https://community.cisco.com/t5/network-security/anauthorized-port-scan/m-p/2681363#M190437 <P>Please can someone interpret this log messages below for me? The IP address 10.5.4.8 was performing an unauthorized port scan in my network from within.</P><P>&nbsp;</P><P>Jun 18 2015 10:51:03 single_vf : %ASA-6-302013: Built outbound TCP connection 746450139 for outside:23.52.91.27/80 (23.52.91.27/80) to inside:10.5.4.8/17179 (139.55.126.155/17179)<BR />Jun 18 2015 10:51:04 single_vf : %ASA-6-305012: Teardown dynamic TCP translation from inside:10.5.4.8/16776 to outside:139.55.126.155/16776 duration 0:04:07<BR />Jun 18 2015 10:51:04 single_vf : %ASA-6-302014: Teardown TCP connection 746442992 for outside:98.139.199.205/443 to inside:10.5.4.8/17019 duration 0:02:00 bytes 2067 TCP FINs<BR />Jun 18 2015 10:51:05 single_vf : %ASA-6-305011: Built dynamic TCP translation from inside:10.5.4.8/17182 to outside:139.55.126.155/17182<BR />Jun 18 2015 10:51:05 single_vf : %ASA-6-302013: Built outbound TCP connection 746450241 for outside:98.139.199.204/443 (98.139.199.204/443) to inside:10.5.4.8/17182 (139.55.126.155/17182)<BR />Jun 18 2015 10:51:05 single_vf : %ASA-6-302014: Teardown TCP connection 746443065 for outside:98.139.199.205/443 to inside:10.5.4.8/17024 duration 0:01:59 bytes 9383 TCP FINs<BR />Jun 18 2015 10:51:05 single_vf : %ASA-6-302014: Teardown TCP connection 746443051 for outside:98.139.199.204/443 to inside:10.5.4.8/17022 duration 0:01:59 bytes 9431 TCP FINs<BR />Jun 18 2015 10:51:05 single_vf : %ASA-6-302014: Teardown TCP connection 746443043 for outside:208.86.238.30/443 to inside:10.5.4.8/17021 duration 0:02:00 bytes 5922 TCP FINs<BR />Jun 18 2015 10:51:05 single_vf : %ASA-6-106015: Deny TCP (no connection) from 10.5.4.8/17021 to 208.86.238.30/443 flags RST&nbsp; on interface inside</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Jun 18 2015 10:51:12 single_vf : %ASA-6-305011: Built dynamic TCP translation from inside:10.5.4.8/17219 to outside:139.55.126.155/17219<BR />Jun 18 2015 10:51:12 single_vf : %ASA-6-302013: Built outbound TCP connection 746450594 for outside:23.52.91.27/80 (23.52.91.27/80) to inside:10.5.4.8/17219 (139.55.126.155/17219)<BR />Jun 18 2015 10:51:12 single_vf : %ASA-6-305011: Built dynamic TCP translation from inside:10.5.4.8/17221 to outside:139.55.126.155/17221<BR />Jun 18 2015 10:51:12 single_vf : %ASA-6-302013: Built outbound TCP connection 746450623 for outside:72.167.239.239/80 (72.167.239.239/80) to inside:10.5.4.8/17221 (139.55.126.155/17221)<BR />Jun 18 2015 10:51:12 single_vf : %ASA-6-305011: Built dynamic TCP translation from inside:10.5.4.8/17222 to outside:139.55.126.155/17222<BR />Jun 18 2015 10:51:12 single_vf : %ASA-6-302013: Built outbound TCP connection 746450624 for outside:72.167.239.239/80 (72.167.239.239/80) to inside:10.5.4.8/17222 (139.55.126.155/17222)<BR />Jun 18 2015 10:51:12 single_vf : %ASA-6-302014: Teardown TCP connection 746450623 for outside:72.167.239.239/80 to inside:10.5.4.8/17221 duration 0:00:00 bytes 2402 TCP FINs<BR />Jun 18 2015 10:51:12 single_vf : %ASA-6-302014: Teardown TCP connection 746450624 for outside:72.167.239.239/80 to inside:10.5.4.8/17222 duration 0:00:00 bytes 2402 TCP FINs<BR />Jun 18 2015 10:51:16 single_vf : %ASA-6-305011: Built dynamic TCP translation from inside:10.5.4.8/17226 to outside:139.55.126.155/17226<BR />Jun 18 2015 10:51:16 single_vf : %ASA-6-302013: Built outbound TCP connection 746450778 for outside:23.21.243.54/443 (23.21.243.54/443) to inside:10.5.4.8/17226 (139.55.126.155/17226)<BR />Jun 18 2015 10:51:16 single_vf : %ASA-6-302014: Teardown TCP connection 