topic Re: ASA leaking internal IP in Network Security

ASA leaking internal IP

Brianoh733 — Tue, 04 Aug 2020 16:29:42 GMT

Hi,

We had a external pen test done and we were told that our firewall is leaking internal IP address. (Waiting for the official report)

I started gathering some logs and did find nmap from external to internal host. (Source was public IP and destination was our internal IP)

I am a beginner level and I have checked ASA and I do not find any holes.

Can someone please point me in right direction.

We have one to one static NAT for our public facing services. ASA 5515

Attach is a screenshot from PCAP file.

Thank you,

Brian

Re: ASA leaking internal IP

Marvin Rhoads — Tue, 04 Aug 2020 17:04:23 GMT

More than once I have seen external "pen tests" report false positives. If you can share more details we can have a look at it.

Re: ASA leaking internal IP

Mohammed al Baqari — Tue, 04 Aug 2020 17:06:40 GMT

Private IPs are not routable over internet. To confirm that the responses
are from your actual hosts use -sV option in nmap. This will fingerprint
the service.

Re: ASA leaking internal IP

Brianoh733 — Tue, 04 Aug 2020 18:04:13 GMT

Attach file is a report from Nessus scan. I ran from public internet and targeted one of our public server.

Re: ASA leaking internal IP

Brianoh733 — Tue, 04 Aug 2020 18:05:46 GMT

This are our current alerts from the SIEM. All the destinations shows private IP now.

Re: ASA leaking internal IP

Mohammed al Baqari — Tue, 04 Aug 2020 18:27:40 GMT

Hi, most likely this is from your isp proxy instead of your hosts.

Run nmap -n -v -sT -sV ##ip### -p 80,443

See if the response match the version of your iis/Apache

Re: ASA leaking internal IP

Brianoh733 — Tue, 04 Aug 2020 19:06:23 GMT

I ran the one nmap from a system on public internet targeting our web server public IP and I ran second nmap from a system inside our network targeting our webserver internal IP.

Both the results were same.

PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Re: ASA leaking internal IP

Brianoh733 — Wed, 05 Aug 2020 06:18:42 GMT

I did the NMAP scan from public internet to our public facing server public IP and capture the logs from my ASA.

The logs on ASA showed my laptop public IP as source but showed my public facing server private IP as destination.

That's probably cause of NAT?

Is that a normal for ASA so show private IP of my public server as destination under the logs? Rather than public IP on which NMAP was ran?

My SIEM get's logs from ASA and since ASA has destination IP as private IP, my SIEM alerts me of an External to Internal one on one scan.

Brian.