topic Re: Inbound TCP connection denied - ASA in Network Security

Inbound TCP connection denied - ASA

edhunterr — Thu, 27 Jan 2022 09:08:17 GMT

Hello,

I'm getting these messages on my ASA and I am trying to understand why.

%ASA-2-106001: Inbound TCP connection denied from x.x.x.75/443 to 172.24.2.35/64941 flags SYN ACK on interface internet
%ASA-2-106001: Inbound TCP connection denied from x.x.x.75/443 to 172.24.2.35/64953 flags SYN ACK on interface internet
%ASA-2-106001: Inbound TCP connection denied from x.x.x.75/443 to 172.24.1.41/23887 flags ACK on interface internet
%ASA-2-106001: Inbound TCP connection denied from x.x.x.75/443 to 172.24.1.41/23887 flags ACK on interface internet
%ASA-2-106001: Inbound TCP connection denied from x.x.x.75/443 to 172.24.1.41/23887 flags FIN ACK on interface internet

Heres an overview of the network plus some more info that might help.

The user has a webrtc client for voice running, the public IP (x.x.x.75) is the Voice service provider's server/PBX. Access to the platform is fine, voice is also ok and port 443 is tested and it is open.

(disregard the /30 in the image)

I also did a capture and i get this (y.y.y.y is my public IP. I guess logging shows the internal nated IP but capture shows the actual public)

x.x.x.x.75.443 > y.y.y.y.64492: S 2894374938:2894374938(0) ack 2890855200 win 64240 <mss 1460,nop,nop,sackOK,nop,wscale 7> Drop-reason: (acl-drop) Flow is denied by configured rule

These are my acls

object network VV
subnet x.x.x.64 255.255.255.224

object-group service SERVICE
service-object icmp
service-object tcp destination eq https
service-object udp
service-object tcp source eq https

access-list GRE extended permit gre host 172.24.0.234 host Z.Z.Z.Z
access-list GRE extended permit gre host 172.24.0.234 host Z.Z.Z.Z
access-list INET_IN extended permit object-group SERVICE object VV interface internet
access-list INET_IN extended permit object-group SERVICE interface internet object VV
access-list INET_IN extended permit tcp object VV interface internet
access-list INET_IN extended permit tcp interface internet object VV

I still do not understand why I get denies on inbound traffic. The webrtc client initiates the connection with dest port 443, i do not understand the inbound displayed in the log messages though.

Any advice?

Thanks.

Re: Inbound TCP connection denied - ASA

Rob Ingram — Thu, 27 Jan 2022 10:16:01 GMT

@edhunterr please run packet-tracer from the CLI and provide the output. E.g.

packet-tracer input <inside-interface-name> tcp 172.24.1.41 3000 x.x.x.75 443

What is the 2951 gateway router doing?

What nat configuration on the ASA do you have for the object "VV"? Any relevance to the traffic flow?

Re: Inbound TCP connection denied - ASA

edhunterr — Thu, 27 Jan 2022 12:40:09 GMT

ASA2# packet-tracer input transit0 tcp 172.24.1.41 3000 x.x.x.75 443

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 internet

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (transit0,internet) after-auto source dynamic SUBNET_1_INTRANET interface
Additional Information:
Dynamic translate 172.24.1.41/3000 to y.y.y.y/3000

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (transit0,internet) after-auto source dynamic SUBNET_1_INTRANET interface
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 65909180, packet dispatched to next module

Result:
input-interface: transit0
input-status: up
input-line-status: up
output-interface: internet
output-status: up
output-line-status: up
Action: allow

The gateway is doing failover with sla and track for ISP, default routes to 2 ASAs (including this one) and then some other sla with track for failover of voice traffic. It is also in an OSPF area for the internal networks.

I dont have NATing for the specific public subnet but why would i need it since its my user that is initiating the traffic?

Btw, VV is the public subnet for this service. The one i get the Inbound TCP denies (x.x.x.75).