746450013 for outside:23.21.243.54/443 to inside:10.5.4.8/17163 duration 0:00:15 bytes 5729 TCP FINs<BR />Jun 18 2015 10:51:16 single_vf : %ASA-6-106015: Deny TCP (no connection) from 10.5.4.8/17163 to 23.21.243.54/443 flags RST&nbsp; on interface inside<BR />Jun 18 2015 10:51:16 single_vf : %ASA-6-302014: Teardown TCP connection 746450012 for outside:23.21.243.54/443 to inside:10.5.4.8/17164 duration 0:00:15 bytes 5729 TCP FINs<BR />Jun 18 2015 10:51:16 single_vf : %ASA-6-106015: Deny TCP (no connection) from 10.5.4.8/17164 to 23.21.243.54/443 flags RST&nbsp; on interface inside<BR />Jun 18 2015 10:51:16 single_vf : %ASA-6-305011: Built dynamic TCP translation from inside:10.5.4.8/17228 to outside:139.55.126.155/17228<BR />Jun 18 2015 10:51:16 single_vf : %ASA-6-302013: Built outbound TCP connection 746450785 for outside:68.67.152.6/443 (68.67.152.6/443) to inside:10.5.4.8/17228 (139.55.126.155/17228)<BR />Jun 18 2015 10:51:16 single_vf : %ASA-6-305011: Built dynamic TCP translation from inside:10.5.4.8/17227 to outside:139.55.126.155/17227<BR />Jun 18 2015 10:51:16 single_vf : %ASA-6-302013: Built outbound TCP connection 746450786 for outside:68.67.152.6/443 (68.67.152.6/443) to inside:10.5.4.8/17227 (139.55.126.155/17227)</P><P>&nbsp;</P> Tue, 12 Mar 2019 06:09:02 GMT kingsleylawani 2019-03-12T06:09:02Z https://community.cisco.com/t5/network-security/anauthorized-port-scan/m-p/2681363#M190437 <P>Please can someone interpret this log messages below for me? The IP address 10.5.4.8 was performing an unauthorized port scan in my network from within.</P><P>&nbsp;</P><P>Jun 18 2015 10:51:03 single_vf : %ASA-6-302013: Built outbound TCP connection 746450139 for outside:23.52.91.27/80 (23.52.91.27/80) to inside:10.5.4.8/17179 (139.55.126.155/17179)<BR />Jun 18 2015 10:51:04 single_vf : %ASA-6-305012: Teardown dynamic TCP translation from inside:10.5.4.8/16776 to outside:139.55.126.155/16776 duration 0:04:07<BR />Jun 18 2015 10:51:04 single_vf : %ASA-6-302014: Teardown TCP connection 746442992 for outside:98.139.199.205/443 to inside:10.5.4.8/17019 duration 0:02:00 bytes 2067 TCP FINs<BR />Jun 18 2015 10:51:05 single_vf : %ASA-6-305011: Built dynamic TCP translation from inside:10.5.4.8/17182 to outside:139.55.126.155/17182<BR />Jun 18 2015 10:51:05 single_vf : %ASA-6-302013: Built outbound TCP connection 746450241 for outside:98.139.199.204/443 (98.139.199.204/443) to inside:10.5.4.8/17182 (139.55.126.155/17182)<BR />Jun 18 2015 10:51:05 single_vf : %ASA-6-302014: Teardown TCP connection 746443065 for outside:98.139.199.205/443 to inside:10.5.4.8/17024 duration 0:01:59 bytes 9383 TCP FINs<BR />Jun 18 2015 10:51:05 single_vf : %ASA-6-302014: Teardown TCP connection 746443051 for outside:98.139.199.204/443 to inside:10.5.4.8/17022 duration 0:01:59 bytes 9431 TCP FINs<BR />Jun 18 2015 10:51:05 single_vf : %ASA-6-302014: Teardown TCP connection 746443043 for outside:208.86.238.30/443 to inside:10.5.4.8/17021 duration 0:02:00 bytes 5922 TCP FINs<BR />Jun 18 2015 10:51:05 single_vf : %ASA-6-106015: Deny TCP (no connection) from 10.5.4.8/17021 to 208.86.238.30/443 flags RST&nbsp; on interface inside</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Jun 18 2015 10:51:12 single_vf : %ASA-6-305011: Built dynamic TCP translation from inside:10.5.4.8/17219 to outside:139.55.126.155/17219<BR />Jun 18 2015 10:51:12 single_vf : %ASA-6-302013: Built outbound TCP connection 746450594 for outside:23.52.91.27/80 (23.52.91.27/80) to inside:10.5.4.8/17219 (139.55.126.155/17219)<BR />Jun 18 2015 10:51:12 single_vf : %ASA-6-305011: Built dynamic TCP translation from inside:10.5.4.8/17221 to