topic Re: Firepower communicating with private network? in Network Security

Firepower communicating with private network?

Myleslandish — Sat, 08 Jun 2024 23:25:58 GMT

Hello, I’ve just redeployed my ASA5506x and noticed that I kept seeing an unfamiliar ip address popping up and with closer inspection it seems to be in direct communication with my firepower modules ip address. I don’t have nor know anyone near me that’s using the up address range of 172.22.4.33 or 172.17.4.33 but they both are clearly making/building connections and being granted access to the firepower module of the unit. If anyone has any suggestions on how to proceed please let me know. The two ip addresses are the only two that keep popping up and it isn’t occasional but constant filling up the syslog. It just started yesterday. Thank you

Re: Firepower communicating with private network?

ccieexpert — Sun, 09 Jun 2024 06:26:15 GMT

you can use the following commands:

sh conn address x.x.x.x detail

sh local-host x.x.x.x all detail

this will give you more idea of where it is coming from and what ports.

can you attach a snip of the syslog ?

then you can take a packet capture on the ASA to dig further.

Re: Firepower communicating with private network?

Sheraz.Salim — Sun, 09 Jun 2024 09:51:37 GMT

The ASA5506x are gone EOL. Use ARP tables on the ASA5506x to see the MAC addresses of the devices associated with these IPs

show arp show arp | i x.x.x.x

Capture traffic using packet capture tools (e.g., Wireshark or tcpdump) to analyze

capture cap interface [interface_name] match ip host 172.22.4.33 capture cap interface [interface_name] match ip host 172.17.4.33 show capture cap

you can also see the live syslog entries for these ip address to narrow down what are these IPs doing.

show logging | i 172.22.4.33

and you also use command

show conn address 172.22.4.33 netmask 255.255.255.255

you can refer to this Guide

Re: Firepower communicating with private network?

MHM Cisco World — Sun, 09 Jun 2024 10:00:48 GMT

Access to box or access through box ?

Access to box you need to disable http in FTD or use control plane ACL

MHM

Re: Firepower communicating with private network?

Marvin Rhoads — Sun, 09 Jun 2024 11:26:52 GMT

Since 172.16.0.0 through 172.31.255.255 are all private networks (not publicly routable), the connections must be originating somewhere on your internal network. If you are on a corporate network, they could be vulnerability scanners (authorized or unauthorized) that simply sweep through all reachable subnets periodically.

In any case they should only be granted access if they present valid credentials. A TCP conneciton will occur if something tries, for instance, to open an ssh session but does not have valid credentials.

Re: Firepower communicating with private network?

ccieexpert — Sun, 09 Jun 2024 18:34:59 GMT

not necessarily... many ISP backbones are all RFC1918... it could be a scan from them or a malicious host .. Also not all ISP do good RFC1918 filtering inside their network (may do it at peering points) so technically you could have a TCP syn somehow make it and then the response may never get back.. i actually block out any rfc1918 from the outside interface and also put null routes as safeguard

Re: Firepower communicating with private network?

Sheraz.Salim — Sun, 09 Jun 2024 20:32:52 GMT

Alright, if the issue is due to these IP addresses coming from the outside interface, then defining access-lists to deny them is a good solution. The ASA has an implicit deny rule, but if these IP addresses are reaching your Firepower module, it indicates that the access-list for the outside interface might not be configured properly. Remember, the ASA processes the packet first, and then the SFR module checks the packet.

To address this, you can define access-lists to explicitly deny these IP addresses. Here’s how you can do it
Define access-lists to deny traffic from the IP addresses 172.22.4.33 and 172.17.4.33

access-list OUTSIDE_IN extended deny ip host 172.22.4.33 any access-list OUTSIDE_IN extended deny ip host 172.17.4.33 any

Apply the access-list to the outside interface

access-group OUTSIDE_IN in interface outside

monitoring the traffic to ensure that these IP addresses are being block

show logging | include 172.22.4.33 show logging | include 172.17.4.33

Re: Firepower communicating with private network?

Myleslandish — Fri, 21 Jun 2024 12:42:47 GMT

It’s not letting me type my message no matter how I word it. Open screenshots in numerical order 1193,1194,1195,1196

Sorry for this but it’s what I deal with constantly.

Re: Firepower communicating with private network?

Myleslandish — Fri, 21 Jun 2024 12:37:29 GMT

I’m just posting this screenshot in case my post above gets removed like every other attempt.

Re: Firepower communicating with private network?

MHM Cisco World — Sat, 29 Jun 2024 01:14:15 GMT

is this issue solved or not?

can you draw topolgy and show in which interface you see this traffic

MHM

Re: Firepower communicating with private network?

Myleslandish — Sat, 06 Jul 2024 23:57:23 GMT

I keep trying to post and no matter what I say it says there’s something in it that goes against something. This is nuts

Re: Firepower communicating with private network?

Myleslandish — Sat, 06 Jul 2024 23:58:45 GMT

What could I be saying or from what I’ve said what’s possibly wrong with describing my issue and responding to questions?

Re: Firepower communicating with private network?

Myleslandish — Sun, 07 Jul 2024 00:02:39 GMT

It’s only resolved bc I shut down/changed the main access point in the main house. So I’m not seeing it anymore. But I have a question I’m surprised I can’t find online or on message boards. How do you confirm commands on the ASDM CLI? I can’t reset my wlan AP or really I can’t do many things not being able to say yes or confirm or whatever. I’ve seen shift x. But nothing works. Please if someone knows let me know. Frfr

Re: Firepower communicating with private network?

Myleslandish — Wed, 24 Jul 2024 15:38:03 GMT

I will attach a photo copy but the plain and simple thing to it is an unknown private network probing just the firepower module and always the same domain port 53. It’s every 5 seconds round the clock, it’s two slight different 172.x.x.x IPs hitting it double time; as the photo shows

Re: Firepower communicating with private network?

Marvin Rhoads — Wed, 24 Jul 2024 15:46:38 GMT

The source IP is 192.168.1.2. A device at that address is trying to access a DESTINATION address of 172.17.4.33 for DNS requests (udp/53).

Your ACL inside_Access_in is blocking the requests, probably since it is an RFC 1918 destination which should indeed be excluded from allowed outbound traffic.

Check the source host configuration for any DNS servers setup there and fix them to legitimate allowed DNS servers and the firewall logs messages will stop.

Re: Firepower communicating with private network?

MHM Cisco World — Wed, 24 Jul 2024 15:50:35 GMT

Are you use ASA ad dns server for client?

MHM