topic Re: How does this connection attempt to reach internal device? in Network Security

How does this connection attempt to reach internal device?

Jack G — Wed, 01 Jun 2022 14:19:01 GMT

How does a connection from an internet device reach the firewall's outside interface with a connection to a private IP? It's blocked, but still concerning some since I don't have a static NAT for this device, etc.

Re: How does this connection attempt to reach internal device?

balaji.bandi — Wed, 01 Jun 2022 14:26:12 GMT

what is the IP 10.239.36.133 ?

Re: How does this connection attempt to reach internal device?

Jack G — Wed, 01 Jun 2022 14:27:47 GMT

That's an internal server. There's a route on the firewall on how to get to that server.

Re: How does this connection attempt to reach internal device?

balaji.bandi — Wed, 01 Jun 2022 14:32:30 GMT

if that public routable IP, then do you have any rule block outside to inside ?

Re: How does this connection attempt to reach internal device?

Jack G — Wed, 01 Jun 2022 14:36:38 GMT

Yes, it's called block, also the default action would block it, but not sure how 10.239.36.133 is getting into the connection event.

Re: How does this connection attempt to reach internal device?

Marius Gunnerud — Wed, 01 Jun 2022 19:49:53 GMT

What is the IP of SB01MAG01 ?

Are there any other NAT statements other than the three that you posted?

My initial thought is that 10.239.36.133 sends some packets to a destination public IP which then redirects to 192.241.212.215.

Re: How does this connection attempt to reach internal device?

Jack G — Wed, 01 Jun 2022 19:54:56 GMT

SB01MAG01 is 10.220.10.5, so that's not it. RAVPN is enabled on the outside interface which the connector was toward.

Re: How does this connection attempt to reach internal device?

Marius Gunnerud — Wed, 01 Jun 2022 20:23:24 GMT

I still suspect that a redirect is happening. That 10.239.36.133 is sending to the internet via dynamic NAT and then whichever IP it sends to redirects to 192.241.212.215 and then the return traffic does not match any existing connection and gets dropped.

Re: How does this connection attempt to reach internal device?

MHM Cisco World — Thu, 02 Jun 2022 13:20:29 GMT

I think is half-open DDoS if you see only SYN and there is no ACK.

""Protect Servers from a SYN Flood DoS Attack (TCP Intercept)

A SYN-flooding denial of service (DoS) attack occurs when an attacker sends a series of SYN packets to a host. These packets usually originate from spoofed IP addresses. The constant flood of SYN packets keeps the server SYN queue full, which prevents it from servicing connection requests from legitimate users.

You can limit the number of embryonic connections to help prevent SYN flooding attacks. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination.

When the embryonic connection threshold of a connection is crossed, the ASA acts as a proxy for the server and generates a SYN-ACK response to the client SYN request using the SYN cookie method (see Wikipedia for details on SYN cookies). When the ASA receives an ACK back from the client, it can then authenticate that the client is real and allow the connection to the server. The component that performs the proxy is called TCP Intercept.

The end-to-end process for protecting a server from a SYN flood attack involves setting connection limits, enabling TCP Intercept statistics, and then monitoring the results.""

Re: How does this connection attempt to reach internal device?

Marius Gunnerud — Fri, 03 Jun 2022 06:59:24 GMT

If this was a DDoS attack the log would be flooded with SYN messages from the internet. As the poster has not yet stated that this is the case I currently doubt that this is of concern.

Re: How does this connection attempt to reach internal device?

MHM Cisco World — Fri, 03 Jun 2022 13:53:20 GMT

we see only SYN not complete handshake, this is why I think it DDoS.

Re: How does this connection attempt to reach internal device?

Marius Gunnerud — Sat, 04 Jun 2022 11:52:06 GMT

Fair enough, but a DDoS attack will have many more entries than just a few now and then, also it will have an affect on the firewall resources. I think the subject of this post would have been different if this really was a DDoS.

Re: How does this connection attempt to reach internal device?

Jack G — Tue, 21 Jun 2022 19:55:54 GMT

Appears to be a bug: CSCvy33676 : Bug Search Tool (cisco.com)