outside:139.55.126.155/17221<BR />Jun 18 2015 10:51:12 single_vf : %ASA-6-302013: Built outbound TCP connection 746450623 for outside:72.167.239.239/80 (72.167.239.239/80) to inside:10.5.4.8/17221 (139.55.126.155/17221)<BR />Jun 18 2015 10:51:12 single_vf : %ASA-6-305011: Built dynamic TCP translation from inside:10.5.4.8/17222 to outside:139.55.126.155/17222<BR />Jun 18 2015 10:51:12 single_vf : %ASA-6-302013: Built outbound TCP connection 746450624 for outside:72.167.239.239/80 (72.167.239.239/80) to inside:10.5.4.8/17222 (139.55.126.155/17222)<BR />Jun 18 2015 10:51:12 single_vf : %ASA-6-302014: Teardown TCP connection 746450623 for outside:72.167.239.239/80 to inside:10.5.4.8/17221 duration 0:00:00 bytes 2402 TCP FINs<BR />Jun 18 2015 10:51:12 single_vf : %ASA-6-302014: Teardown TCP connection 746450624 for outside:72.167.239.239/80 to inside:10.5.4.8/17222 duration 0:00:00 bytes 2402 TCP FINs<BR />Jun 18 2015 10:51:16 single_vf : %ASA-6-305011: Built dynamic TCP translation from inside:10.5.4.8/17226 to outside:139.55.126.155/17226<BR />Jun 18 2015 10:51:16 single_vf : %ASA-6-302013: Built outbound TCP connection 746450778 for outside:23.21.243.54/443 (23.21.243.54/443) to inside:10.5.4.8/17226 (139.55.126.155/17226)<BR />Jun 18 2015 10:51:16 single_vf : %ASA-6-302014: Teardown TCP connection 746450013 for outside:23.21.243.54/443 to inside:10.5.4.8/17163 duration 0:00:15 bytes 5729 TCP FINs<BR />Jun 18 2015 10:51:16 single_vf : %ASA-6-106015: Deny TCP (no connection) from 10.5.4.8/17163 to 23.21.243.54/443 flags RST&nbsp; on interface inside<BR />Jun 18 2015 10:51:16 single_vf : %ASA-6-302014: Teardown TCP connection 746450012 for outside:23.21.243.54/443 to inside:10.5.4.8/17164 duration 0:00:15 bytes 5729 TCP FINs<BR />Jun 18 2015 10:51:16 single_vf : %ASA-6-106015: Deny TCP (no connection) from 10.5.4.8/17164 to 23.21.243.54/443 flags RST&nbsp; on interface inside<BR />Jun 18 2015 10:51:16 single_vf : %ASA-6-305011: Built dynamic TCP translation from inside:10.5.4.8/17228 to outside:139.55.126.155/17228<BR />Jun 18 2015 10:51:16 single_vf : %ASA-6-302013: Built outbound TCP connection 746450785 for outside:68.67.152.6/443 (68.67.152.6/443) to inside:10.5.4.8/17228 (139.55.126.155/17228)<BR />Jun 18 2015 10:51:16 single_vf : %ASA-6-305011: Built dynamic TCP translation from inside:10.5.4.8/17227 to outside:139.55.126.155/17227<BR />Jun 18 2015 10:51:16 single_vf : %ASA-6-302013: Built outbound TCP connection 746450786 for outside:68.67.152.6/443 (68.67.152.6/443) to inside:10.5.4.8/17227 (139.55.126.155/17227)</P><P>&nbsp;</P> Tue, 12 Mar 2019 06:09:02 GMT https://community.cisco.com/t5/network-security/anauthorized-port-scan/m-p/2681363#M190437 kingsleylawani 2019-03-12T06:09:02Z https://community.cisco.com/t5/network-security/anauthorized-port-scan/m-p/2681364#M190438 <P>Hi,</P><P>These are some common connections Built and teardown messages.</P><P>What information would you like to collect from these syslogs.</P><P>I think you can find out the IP addresses and Ports numbers and if you want to stop them , apply ACL on the ASA device interface to block them.</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Fri, 19 Jun 2015 11:33:37 GMT https://community.cisco.com/t5/network-security/anauthorized-port-scan/m-p/2681364#M190438 Vibhor Amrodia 2015-06-19T11:33:37Z https://community.cisco.com/t5/network-security/anauthorized-port-scan/m-p/2681365#M190439 <P>Thanks for the responds.</P><P>KIngsley</P> Fri, 19 Jun 2015 15:18:15 GMT https://community.cisco.com/t5/network-security/anauthorized-port-scan/m-p/2681365#M190439 kingsleylawani 2015-06-19T15:18:15Z