Re: Inbound TCP connection denied - ASA

Rob Ingram — Thu, 27 Jan 2022 12:44:41 GMT

@edhunterr run a packet capture on the inside interface of the ASA and capture the initial packet from the client 172.24.1.41 to the server .75. post the output.

Is the SLA/tracking/routing working as expected?

Re: Inbound TCP connection denied - ASA

edhunterr — Thu, 27 Jan 2022 12:46:17 GMT

How do i undo Accept as Solution, i clicked on it by mistake 🙂

I think it does. I can only see traffic on this ASA for the specific subnets and thats exactly what i wanted.

Re: Inbound TCP connection denied - ASA

Rob Ingram — Thu, 27 Jan 2022 12:52:02 GMT

@edhunterr no idea, not sure it is possible.

The ASA might have the correct routes, I was referring to the gateway router, as that is the device that is routing to the different ISPs from the client's perspective, right?

As the packet-tracer output confirmed, the traffic from inside to outside should work...but it is only simulating the traffic. Please provide the packet capture output.

Re: Inbound TCP connection denied - ASA

edhunterr — Thu, 27 Jan 2022 12:53:24 GMT

Will do. Setting it up now.

Re: Inbound TCP connection denied - ASA

edhunterr — Thu, 27 Jan 2022 12:59:29 GMT

ASA2# show capture capin

79 packets captured

1: 10:49:12.964076 172.24.1.41.1062 > x.x.x.75.443: . 879109727:879111107(1380) ack 3825543599 win 1024
2: 10:49:12.964107 172.24.1.41.1062 > x.x.x.75.443: P 879111107:879111411(304) ack 3825543599 win 1024
3: 10:49:13.043378 x.x.x.75.443 > 172.24.1.41.1062: . ack 879111411 win 501
4: 10:49:13.208393 x.x.x.75.443 > 172.24.1.41.1062: P 3825543599:3825544518(919) ack 879111411 win 501
5: 10:49:13.215366 172.24.1.41.1062 > x.x.x.75.443: P 879111411:879112745(1334) ack 3825544518 win 1020
6: 10:49:13.301559 x.x.x.75.443 > 172.24.1.41.1062: P 3825544518:3825545369(851) ack 879112745 win 501
7: 10:49:13.307418 172.24.1.41.1062 > x.x.x.75.443: . 879112745:879114125(1380) ack 3825545369 win 1024
8: 10:49:13.307448 172.24.1.41.1062 > x.x.x.75.443: P 879114125:879114139(14) ack 3825545369 win 1024
9: 10:49:13.383113 x.x.x.75.443 > 172.24.1.41.1062: . ack 879114139 win 501
10: 10:49:13.398783 x.x.x.75.443 > 172.24.1.41.1062: . 3825545369:3825546749(1380) ack 879114139 win 501
11: 10:49:13.399011 x.x.x.75.443 > 172.24.1.41.1062: . 3825546749:3825548129(1380) ack 879114139 win 501
12: 10:49:13.399027 x.x.x.75.443 > 172.24.1.41.1062: P 3825548129:3825548516(387) ack 879114139 win 501
13: 10:49:13.400202 172.24.1.41.1062 > x.x.x.75.443: . ack 3825548516 win 1024
14: 10:49:13.539232 172.24.1.41.1101 > x.x.x.75.443: S 3853373032:3853373032(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK>
15: 10:49:13.546831 172.24.1.41.1062 > x.x.x.75.443: P 879114139:879115391(1252) ack 3825548516 win 1024
16: 10:49:13.606719 172.24.1.41.1071 > x.x.x.75.443: P 766786198:766787538(1340) ack 30693156 win 1024
17: 10:49:13.611464 x.x.x.75.443 > 172.24.1.41.1101: S 2174757093:2174757093(0) ack 3853373033 win 64240 <mss 1380,nop,nop,sackOK,nop,wscale 7>
18: 10:49:13.616682 172.24.1.41.1101 > x.x.x.75.443: . ack 2174757094 win 1024
