10T14:22:07.860487-05:00 natbox %ASA-2-106006: Deny inbound UDP from 172.17.136.168/16403 to 172.17.136.168/16403 on interface Outside_128.255.2.116/30
2015-09-10T14:22:07.860491-05:00 natbox %ASA-2-106006: Deny inbound UDP from 172.17.136.168/16403 to 172.17.136.168/16403 on interface Outside_128.255.2.116/30

The 172.17.128.0/17 network should be internal (on the inside interface of the NAT box) and not appear on the Outside Interface.

Here are the NAT statements from the config:

object network WLAN_USR_GLOBAL_POOL_129_255_228_0
 range 129.255.228.10 129.255.231.254

object network ARUBA_LOCAL_172_17_128_0
  subnet 172.17.128.0 255.255.128.0

object network ARUBA_LOCAL_172_17_128_0
  nat (any,any) dynamic pat-pool WLAN_USR_GLOBAL_POOL_129_255_228_0 round-robin

UPDATE: I executed a small packet capture on the outgoing interface of the ASA and I'm not seeing any traffic from 172.17.128.0/17. So I suspect something else.

Update (simplified diagram):

Diagram

Traffic to the Internet follows the wireless router's default route to the ASA to be NAT'd.

Traffic to internal networks is routed by more specific routes directly to the core router.

Update 2015-09-15: The Cisco TAC recommended that I specify the source and destination interfaces rather than (any,any), so I did that. It did not make a difference.

Thanks.

Best Answer

It turns out that for some reason inside hosts were trying to talk to other inside hosts using their public IP. We suspect some sort of service where the public IP is registered.

To prevent the traffic from reaching the ASA we put a routing statement to black-hole traffic coming from the inside to outside addresses.
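Triaging this kind of log on the syslog side is easier with a small parser. The script below is an added example and is not code from the question, the answer, or Cisco: it parses the %ASA-2-106006 "Deny inbound" lines quoted above, counts repeated entries, and flags the two symptoms that pointed at the real cause here: a packet whose source and destination are the same host and port, and an address from the inside range showing up on an outside-facing interface. It assumes the 172.17.128.0/17 range from the question is the internal space and that the outside interface's name begins with "Outside"; the sample log lines are constructed (the three lines from the question plus one unrelated deny and one non-deny message).

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Matches the %ASA-2-106006 "Deny inbound" lines quoted in the question.
# The interface name can itself contain "/" (e.g. Outside_128.255.2.116/30),
# so it is captured as non-whitespace to end of line.
DENY_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+%ASA-(?P<sev>\d)-(?P<msgid>\d+):\s+"
    r"Deny inbound (?P<proto>[A-Za-z]+) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) on interface (?P<iface>\S+)$"
)

# Assumption: the range the question says should only live behind the inside interface.
INTERNAL_NETS = [ipaddress.ip_network("172.17.128.0/17")]


@dataclass(frozen=True)
class DenyEvent:
    ts: str
    msgid: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str


def parse_deny(line):
    """Return a DenyEvent for a 106006-style line, or None if the line is something else."""
    m = DENY_RE.match(line.strip())
    if not m:
        return None
    return DenyEvent(
        ts=m["ts"], msgid=m["msgid"], proto=m["proto"].upper(),
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), iface=m["iface"],
    )


def classify(ev, internal_nets=INTERNAL_NETS):
    """Label the conditions that make a deny worth a second look."""
    src, dst = ipaddress.ip_address(ev.src), ipaddress.ip_address(ev.dst)
    on_outside = ev.iface.lower().startswith("outside")  # assumption: naming convention
    flags = []
    if src == dst and ev.sport == ev.dport:
        # Identical endpoints on both sides: a land-style packet, or an inside host
        # addressing its own NAT address and being un-translated back to itself.
        flags.append("src_equals_dst")
    if on_outside and any(src in n for n in internal_nets):
        flags.append("internal_src_on_outside")
    if on_outside and any(dst in n for n in internal_nets):
        flags.append("internal_dst_on_outside")
    return tuple(flags)


def summarize(lines, internal_nets=INTERNAL_NETS):
    """Group parsed denies by (src, dst, iface); count repeats and attach flags."""
    counts = Counter()
    flags = {}
    for line in lines:
        ev = parse_deny(line)
        if ev is None:
            continue  # not a 106006 deny; ignore
        key = (ev.src, ev.dst, ev.iface)
        counts[key] += 1
        flags[key] = classify(ev, internal_nets)
    return {k: {"count": c, "flags": flags[k]} for k, c in counts.items()}


# Constructed sample: the question's three lines, one unrelated deny using
# documentation addresses, and one non-deny message that must be skipped.
SAMPLE_LOG = [
    "2015-09-10T14:22:07.860487-05:00 natbox %ASA-2-106006: Deny inbound UDP from 172.17.136.168/16403 to 172.17.136.168/16403 on interface Outside_128.255.2.116/30",
    "2015-09-10T14:22:07.860487-05:00 natbox %ASA-2-106006: Deny inbound UDP from 172.17.136.168/16403 to 172.17.136.168/16403 on interface Outside_128.255.2.116/30",
    "2015-09-10T14:22:07.860491-05:00 natbox %ASA-2-106006: Deny inbound UDP from 172.17.136.168/16403 to 172.17.136.168/16403 on interface Outside_128.255.2.116/30",
    "2015-09-10T14:22:09.000000-05:00 natbox %ASA-2-106006: Deny inbound UDP from 203.0.113.5/53 to 198.51.100.7/40000 on interface Outside_128.255.2.116/30",
    "2015-09-10T14:22:10.000000-05:00 natbox %ASA-6-302013: Built inbound TCP connection 12345 for Outside_128.255.2.116/30:203.0.113.5/443",
]

if __name__ == "__main__":
    for key, info in summarize(SAMPLE_LOG).items():
        print(key, info["count"], info["flags"])
```

Feed it the raw syslog lines (one per list element, or `sys.stdin` in a real run); any key carrying both `src_equals_dst` and an `internal_*_on_outside` flag is the pattern described in the answer, and the repeat count tells you how chatty that host is.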