Hi,
Wondering if anyone has an explanation for what we are seeing in our network scan results. We recently replaced our aging firewall with a Cisco FirePower. The older firewall didn't exhibit this behavior.
So here is what's happening.
If we run a network scan (using the Advanced Port Scanner tool) WHILE connected to the network via VPN, we see 256 live hosts, while there are only a handful of live hosts. A Wireshark capture on the VPN interface reveals that the tool is sending out ARP broadcasts and getting ARP responses for every single IP of the subnet being scanned.
What's interesting is that all ARP responses come from the 00:11:22:33:44:55 MAC address assigned to the VPN interface of the FirePower.
VPN Pool: 10.1.20.0/24
VPN Gateway: 10.1.20.1
Subnet Being Scanned: 192.168.50.0/24
Would greatly appreciate it if someone could comment on this behavior.
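As an added example that is not part of the original post: a small Python script that checks captured ARP replies for the pattern described above, namely one MAC address answering for many addresses in the scanned subnet. The firewall MAC and the subnets are taken from the post; the per-IP reply lines are constructed, and the assumed input format is the "IP<TAB>MAC" output of a tshark field export (the exact tshark command is an assumption, not something the post shows). The script separates addresses whose ARP reply came from a suspected proxy, which tells you nothing about whether a host is actually there, from addresses answered by distinct MACs, which ARP alone can reasonably support as live.

```python
"""Spot proxy-ARP style answers in exported ARP replies.

Added example; not code from the original post. Assumes the replies were
exported from the Wireshark/tshark capture as "IP<TAB>MAC" lines, e.g.
    tshark -r vpn.pcapng -Y "arp.opcode == 2" -T fields \
        -e arp.src.proto_ipv4 -e arp.src.hw_mac
(assumed command). The MAC address and subnets below are copied from the
post; the individual reply lines are constructed sample data.
"""
from collections import defaultdict
import ipaddress

# Constructed sample input (not a real capture). Five replies for the scanned
# subnet all come from the firewall's VPN-interface MAC; three replies from a
# second, hypothetical subnet come from three different MACs, as real hosts
# on a local segment would answer.
SAMPLE_REPLIES = """\
192.168.50.1\t00:11:22:33:44:55
192.168.50.2\t00:11:22:33:44:55
192.168.50.3\t00:11:22:33:44:55
192.168.50.4\t00:11:22:33:44:55
192.168.50.5\t00:11:22:33:44:55
192.168.60.10\t08:00:27:aa:bb:01
192.168.60.11\t08:00:27:aa:bb:02
192.168.60.12\t08:00:27:aa:bb:03
"""


def parse_replies(text):
    """Return a dict MAC -> set of IP addresses that MAC claimed to own."""
    by_mac = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac = line.split("\t")
        by_mac[mac.lower()].add(ipaddress.ip_address(ip))
    return by_mac


def suspected_proxies(by_mac, scanned, min_ips=3):
    """MACs that answered for more than `min_ips` distinct addresses inside
    the scanned subnet. One NIC legitimately owns one, maybe a few, addresses;
    answering for many of them is the proxy-ARP signature."""
    net = ipaddress.ip_network(scanned)
    out = {}
    for mac, ips in by_mac.items():
        inside = sorted(ip for ip in ips if ip in net)
        if len(inside) > min_ips:
            out[mac] = inside
    return out


def plausible_hosts(by_mac, scanned, min_ips=3):
    """Addresses in the scanned subnet whose reply did NOT come from a
    suspected proxy. Only these are supported as live by ARP evidence; the
    proxied ones need an ICMP/TCP probe through the tunnel to confirm."""
    net = ipaddress.ip_network(scanned)
    proxies = suspected_proxies(by_mac, scanned, min_ips)
    hosts = set()
    for mac, ips in by_mac.items():
        if mac in proxies:
            continue
        hosts.update(ip for ip in ips if ip in net)
    return sorted(hosts)


def analyze(text, scanned, min_ips=3):
    """Parse the export and report proxies and ARP-supported hosts as strings."""
    by_mac = parse_replies(text)
    proxies = suspected_proxies(by_mac, scanned, min_ips)
    return {
        "proxies": {mac: [str(ip) for ip in ips] for mac, ips in proxies.items()},
        "plausible_hosts": [str(ip) for ip in plausible_hosts(by_mac, scanned, min_ips)],
    }


if __name__ == "__main__":
    for subnet in ("192.168.50.0/24", "192.168.60.0/24"):
        print(subnet, analyze(SAMPLE_REPLIES, subnet))
```

Run against the constructed sample, the 192.168.50.0/24 scan yields one suspected proxy (the firewall MAC) and no ARP-supported hosts, while the 192.168.60.0/24 scan yields no proxy and three plausible hosts. The `min_ips` threshold exists because a single MAC owning a handful of addresses (secondary IPs, a first-hop redundancy address) is normal; a single MAC owning most of a /24 is not.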