19: 10:49:13.632734 x.x.x.75.443 > 172.24.1.41.1062: P 3825548516:3825549349(833) ack 879115391 win 501
20: 10:49:13.653011 172.24.1.41.1101 > x.x.x.75.443: P 3853373033:3853373550(517) ack 2174757094 win 1024
21: 10:49:13.686716 x.x.x.75.443 > 172.24.1.41.1071: . 30693156:30694536(1380) ack 766787538 win 501
22: 10:49:13.687876 x.x.x.75.443 > 172.24.1.41.1071: P 30694536:30694661(125) ack 766787538 win 501
23: 10:49:13.691462 172.24.1.41.1071 > x.x.x.75.443: . ack 30694661 win 1024
24: 10:49:13.693643 172.24.1.41.1062 > x.x.x.75.443: . ack 3825549349 win 1020
25: 10:49:13.715386 172.24.1.41.1071 > x.x.x.75.443: P 766787538:766788794(1256) ack 30694661 win 1024
26: 10:49:13.715966 172.24.1.41.1062 > x.x.x.75.443: P 879115391:879116649(1258) ack 3825549349 win 1020
27: 10:49:13.716424 172.24.1.41.1070 > x.x.x.75.443: P 3173514276:3173515534(1258) ack 2860233050 win 1024
28: 10:49:13.717721 172.24.1.41.1061 > x.x.x.75.443: P 431239375:431240636(1261) ack 1539786872 win 1024
29: 10:49:13.720086 172.24.1.41.1069 > x.x.x.75.443: P 2852113681:2852114945(1264) ack 3183726635 win 1024
30: 10:49:13.721611 172.24.1.41.1068 > x.x.x.75.443: P 2783458801:2783460061(1260) ack 3335005028 win 1019
31: 10:49:13.723198 x.x.x.75.443 > 172.24.1.41.1101: . ack 3853373550 win 501
32: 10:49:13.724388 x.x.x.75.443 > 172.24.1.41.1101: . 2174757094:2174758474(1380) ack 3853373550 win 501
33: 10:49:13.724449 x.x.x.75.443 > 172.24.1.41.1101: . 2174758474:2174759854(1380) ack 3853373550 win 501
34: 10:49:13.724648 x.x.x.75.443 > 172.24.1.41.1101: P 2174759854:2174760992(1138) ack 3853373550 win 501
35: 10:49:13.725868 172.24.1.41.1101 > x.x.x.75.443: . ack 2174760992 win 1024
36: 10:49:13.728752 172.24.1.41.1101 > x.x.x.75.443: P 3853373550:3853373676(126) ack 2174760992 win 1024
37: 10:49:13.794773 x.x.x.75.443 > 172.24.1.41.1071: P 30694661:30695493(832) ack 766788794 win 501
38: 10:49:13.798329 x.x.x.75.443 > 172.24.1.41.1101: P 2174760992:2174761250(258) ack 3853373676 win 501
39: 10:49:13.799259 172.24.1.41.1071 > x.x.x.75.443: P 766788794:766790051(1257) ack 30695493 win 1020
40: 10:49:13.803547 x.x.x.75.443 > 172.24.1.41.1069: P 3183726635:3183727416(781) ack 2852114945 win 501
41: 10:49:13.806904 x.x.x.75.443 > 172.24.1.41.1061: . 1539786872:1539788252(1380) ack 431240636 win 501
42: 10:49:13.807819 x.x.x.75.443 > 172.24.1.41.1061: P 1539788252:1539788929(677) ack 431240636 win 501
43: 10:49:13.807865 x.x.x.75.443 > 172.24.1.41.1062: P 3825549349:3825550164(815) ack 879116649 win 501
44: 10:49:13.808353 172.24.1.41.1061 > x.x.x.75.443: . ack 1539788929 win 1024
45: 10:49:13.809024 x.x.x.75.443 > 172.24.1.41.1070: . 2860233050:2860234430(1380) ack 3173515534 win 501
46: 10:49:13.809208 x.x.x.75.443 > 172.24.1.41.1070: P 2860234430:2860234769(339) ack 3173515534 win 501
47: 10:49:13.811084 172.24.1.41.1070 > x.x.x.75.443: . ack 2860234769 win 1024
48: 10:49:13.811283 172.24.1.41.1069 > x.x.x.75.443: P 2852114945:2852116207(1262) ack 3183727416 win 1021
49: 10:49:13.811420 172.24.1.41.1101 > x.x.x.75.443: P 3853373676:3853374840(1164) ack 2174761250 win 1023
