topic Re: Investigate new TCP connections from specific port (HTTPS) in Network Security https://community.cisco.com/t5/network-security/investigate-new-tcp-connections-from-specific-port-https/m-p/3830722#M11541 <P>hmm... here some of the tips you can you to see what is happening.</P><P>&nbsp;</P><P>show conn 192.168.20.71</P><P>!</P><P>show local-host 192.168.20.71 or show local-host 192.168.20.71 brief</P><P>!</P><P>show service-policy flow tcp host 192.168.20.71 host 8.8.8.8</P><P>&nbsp;</P> Tue, 02 Apr 2019 14:59:10 GMT Sheraz.Salim 2019-04-02T14:59:10Z Investigate new TCP connections from specific port (HTTPS) https://community.cisco.com/t5/network-security/investigate-new-tcp-connections-from-specific-port-https/m-p/3830398#M11540 <P>Hi all,</P><P>I think i have a very simple question. We have a server making a lot of HTTPS connections to different IP's. We have a a specific rule in our ACL for this traffic. When building the firewall rules, i still noticed a lot of hits on the permit ip any-any rule so i digged deeper.</P><P>I found that this same server was building outbound TCP connections, but with the&nbsp;<STRONG>source port</STRONG> of tcp/443. Like this:</P><PRE>2019-04-02 08:40:36 Local6.Notice 192.168.20.71 Apr 02 2019 08:41:07: %ASA-5-106100: access-list LSPXSG4_access_in permitted tcp LSPXSG4/LSPAPPAMD211(443) -&gt; Zorgnet/172.24.140.201(14728) hit-cnt 1 first hit [0x221dee80, 0x00000000]</PRE><P>Ofcourse, i can make a ACL entry that permits this traffic based on the Source Service, but i would like to know/investigate why this is happening.&nbsp;<BR />Am i right by saying that the above entry is a&nbsp;<U>new</U> TCP Connection with Source Port of 443?<BR />I'm a bit clueless on where to start troubleshooting/capturing. Obviously it would be best to start at the source (the server) but if i would want to capture traffic there, what should i look at? Source Port 443 and some kind of TCP Syn filter or anything?</P><P>&nbsp;</P><P>Edit:<BR />I did a Wireshark capture on the source (LSPAPPAMD211). I waited for the access-list to get a new hit with tcp/443 as the source port. I checked that TCP connection in WireShark based on the destination port (random port number). I looked at it but i didn't see anything weird.<BR /><BR />If anyone has a idea why this traffic is generating hits on the any-any rule that would be great. I want to get rid of the any-any rule.</P><P>&nbsp;</P> Fri, 21 Feb 2020 16:59:54 GMT https://community.cisco.com/t5/network-security/investigate-new-tcp-connections-from-specific-port-https/m-p/3830398#M11540 Eric Snijders 2020-02-21T16:59:54Z Re: Investigate new TCP connections from specific port (HTTPS) https://community.cisco.com/t5/network-security/investigate-new-tcp-connections-from-specific-port-https/m-p/3830722#M11541 <P>hmm... here some of the tips you can you to see what is happening.</P><P>&nbsp;</P><P>show conn 192.168.20.71</P><P>!</P><P>show local-host 192.168.20.71 or show local-host 192.168.20.71 brief</P><P>!</P><P>show service-policy flow tcp host 192.168.20.71 host 8.8.8.8</P><P>&nbsp;</P> Tue, 02 Apr 2019 14:59:10 GMT https://community.cisco.com/t5/network-security/investigate-new-tcp-connections-from-specific-port-https/m-p/3830722#M11541 Sheraz.Salim 2019-04-02T14:59:10Z