topic Hi, in Network Security

syslog message -need help

bluesea2010 — Tue, 12 Mar 2019 07:32:26 GMT

Hi,

I am getting the below messeges in my syslog

Built inbound UDP connection x.x.x.x for Outside:public ip /57360 (Public Ip/57360) to Inside:Inside local ip /53 (Inside global IP/53)

I have not permitted 53 in my access list but it bulit an inbound connection

Please help

> I have not permitted 53 in

Karsten Iwen — Thu, 24 Mar 2016 07:45:33 GMT

> I have not permitted 53 in my access list but it bulit an inbound connection

Are you sure? What is the output of

packet-tracer input outside udp 1.2.3.4 1234 INSIDE_GLOBAL_IP 53

Or show your ACL and NAT-config.

Hi

bluesea2010 — Thu, 24 Mar 2016 08:49:57 GMT

our command helped to identify the acl

Thanks

Hi,

bluesea2010 — Thu, 24 Mar 2016 11:33:03 GMT

Hi,

Just to understand ,from NAT-config how can we troubleshoot these kind of problems ?

Thanks

> Just to understand ,from

Karsten Iwen — Thu, 24 Mar 2016 18:30:29 GMT

> Just to understand ,from NAT-config how can we troubleshoot these kind of problems ?

it just could be used to see if there is any configuration that allows this inbound traffic.

Hi,

bluesea2010 — Thu, 31 Mar 2016 15:40:06 GMT

Hi,

I have done packet tracing , in packet trace acl droped , but in syslog (attached) built connection ?

packet-tracer input outside udp globaloutside 53 global inside 58610

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in OUTSIDE-IP 255.255.255.255 identity

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via WANinterface-ip, Outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Thanks

what are you trying to

Karsten Iwen — Thu, 31 Mar 2016 15:53:53 GMT

what are you trying to simulate with these port-numbers?

packet-tracer input outside udp globaloutside 53 global inside 58610

For a real simulation the destination port has to be 53. And which addresses are you using in the trace?

Hi,

bluesea2010 — Thu, 31 Mar 2016 17:19:25 GMT

Hi,

I am getting dns amplification attack , that's why the source port is 53 (source is address is a public ip from outside and destination is my auto nat ip address which is the outside interface ip of the firewall

Thanks