50: 10:49:13.814746 x.x.x.75.443 > 172.24.1.41.1068: P 3335005028:3335005886(858) ack 2783460061 win 501
51: 10:49:13.833254 172.24.1.41.1068 > x.x.x.75.443: P 2783460061:2783461342(1281) ack 3335005886 win 1024
52: 10:49:13.849489 172.24.1.41.1062 > x.x.x.75.443: . ack 3825550164 win 1024
53: 10:49:13.882888 x.x.x.75.443 > 172.24.1.41.1101: P 2174761250:2174761548(298) ack 3853374840 win 501
54: 10:49:13.886276 x.x.x.75.443 > 172.24.1.41.1101: P 2174761548:2174761597(49) ack 3853374840 win 501
55: 10:49:13.887679 172.24.1.41.1101 > x.x.x.75.443: . ack 2174761597 win 1021
56: 10:49:13.890868 172.24.1.41.1101 > x.x.x.75.443: P 3853374840:3853374959(119) ack 2174761597 win 1021
57: 10:49:13.890899 172.24.1.41.1101 > x.x.x.75.443: P 3853374959:3853375222(263) ack 2174761597 win 1021
58: 10:49:13.893050 x.x.x.75.443 > 172.24.1.41.1069: P 3183727416:3183728089(673) ack 2852116207 win 501
59: 10:49:13.895125 172.24.1.41.1117 > x.x.x.75.443: S 1839183153:1839183153(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK>
60: 10:49:13.912245 172.24.1.41.1069 > x.x.x.75.443: P 2852116207:2852117544(1337) ack 3183728089 win 1024
61: 10:49:13.912352 x.x.x.75.443 > 172.24.1.41.1071: . ack 766790051 win 501
62: 10:49:13.925000 172.24.1.41.1070 > x.x.x.75.443: P 3173515534:3173516797(1263) ack 2860234769 win 1024
63: 10:49:13.925946 x.x.x.75.443 > 172.24.1.41.1068: . 3335005886:3335007266(1380) ack 2783461342 win 501
64: 10:49:13.925962 x.x.x.75.443 > 172.24.1.41.1068: . 3335007266:3335008646(1380) ack 2783461342 win 501
65: 10:49:13.926023 x.x.x.75.443 > 172.24.1.41.1068: . 3335008646:3335010026(1380) ack 2783461342 win 501
66: 10:49:13.926099 172.24.1.41.1062 > x.x.x.75.443: P 879116649:879117908(1259) ack 3825550164 win 1024
67: 10:49:13.926221 x.x.x.75.443 > 172.24.1.41.1068: . 3335010026:3335011406(1380) ack 2783461342 win 501
68: 10:49:13.926389 x.x.x.75.443 > 172.24.1.41.1068: P 3335011406:3335012405(999) ack 2783461342 win 501
69: 10:49:13.926572 x.x.x.75.443 > 172.24.1.41.1071: . 30695493:30696873(1380) ack 766790051 win 501
70: 10:49:13.926618 x.x.x.75.443 > 172.24.1.41.1071: . 30696873:30698253(1380) ack 766790051 win 501
71: 10:49:13.926816 x.x.x.75.443 > 172.24.1.41.1071: . 30698253:30699633(1380) ack 766790051 win 501
72: 10:49:13.926862 x.x.x.75.443 > 172.24.1.41.1071: . 30699633:30701013(1380) ack 766790051 win 501
73: 10:49:13.926908 172.24.1.41.1061 > x.x.x.75.443: P 431240636:431241901(1265) ack 1539788929 win 1024
74: 10:49:13.927076 x.x.x.75.443 > 172.24.1.41.1071: . 30701013:30702393(1380) ack 766790051 win 501
75: 10:49:13.927167 x.x.x.75.443 > 172.24.1.41.1071: . 30702393:30703773(1380) ack 766790051 win 501
76: 10:49:13.927289 x.x.x.75.443 > 172.24.1.41.1071: . 30703773:30705153(1380) ack 766790051 win 501
77: 10:49:13.927396 x.x.x.75.443 > 172.24.1.41.1071: . 30705153:30706533(1380) ack 766790051 win 501
78: 10:49:13.927564 x.x.x.75.443 > 172.24.1.41.1071: . 30706533:30707913(1380) ack 766790051 win 501
79: 10:49:13.927686 x.x.x.75.443 > 172.24.1.41.1071: P 30707913:30708766(853) ack 766790051 win 501
79 packets shown

I dont see a deny in the logs though. Maybe i havent caught it?

Re: Inbound TCP connection denied - ASA

edhunterr — Thu, 27 Jan 2022 13:35:42 GMT

305: 10:58:47.007613 172.24.1.41.1101 > x.x.x.75.443: . ack 2174836780 win 1020
306: 10:58:47.317442 x.x.x.75.443 > 172.24.1.41.1117: P 1272852096:1272852163(67) ack 1839192868 win 501
307: 10:58:47.367855 172.24.1.41.1117 > x.x.x.75.443: . ack 1272852163 win 1021
308: 10:58:47.593780 172.24.1.41.1117 > x.x.x.75.443: P 1839192868:1839193054(186) ack 1272852163 win 1021
309: 10:58:47.665645 x.x.x.75.443 > 172.24.1.41.1117: . ack 1839193054 win 501
310: 10:58:49.965007 x.x.x.75.443 > 172.24.1.41.1101: P 2174836780:2174836847(67) ack 3853380035 win 501
311: 10:58:50.009520 172.24.1.41.1101 > x.x.x.75.443: . ack 2174836847 win 1019
312: 10:58:50.318022 x.x.x.75.443 > 172.24.1.41.1117: P 1272852163:1272852230(67) ack 1839193054 win 501
313: 10:58:50.368099 172.24.1.41.1117 > x.x.x.75.443: . ack 1272852230 win 1021

%ASA-2-106001: Inbound TCP connection denied from x.x.x.75/443 to 172.24.0.66/17267 flags RST on interface internet
%ASA-2-106001: Inbound TCP connection denied from x.x.x.75/443 to 172.24.0.66/17267 flags RST on interface internet

Edit: Sorry this is a different IP, i only added capture for 1.41. I dont see any TCP DENY for that yet.

Re: Inbound TCP connection denied - ASA

Rob Ingram — Thu, 27 Jan 2022 13:34:53 GMT

@edhunterr so it looks like you have bi-directional communication, as you can see the return traffic from the server in the packet capture. This was capturing on the inside interface right?

Those debug syslog error relates to another connection 172.24.0.66 not the client you are capturing for. So are the syslog messages only intermittent?

Re: Inbound TCP connection denied - ASA

edhunterr — Thu, 27 Jan 2022 13:43:07 GMT

Yes it was captured on transit0 which is the interface connected to my gateway. So if i do have bi-directional communication, what are the denies i get?

And yes, they are indeed intermittent.